Educause Security Discussion mailing list archives
Re: NIST 800-63 Breached Passwords and HIBP
From: Aakash Shah <aakash.shah () UCI EDU>
Date: Thu, 18 Feb 2021 03:10:30 +0000
We are using a similar product called SafePass<https://safepass.me/> that we implemented for our Microsoft environment. While SafePass uses the Have I Been Pwned (HIBP) list as a source, the list is stored locally on each DC and hence does not rely on HIBP (or the Internet) being available at all times. With this model though, SafePass does need to be updated every 6-12 months when a new HIBP list is released.

-Aakash Shah

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Josh Callahan
Sent: Wednesday, February 17, 2021 10:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] NIST 800-63 Breached Passwords and HIBP

Are others out there looking at how to implement the breached password check requirement in 800-63b?

"When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised." Section 5.1.1.2. Memorized Secret Verifiers<https://pages.nist.gov/800-63-3/sp800-63b.html#reqauthtype>

Have I been pwned<https://haveibeenpwned.com/> provides a great anonymous API service to do this check, but I worry about it being unavailable and then we either break the ability for people to set their passwords or lose the ability to check compliance. Has anyone heard of any NIST or .edu based effort to provide redundancy for this service?

I found one commercial service Enzoic<https://www.enzoic.com/nist-csf-800-63b-passwords/> that looks to do the same thing and we'll be pushing on our Identity Management vendor on this front. However, since this is a new requirement for everyone, it seems like it might be a good opportunity for community collaboration.

-Josh

--
Josh Callahan
Information Security Officer and CTO
ITS :: Humboldt State University
1 Harpst St.
Arcata CA 95521
707.826.3815
Pronouns (he/him/his)

********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community **********
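A worked example of the check both messages describe, added here and not code from SafePass, HIBP or either poster: it splits a SHA-1 into the 5-character prefix that HIBP's k-anonymity range API accepts and the suffix that is compared locally, reads a range in HIBP's SUFFIX:COUNT format from a local mirror (the model Aakash describes), and makes the unavailable-list case Josh worries about an explicit fail-open or fail-closed decision. The range contents, the counts and the LocalRangeStore class are constructed for illustration.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed sample in the HIBP Pwned Passwords range format ("SUFFIX:COUNT" per line),
# as served by the k-anonymity API for prefix 5BAA6 or read from a locally mirrored copy.
# The first suffix is the real SHA-1 of "password"; the second line and all counts are filler.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00112233445566778899AABBCCDDEEFF001:2
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Upper-case SHA-1 hex split into the 5-char prefix (all a k-anonymity query
    sends to HIBP) and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text: str) -> Dict[str, int]:
    """Parse one range (API response body or local file) into {suffix: count}."""
    entries: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            entries[suffix.upper()] = int(count)
    return entries


class LocalRangeStore:
    """Offline mirror keyed by prefix, the model SafePass uses (list kept on each DC)."""

    def __init__(self, ranges: Dict[str, str]) -> None:
        self._ranges = {p.upper(): parse_range(t) for p, t in ranges.items()}

    def lookup(self, prefix: str) -> Optional[Dict[str, int]]:
        # None = range unavailable (missing from the mirror, or the API is down in an
        # online deployment); the policy layer decides what to do with that.
        return self._ranges.get(prefix.upper())


def breach_count(password: str, store: LocalRangeStore) -> Optional[int]:
    """Times the password appears in the list; 0 if absent; None if unavailable."""
    prefix, suffix = sha1_prefix_suffix(password)
    entries = store.lookup(prefix)
    return None if entries is None else entries.get(suffix, 0)


def password_allowed(password: str, store: LocalRangeStore, fail_closed: bool = True) -> bool:
    """Accept only unbreached passwords. If the list is unavailable, reject (fail closed)
    unless the deployment chooses to keep password changes working over the check."""
    count = breach_count(password, store)
    return (not fail_closed) if count is None else count == 0
```

With a full local mirror every one of the 16^5 prefixes is present, so a None result there means the mirror itself is incomplete or stale; in an online deployment it stands in for an API outage.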