Educause Security Discussion mailing list archives
NIST 800-63 Breached Passwords and HIBP
From: Josh Callahan <josh.callahan () HUMBOLDT EDU>
Date: Wed, 17 Feb 2021 10:39:37 -0800
Are others out there looking at how to implement the breached password check requirement in 800-63b?

"When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised." Section 5.1.1.2. Memorized Secret Verifiers <https://pages.nist.gov/800-63-3/sp800-63b.html#reqauthtype>

Have I been pwned <https://haveibeenpwned.com/> provides a great anonymous API service to do this check, but I worry about it being unavailable and then we either break the ability for people to set their passwords or lose the ability to check compliance. Has anyone heard of any NIST or .edu based effort to provide redundancy for this service?

I found one commercial service Enzoic <https://www.enzoic.com/nist-csf-800-63b-passwords/> that looks to do the same thing and we'll be pushing on our Identity Management vendor on this front. However, since this is a new requirement for everyone, it seems like it might be a good opportunity for community collaboration.

-Josh

--
Josh Callahan
Information Security Officer and CTO
ITS :: Humboldt State University
1 Harpst St. Arcata CA 95521
707.826.3815
Pronouns (he/him/his)
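One way to wire the HIBP check with a local fallback so an outage does not silently block password changes, added here as an illustration (this is not code from the post, from HIBP, or from any vendor named above). The range endpoint and the SUFFIX:COUNT response format are HIBP's documented k-anonymity API; the sample response, the local blocklist and the fake fetchers are constructed so the example runs offline.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Optional, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"   # HIBP's documented k-anonymity endpoint

def sha1_split(password: str) -> Tuple[str, str]:
    """Uppercase SHA-1 hex split into the 5-char prefix (the only part sent to HIBP) and the 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns (padding lines carry count 0)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range_live(prefix: str, timeout: float = 3.0) -> str:
    """Real network fetch; not exercised by the offline demo below."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch_range: Callable[[str], str]) -> Optional[int]:
    """Times the password was seen in breaches, or None if HIBP is unreachable."""
    prefix, suffix = sha1_split(password)
    try:
        return parse_range(fetch_range(prefix)).get(suffix, 0)
    except Exception:          # timeout, DNS failure, HTTP error: treat as an outage
        return None

def is_acceptable(password: str, fetch_range: Callable[[str], str],
                  local_blocklist: set, fail_closed: bool = False) -> Tuple[bool, str]:
    """Policy: HIBP answer wins; on outage use the local list, then the explicit fail-open/fail-closed choice."""
    count = breach_count(password, fetch_range)
    if count is None:
        if password.lower() in local_blocklist:
            return False, "local-blocklist"
        return (not fail_closed), "hibp-unavailable"
    return count == 0, "hibp"

# Constructed sample response for prefix 5BAA6 (first line is the suffix of SHA-1("password")).
SAMPLE_RANGE_5BAA6 = "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n0123456789ABCDEF0123456789ABCDEF012:0\n"
LOCAL_BLOCKLIST = {"password", "123456", "humboldt2021"}  # constructed offline fallback list
def fake_fetch_ok(prefix: str) -> str: return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""   # HIBP up
def fake_fetch_down(prefix: str) -> str: raise ConnectionError("HIBP unreachable")             # HIBP down
```

The second return value is the reason code worth logging, so a compliance report can show how many password changes were decided by HIBP, by the local list, or by the outage policy.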
Current thread:
- NIST 800-63 Breached Passwords and HIBP Josh Callahan (Feb 17)
- Re: NIST 800-63 Breached Passwords and HIBP Aakash Shah (Feb 17)
- Message not available
- Re: NIST 800-63 Breached Passwords and HIBP Aakash Shah (Feb 17)