Educause Security Discussion mailing list archives

NIST 800-63 Breached Passwords and HIBP


From: Josh Callahan <josh.callahan () HUMBOLDT EDU>
Date: Wed, 17 Feb 2021 10:39:37 -0800

Are others out there looking at how to implement the breached password
check requirement in 800-63b?

"When processing requests to establish and change memorized secrets,
verifiers SHALL compare the prospective secrets against a list that
contains values known to be commonly-used, expected, or compromised."
Section 5.1.1.2. Memorized Secret Verifiers
<https://pages.nist.gov/800-63-3/sp800-63b.html#reqauthtype>


Have I been pwned <https://haveibeenpwned.com/> provides a great anonymous
API service to do this check, but I worry about it being unavailable and
then we either break the ability for people to set their passwords or lose
the ability to check compliance.  Has anyone heard of any NIST or .edu
based effort to provide redundancy for this service?

I found one commercial service Enzoic
<https://www.enzoic.com/nist-csf-800-63b-passwords/> that looks to do the
same thing and we'll be pushing on our Identity Management vendor on this
front.  However, since this is a new requirement for everyone, it seems
like it might be a good opportunity for community collaboration.

-Josh

-- 
Josh Callahan
Information Security Officer and CTO
ITS :: Humboldt State University
1 Harpst St. Arcata CA 95521  707.826.3815

Pronouns (he/him/his)
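The k-anonymity check the post refers to, as an added example (not code from the post, from HIBP, or from Enzoic): the verifier hashes the candidate password with SHA-1, sends only the first five hex characters to https://api.pwnedpasswords.com/range/{prefix}, and compares the returned suffixes locally, so the full hash never leaves the campus. The sample range response, its counts, the local fallback list, the `fetch_range` callable and the `service_unavailable` stand-in are all constructed here so the block runs offline; falling back to a locally held hash list when the service is down is one answer to the availability concern raised above.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the body of GET /range/5BAA6 (real responses list
# every suffix in the bucket; these counts are made up, not HIBP's figures).
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234
27A6F3C6AA9E0D2B3C8D8E7F6A5B4C3D2E1:12
"""

# Constructed local fallback: full upper-case SHA-1 hashes held on site, e.g. an
# offline copy of the HIBP download or an institution-specific banned list.
LOCAL_BREACHED_SHA1 = {
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8",  # sha1("password")
}

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the SHA-1 hex digest into the 5-char prefix that is sent to the
    range API and the 35-char suffix that stays on the verifier."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and CRLF."""
    result: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            result[suffix.upper()] = int(count)
    return result

def breach_count(password: str, fetch_range: Callable[[str], str]) -> Optional[int]:
    """Occurrences of the password in its prefix bucket, or None if the
    service could not be reached (the caller decides how to degrade)."""
    prefix, suffix = sha1_prefix_suffix(password)
    try:
        body = fetch_range(prefix)
    except Exception:
        return None
    return parse_range_response(body).get(suffix, 0)

def is_breached(password: str, fetch_range: Callable[[str], str]) -> Tuple[bool, str]:
    """Live check first; on outage, fall back to the local hash list."""
    count = breach_count(password, fetch_range)
    if count is not None:
        return count > 0, "hibp"
    prefix, suffix = sha1_prefix_suffix(password)
    return (prefix + suffix) in LOCAL_BREACHED_SHA1, "local-fallback"

def service_unavailable(prefix: str) -> str:
    """Constructed fetcher that simulates the API being down."""
    raise ConnectionError("range API unreachable")
```

In production `fetch_range` would be an HTTP GET of the range URL with a short timeout; the second element of the result tells you which source made the decision, which is what you would log for the compliance audit trail.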
