Educause Security Discussion mailing list archives

Re: NIST 800-63 Breached Passwords and HIBP


From: Aakash Shah <aakash.shah () UCI EDU>
Date: Thu, 18 Feb 2021 03:10:30 +0000

We are using a similar product called SafePass<https://safepass.me/> that we implemented for our Microsoft environment. 
While SafePass uses the Have I Been Pwned (HIBP) list as a source, the list is stored locally on each DC and hence does 
not rely on HIBP (or the Internet) being available at all times. With this model though, SafePass does need to be 
updated every 6-12 months when a new HIBP list is released.

-Aakash Shah

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Josh Callahan
Sent: Wednesday, February 17, 2021 10:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] NIST 800-63 Breached Passwords and HIBP

Are others out there looking at how to implement the breached password check requirement in 800-63b?

"When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets 
against a list that contains values known to be commonly-used, expected, or compromised."
Section 5.1.1.2. Memorized Secret Verifiers<https://pages.nist.gov/800-63-3/sp800-63b.html#reqauthtype>

Have I been pwned<https://haveibeenpwned.com/> provides a great anonymous API service to do this check, but I worry 
about it being unavailable and then we either break the ability for people to set their passwords or lose the ability 
to check compliance.  Has anyone heard of any NIST or .edu based effort to provide redundancy for this service?

I found one commercial service Enzoic<https://www.enzoic.com/nist-csf-800-63b-passwords/> that looks to do the same 
thing and we'll be pushing on our Identity Management vendor on this front.  However, since this is a new requirement 
for everyone, it seems like it might be a good opportunity for community collaboration.

-Josh

--
Josh Callahan
Information Security Officer and CTO
ITS :: Humboldt State University
1 Harpst St. Arcata CA 95521  707.826.3815

Pronouns (he/him/his)
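The check Josh describes above, run against a locally stored copy of the list as Aakash describes, written out as an added example (it is not code from this thread, from HIBP, or from any vendor product mentioned here). It uses the public HIBP range-query convention: the verifier SHA-1 hashes the candidate secret, sends only the first five hex characters, and receives every matching "SUFFIX:COUNT" line, so the full hash never leaves the verifier. The sample entries and their counts are constructed so the example runs offline; a production deployment would load the full downloaded list and, as Aakash notes, refresh it when a new release appears.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Index type: 5-hex-char prefix -> {35-hex-char suffix: breach count}
HashIndex = Dict[str, Dict[str, int]]


def sha1_upper(password: str) -> str:
    """SHA-1 hex digest in uppercase, the form used by the Pwned Passwords list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample in the downloadable list format, "<SHA-1 hex>:<count>".
# The passwords and counts below are illustrative, chosen so the example runs
# without network access; a real list has hundreds of millions of lines.
SAMPLE_LIST = "\n".join(
    f"{sha1_upper(pw)}:{count}"
    for pw, count in [
        ("password", 3730471),
        ("123456", 23597311),
        ("qwerty", 3946737),
        ("Winter2021!", 12),
    ]
)


def load_local_list(text: str) -> HashIndex:
    """Index a locally stored HIBP-style list by 5-character prefix."""
    index: HashIndex = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, count = line.split(":", 1)
        digest = digest.upper()
        index.setdefault(digest[:5], {})[digest[5:]] = int(count)
    return index


def range_query(index: HashIndex, prefix: str) -> List[Tuple[str, int]]:
    """Simulate the HIBP range endpoint against the local copy.

    The caller supplies only the 5-character prefix and gets back every
    (suffix, count) pair sharing it; this is the k-anonymity property that
    keeps the full hash of the candidate password on the verifier.
    """
    return list(index.get(prefix.upper(), {}).items())


def is_compromised(password: str, index: HashIndex) -> Optional[int]:
    """Return the breach count if the password is on the list, else None."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    # Compare suffixes locally; the prefix is the only thing a remote
    # service would have seen.
    for candidate_suffix, count in range_query(index, prefix):
        if candidate_suffix == suffix:
            return count
    return None


def check_new_secret(password: str, index: HashIndex,
                     min_length: int = 8) -> Tuple[bool, str]:
    """Apply the SP 800-63B section 5.1.1.2 checks this example covers:
    at least 8 characters for a user-chosen secret, and not on the
    compromised list. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short"
    count = is_compromised(password, index)
    if count is not None:
        return False, f"found in breach list ({count} occurrences)"
    return True, "ok"


if __name__ == "__main__":
    idx = load_local_list(SAMPLE_LIST)
    for candidate in ["password", "123456", "Winter2021!", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_new_secret(candidate, idx)}")
```

Because the lookup is a pure function of the local index, the same `check_new_secret` can be wired to the live HIBP range endpoint by swapping `range_query` for an HTTPS call that sends the prefix, with the local index as the fallback when that call fails, which is the availability concern Josh raises.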

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
