To protect you from this risk, we’ve integrated with Have I Been Pwned—a trusted security service that maintains one of the largest and most up-to-date databases of passwords found in data breaches.
How it works
When you create or update a password, our system safely checks whether that password appears in the Have I Been Pwned database.
Your actual password is never sent or stored externally.
The check is done using a secure, privacy-preserving method.
If the password has been found in any known breaches, you’ll be asked to choose a different one.
Why you might be prompted to change your password
If you receive a message that your password was found in a breach, it doesn't necessarily mean your personal account was compromised, but it does mean that the exact password you chose has been leaked somewhere on the internet.
Even if that breach happened years ago on a completely unrelated site, using the same password again makes your accounts vulnerable. If your password has been breached, it’s not safe to use.
To better protect and improve the security of user accounts, we've implemented a password policy that all passwords must adhere to.
The policy is as follows:
- Must be at least 8 characters.
- Cannot have 3 or more repeated characters in a row (e.g. 111, aaa).
- Cannot have 3 or more sequential characters in a row (e.g. 1234, abcd).
- Cannot contain the word "onechurch" or the account subdomain.
- Must not have been exposed in a known data breach.
A password used to log in to One Church Software must not have been exposed in a known data breach. Once a password has been compromised—even if it’s from a different service or platform—it becomes dramatically less secure. Attackers often try stolen passwords across multiple sites in an attempt to gain access to other accounts.
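The sketch below is an added example, not One Church Software's own code. It applies the five rules listed above to a candidate password. The page does not say how the breach check is done; this assumes the Pwned Passwords range lookup, in which only the first five characters of the password's SHA-1 hash are sent and the returned suffixes are compared locally. The function names, the "grace" subdomain and the sample response are constructed for illustration.

```python
import hashlib
import re

def has_repeat(pw):
    """3+ identical characters in a row, e.g. 111 or aaa."""
    return re.search(r"(.)\1\1", pw) is not None

def has_sequence(pw, run=3):
    """3+ ascending ASCII letters or digits in a row, e.g. 123 or abc.
    Assumption: case-insensitive and ascending only; the page does not say."""
    s, streak = pw.lower(), 1
    for prev, cur in zip(s, s[1:]):
        step = cur.isascii() and cur.isalnum() and prev.isalnum() and ord(cur) - ord(prev) == 1
        streak = streak + 1 if step else 1
        if streak >= run:
            return True
    return False

def sha1_split(pw):
    """Split the SHA-1 hex digest into the 5-char prefix (sent) and 35-char suffix (kept local)."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(pw, range_body):
    """Find pw's suffix in a range response made of SUFFIX:COUNT lines."""
    suffix = sha1_split(pw)[1]
    for line in range_body.splitlines():
        cand, _, count = line.strip().partition(":")
        if cand.upper() == suffix:
            return int(count)
    return 0

def policy_violations(pw, subdomain, range_body):
    """Return the list of policy rules that pw breaks (empty list = accepted)."""
    low, problems = pw.lower(), []
    if len(pw) < 8:
        problems.append("length")
    if has_repeat(pw):
        problems.append("repeat")
    if has_sequence(pw):
        problems.append("sequence")
    # Guard the empty subdomain: "" is a substring of every string.
    if "onechurch" in low or (subdomain and subdomain.lower() in low):
        problems.append("forbidden word")
    if breach_count(pw, range_body) > 0:
        problems.append("breached")
    return problems

# Constructed sample data: a made-up range response containing one made-up password.
SAMPLE_RANGE = "%s:3\r\n%s:17" % ("0" * 35, sha1_split("Winter-Lake-59!")[1])
print(policy_violations("Winter-Lake-59!", "grace", SAMPLE_RANGE))
```

In a live check, the response body would come from the range endpoint for the password's own five-character prefix; the password and its full hash stay on the server doing the validation.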