
StatusPage.me Help Center


StatusPage.me Dec 22, 2025 Account & Billing

Account Security & Password Protection

Your account security is our top priority. We’ve implemented multiple layers of protection to keep your account safe from unauthorized access and automated attacks.


Password Security

Have I Been Pwned Integration

When you create an account or change your password, we automatically check it against the Have I Been Pwned (HIBP) database to ensure your password hasn’t been compromised in known data breaches.

How it works:

  1. Your password is never sent to any external service
  2. We use a secure k-anonymity model where only the first 5 characters of your password hash are sent to HIBP
  3. HIBP returns a list of hash suffixes for breached passwords starting with those 5 characters
  4. We check locally if your password hash matches any in the returned list
  5. If a match is found, you’ll be asked to choose a different password
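
The exchange in steps 1 to 5, as an added example (not StatusPage.me's own code). It assumes HIBP's public Pwned Passwords range API, which takes the first 5 hex characters of the SHA-1 hash; `fake_range_api`, the breach corpus and the padding row are constructed stand-ins so the example runs offline.

```python
import hashlib
import hmac

# Constructed breach corpus standing in for HIBP's data set (not real breach data).
BREACHED = ["hunter2", "letmein", "qwerty123"]
sent_to_api = []  # records everything that leaves "our server" in this demo


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_api(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    sent_to_api.append(prefix)
    lines = [f"{h[5:]}:{n}"
             for n, h in enumerate(map(sha1_hex, BREACHED), start=3)
             if h.startswith(prefix)]
    # Constructed padding row: count 0 must never be treated as a breach hit.
    lines.append("0" * 35 + ":0")
    return "\r\n".join(lines)


def breach_count(password: str, fetch=fake_range_api) -> int:
    """Return how often the password appears in the breach data (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]   # only `prefix` is ever transmitted
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if len(candidate) != 35 or not count.isdigit():
            continue  # skip malformed rows rather than crash or misparse
        # The suffix comparison happens locally, on our side of the exchange.
        if hmac.compare_digest(candidate.upper(), suffix):
            return int(count)
    return 0


def password_allowed(password: str) -> bool:
    return breach_count(password) == 0
```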

Why this matters:

  • Passwords that have appeared in data breaches are at high risk of being used in credential stuffing attacks
  • Even if the breach wasn’t from our service, attackers often try breached credentials across multiple sites
  • Using a unique, uncompromised password significantly increases your account security

Password Requirements

While we don’t enforce complex password rules (which often lead to weaker passwords), we do require:

  • Minimum length based on security best practices
  • Password must not have appeared in known data breaches
  • Password should be unique to this service (not reused from other accounts)

Password Best Practices

Follow these guidelines to keep your account secure:

  1. Use a password manager - Generate and store unique passwords for each service
  2. Enable Two-Factor Authentication (2FA) - Add an extra layer of security beyond your password
  3. Never reuse passwords - Each service should have a unique password
  4. Use long passphrases - “correct horse battery staple” style passwords are easier to remember and very secure

Registration Process

Account Creation

When you register for an account:

  1. Your account is created immediately after validation
  2. A verification email may be sent depending on your configuration
  3. You can start using your account right away

Localhost Development

When running the application on localhost or 127.0.0.1, CAPTCHA protection is automatically disabled for easier testing and development. In production environments, CAPTCHA protection helps prevent automated bot registrations.


Security Features

CAPTCHA Protection

Our CAPTCHA system protects your account and our service from abuse:

  • Prevents automated bot registrations in production
  • Automatically disabled on localhost for development
  • Uses honeypot fields and behavior analysis
  • Non-intrusive - won’t interrupt legitimate users

Rate Limiting

We implement rate limiting to prevent abuse:

  • Registration attempts are limited per IP address
  • Maximum 5 registration attempts per minute from the same IP
  • Helps prevent brute force attacks and spam registrations
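
One way to enforce the limit of 5 registration attempts per minute per IP, as an added example (not StatusPage.me's own code). It assumes a sliding 60-second window and in-process storage; `RegistrationLimiter`, `simulate` and the sample IP address are hypothetical names and constructed values.

```python
import time
from collections import defaultdict, deque


class RegistrationLimiter:
    """Sliding-window limiter: at most `limit` attempts per `window` seconds per IP."""

    def __init__(self, limit=5, window=60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.attempts = defaultdict(deque)  # ip -> timestamps of accepted attempts

    def allow(self, ip: str) -> bool:
        now = self.clock()
        recent = self.attempts[ip]
        # Drop attempts that have aged out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return False  # rejected attempts are not recorded, so the window drains
        recent.append(now)
        return True

    def retry_after(self, ip: str) -> float:
        """Seconds until the next attempt from this IP would be accepted."""
        recent = self.attempts.get(ip)
        if not recent or len(recent) < self.limit:
            return 0.0
        return max(0.0, self.window - (self.clock() - recent[0]))


def simulate(times, ip="203.0.113.7"):
    """Replay constructed attempt timestamps (in seconds) and return each decision."""
    now = [0.0]
    limiter = RegistrationLimiter(clock=lambda: now[0])
    decisions = []
    for t in times:
        now[0] = t
        decisions.append(limiter.allow(ip))
    return decisions
```

With several application processes, the per-IP counters would have to live in shared storage for the limit to hold across all of them.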

CSRF Protection

Cross-Site Request Forgery (CSRF) protection is enabled on all forms:

  • All forms include CSRF tokens that are validated on every submission
  • Helps protect against malicious sites attempting to create accounts on your behalf
  • Tokens expire after a reasonable time period

Privacy & Data Protection

We take your privacy seriously and follow security best practices:

Password Storage

  • Passwords are hashed using bcrypt before storage
  • We never store your password in plain text
  • Password hashes use work factors appropriate for current computing power

HIBP Privacy

  • Password checks via HIBP use k-anonymity to protect your actual password
  • Only the first 5 characters of your password hash are sent
  • Your complete password never leaves our servers

Email Privacy

  • Email addresses are used only for account management and notifications you’ve opted into
  • We don’t sell or share your email with third parties
  • You can control what notifications you receive in your account settings

For more details about how we handle your data, see our Privacy Policy and Terms of Service.


Account Recovery

If you forget your password:

  1. Click “Forgot Password” on the login page
  2. Enter your email address
  3. Check your email for a password reset link
  4. The link expires after a set time period for security
  5. Create a new password that passes our security checks

Need Help?

If you have questions about account security or need assistance:

  • Check our other support articles in the “Account & Billing” category
  • Contact our support team through the dashboard
  • Review our Privacy Policy for detailed information about data handling

Your security is our priority, and we’re constantly working to improve our security measures while keeping the experience smooth and user-friendly.
