Tuesday, July 5, 2022
  • ‘ChinaDan’ Hacks 1 BILLION Police Records from Shanghai: 23TB of PII for Sale
  • What Is a Zero-Day Attack?
  • Top 5 Most Common WordPress Malware Infections: An Anatomy Lesson
  • Robert M. Lee’s & Jeff Haas’ Little Bobby Comic – ‘WEEK 388’
  • Reverse Kill Chain Automation — Next Level of Incident Response Service.

Security Boulevard Logo

Security Boulevard

The Home of the Security Bloggers Network

Community Chats Webinars Library
  • Home
    • Cybersecurity News
    • Features
    • Industry Spotlight
    • News Releases
  • Security Bloggers Network
    • Latest Posts
    • Contributors
    • Syndicate Your Blog
    • Write for Security Boulevard
  • Events
    • Upcoming Events
    • Upcoming Webinars
    • On-Demand Events
    • On-Demand Webinars
  • Chat
    • Security Boulevard Chat
    • Marketing InSecurity Podcast
  • Library
  • Related Sites
    • Techstrong Group
    • Container Journal
    • DevOps.com
    • Security Boulevard
    • Techstrong Research
    • Techstrong TV
    • Devops Chat
    • DevOps Dozen
    • DevOps TV
    • Digital Anarchist
  • Media Kit
  • About Us

  • Analytics
  • AppSec
  • CISO
  • Cloud
  • DevOps
  • GRC
  • Identity
  • Incident Response
  • IoT / ICS
  • Threats / Breaches
  • More
    • Blockchain / Digital Currencies
    • Careers
    • Cyberlaw
    • Mobile
    • Social Engineering
  • Humor
Security Bloggers Network 

Home » Security Bloggers Network » Complying with NIST Guidelines for Stolen Passwords

SBN

Complying with NIST Guidelines for Stolen Passwords

by Chris Fuller on March 1, 2018

It seems everyone today is talking about stolen passwords, but this is an older problem than people realize. Protecting your enterprise from credential stuffing attacks and account takeover as a result of stolen credentials is at the heart of the discussion—and as more business moves online it’s an increasingly expensive problem.

The Stolen Password

During the final phase of the Peloponnesian War, 1 a series of tactical errors led to the defeat of the superior Athenian forces. Among the many errors was an inadequate identification system, reliant on a shared watchword. At the final and crucial battle of Syracuse, the besieged Syracusan army discovered the Athenian watchword that was used for identifying allies. Quietly disseminating this password between them, the Syracusan forces created havoc during a nighttime battle, preventing the dazed Athenian forces from identifying ally from foe and ultimately leading to their devastation.2

DevOps Connect:DevSecOps @ RSAC 2022

Step forward a few thousand years to the 1960s, when limited computing resources at MIT resulted in the Compatible Time-Sharing System. Given the limited power of computers at the time, a short phrase was the simplest way to identify users on the platform. But, the first password breach soon followed when in 1962 Allan Sherr, looking for a way to increase his allotted time on the platform, managed to request a printout of the entire password file.3

Since then, the history of the password remains consistently problematic. Passwords are complicated, easily forgotten, and usually represent a single point of failure. Wake up to find your password compromised and the results, although not quite as devastating as for the Athenians, can often be financially or socially shattering. In efforts to make passwords themselves more secure, increasingly arbitrary rules on their construction have been enforced. Unfortunately, these rules often force users to adopt practices that directly contradict the intent, driving users to adopt the same password across websites,456 or preventing the use of tools like password managers.

Meanwhile, despite growing awareness of multi-factor authentication systems, statistics around adoption rates are difficult to find and are widely thought to be worryingly low.

Introducing NIST

NIST (or the National Institute of Standards and Technology) is a non-regulatory United States Government Agency with a mission to “promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”7 Within this mandate, NIST has established the NIST Cybersecurity Framework. The original intent was to develop a voluntary framework to help organizations manage cybersecurity risk across critical infrastructure, but the framework has been adopted much more widely throughout the world. Of particular interest is the four-volume Special Publication 800-63 on Digital Identity Guidelines which is available on the NIST Website and NIST GitHub. It includes:

  • 800-63-3: Digital Authentication Guideline (overview)
  • 800-63A: Enrollment & Identity Proofing
  • 800-63B: Authentication & Lifecycle Management
  • 800-63C: Federation & Assertions

Password Guidance, the In-and-Out

Section 10.2 of 800-63B includes updated rules which contradict much of the conventional wisdom on passwords.

In:

  • Support passwords of at least 64 characters, allow spaces, and encourage users to make passwords as long as possible to encourage the use of passphrases.
  • Compare new passwords to a dictionary and don’t allow common, easily-guessed passwords (such as password, abc123, etc.).
  • Offer the option to display the password, rather than dots or asterisks.

Out:

  • Don’t enforce composition rules (no more: your password should include upper and lower case characters, and at least one number). These encourage passwords with the illusion of complexity, like Passw0rd, which any dictionary attack will take into account.
  • Don’t use password hints, as users tend to populate these hints with enough information to make guessing the password trivial. Instead, focus on supporting easily memorized passwords and phrases.
  • Don’t expire passwords unless there’s a user request or evidence of authenticator compromise.
  • Don’t use Knowledge Based Authentication (e.g. what was the name of your childhood pet?).
  • Don’t use SMS as a 2-Factor Authentication method.

Updated Password Storage Guidance

NIST also includes guidance on encryption and storage of user passwords. As we’ve seen from previous breaches, weak and reversible encryption lets attackers access vast sets of credentials that can easily be used against other sites8. To limit the effect of breaches on other sites, NIST recommends that:

  • Passwords should be salted and hashed using a suitable one-way key derivation function.
  • Use approved key derivation function PBKDF2 using SHA-1, SHA-2, or SHA-3 with at least 10,000 iterations.

Breach Corpuses

The appendix of 800-63b lays out some hard truths about the choices we make as users:

Users’ password choices are very predictable, so attackers are likely to guess passwords that have been successful in the past. These include dictionary words and passwords from previous breaches, such as the “Password1!” example above. For this reason, it is recommended that passwords chosen by users be compared against a “black list” of unacceptable passwords. This list should include passwords from previous breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose. Since user choice of passwords will also be governed by a minimum length requirement, this dictionary need only include entries meeting that requirement.

Maintaining a list of compromised credentials from previous breaches is a noble effort, but there are a number of factors to balance. For example, Facebook attracted criticism when it announced in 2016 that it had been purchasing credentials from the dark web9 in order to secure its own users. Such purchases could effectively help power the market, funding and encouraging further breaches and supporting the black market credential ecosystem. Plus, the huge window of time that exists between a data breach and the eventual emergence of the stolen credentials means that traditional breach corpus lists are often ineffective – and that’s something Shape Security is addressing with Blackfish. Shape co-founder Sumit Agarwal explains it best:

Shape has grown into one of the largest processors of login traffic on the entire web. We have built machine learning and deep learning systems to autonomously identify credential stuffing attacks in real-time. These systems now generate an important byproduct: direct knowledge of stolen usernames and passwords when criminals are first starting to exploit them against major web and mobile apps. What this means is that we see the stolen assets months or years before they appear on the dark web.

Of course, once you’ve found a way to compile it, a vast list of the freshest credentials is itself a major target, so to minimize risk (as well as ensure absolute compliance with regulations such as GDPR), Shape does not store any direct username/password pairs but instead leverages a probabilistic data structure called a Bloom filter.

Conclusion

As Jim Fenton, one of the publication contributors, points out, “If it’s not user friendly, users cheat.”10 Frustrating password policies have been long overdue for an overhaul and the new NIST Digital Identity Guidelines rightly place the burden upon the verifier, not the user. While verifiers of users should ensure they’re following the guidelines to give users the best chance of securing their accounts, they should also take additional steps to ensure that security breaches originating from outside their own organization are stopped before they create more damage closer to home. In light of the recent FTC ruling on credential stuffing, it might be more than just best practices that encourage verifiers to comply.

To learn more about NIST guidelines, stolen credentials and the breach corpus, join us March 7th for “After the Data Breach” – a live webinar with Justin Richer, co-author of NIST Special Publication 800-63B.
________________
[1] https://en.wikipedia.org/wiki/Peloponnesian_War
[2] http://perseus.uchicago.edu/perseus-cgi/citequery3.pl?dbname=GreekTexts&getid=1&query=Thuc.%207.44.6
[3] https://it.slashdot.org/story/12/01/28/024220/how-allan-scherr-hacked-around-the-first-computer-password
[4] https://nakedsecurity.sophos.com/2013/04/23/users-same-password-most-websites/
[5] https://www.infoworld.com/article/2623504/data-security/study-finds-high-rate-of-password-reuse-among-users.html
[6] https://mashable.com/2017/02/28/passwords-reuse-study-keeper-security/
[7] https://www.nist.gov/director/pao/nist-general-information
[8] https://medium.com/shape-security/2017-credential-spill-report-1ec31c411472
[9] https://www.csoonline.com/article/3142404/security/security-experts-divided-on-ethics-of-facebooks-password-purchases.html
[10] https://www.slideshare.net/jim_fenton/toward-better-password-requirements

*** This is a Security Bloggers Network syndicated blog from Shape Security Blog authored by Chris Fuller. Read the original post at: https://blog.shapesecurity.com/2018/03/01/complying-with-nist-guidelines-for-stolen-passwords/

March 1, 2018March 1, 2018 Chris Fuller account takeover, automated attacks, credential stuffing, NIST, security bloggers network, Security Trends
  • ← Avast scores 100% in Windows antivirus endpoint protection test
  • XKCD, Interaction →

TechStrong TV – Live

Click full-screen to enable volume control
Watch latest episodes and shows

Subscribe to our Newsletters

Get breaking news, free eBooks and upcoming events delivered to your inbox.
  • View Security Boulevard Privacy Policy
  • This field is for validation purposes and should be left unchanged.

Most Read on the Boulevard

Using AI/ML to Secure the Hybrid Workforce
Inching Toward Defend Forward
Disgruntled Law School Applicant’s Cyberharassment Ends With Narrow Court Ruling
CISO Talk EP 22 – Diversity, Equity and Inclusion in Security – TechStrong TV
‘ChinaDan’ Hacks 1 BILLION Police Records from Shanghai: 23TB of PII for Sale
Vulnerability & Patch Roundup — June 2022
This Week in Malware—Python Cryptominers, 345 Dependency Confusion Packages
Security champions and DevSecOps: Invicti at Infosecurity Europe 2022
Five Eyes Cyber Security Predictions
Security BSides Athens 2022 – Jessica Roussou’s ‘Hearty Welcome To Security BSides Athens 2022’

Upcoming Webinars

Mon 18

Kubernetes Security

July 18 @ 1:00 pm - 2:00 pm
Tue 19

Finding the Ransomware Threat INSIDE Your Backups

July 19 @ 3:00 pm - 4:00 pm
Mon 25

Applying the 2022 Open Source Findings to Software Supply Chain Risk Management

July 25 @ 3:00 pm - 4:00 pm
Wed 27

How to Shift Security Left: Best Practices From a Fortune 500 DevSecOps Leader

July 27 @ 1:00 pm - 2:00 pm
Aug 30

CISO Talk Master Class Episode: Catch Lightning in a Bottle – The Essentials: Bringing It All Together

August 30 @ 1:00 pm - 2:00 pm

More Webinars

Download Free eBook

The State of Cloud Native Security 2020

Industry Spotlight

HIPAA FAIL: ~33% of Hospital Websites Send PII to Facebook
Analytics & Intelligence Application Security Cloud Security Cyberlaw Cybersecurity Data Security Endpoint Featured Governance, Risk & Compliance Identity & Access Incident Response Industry Spotlight Most Read This Week Network Security News Popular Post Security Boulevard (Original) Spotlight Threats & Breaches Vulnerabilities 

HIPAA FAIL: ~33% of Hospital Websites Send PII to Facebook

June 17, 2022 Richi Jennings | Jun 17 0
Cars in the Crosshairs: Automakers, Regulators Take on Cybersecurity
Cybersecurity Governance, Risk & Compliance Industry Spotlight IoT & ICS Security Security Awareness Security Boulevard (Original) Threat Intelligence 

Cars in the Crosshairs: Automakers, Regulators Take on Cybersecurity

May 23, 2022 Mike Hodge | May 23 Comments Off on Cars in the Crosshairs: Automakers, Regulators Take on Cybersecurity
Establishing a Root of Trust in Embedded Linux and IoT
Cybersecurity Endpoint Industry Spotlight IoT & ICS Security Security Boulevard (Original) Vulnerabilities 

Establishing a Root of Trust in Embedded Linux and IoT

April 18, 2022 Anita Buehrle | Apr 18 Comments Off on Establishing a Root of Trust in Embedded Linux and IoT

Top Stories

‘ChinaDan’ Hacks 1 BILLION Police Records from Shanghai: 23TB of PII for Sale
Analytics & Intelligence Application Security Cloud Security Cyberlaw Cybersecurity Data Security Featured Governance, Risk & Compliance Identity & Access Incident Response Most Read This Week Network Security News Popular Post Security Awareness Security Boulevard (Original) Social Engineering Spotlight Threat Intelligence Threats & Breaches Vulnerabilities 

‘ChinaDan’ Hacks 1 BILLION Police Records from Shanghai: 23TB of PII for Sale

July 5, 2022 Richi Jennings | 1 hour ago 0
Attackers Work Hard to Engineer Trust; SharePoint, OneDrive Accounts at Risk
Cloud Security Cybersecurity Featured Identity & Access News Security Boulevard (Original) Social Engineering Spotlight Threat Intelligence Vulnerabilities 

Attackers Work Hard to Engineer Trust; SharePoint, OneDrive Accounts at Risk

July 5, 2022 Teri Robinson | 7 hours ago 0
Google Launches Advanced API Security to Combat API Threats 
Featured News Security Boulevard (Original) Spotlight 

Google Launches Advanced API Security to Combat API Threats 

June 30, 2022 Nathan Eddy | Jun 30 0

Security Humor

Robert M. Lee's & Jeff Haas' Little Bobby Comic - 'WEEK 388’

Robert M. Lee’s & Jeff Haas’ Little Bobby Comic – ‘WEEK 388’

Security Boulevard Logo White

DMCA

Join the Community

  • Add your blog to Security Bloggers Network
  • Write for Security Boulevard
  • Bloggers Meetup and Awards
  • Ask a Question
  • Email: [email protected]

Useful Links

  • About
  • Media Kit
  • Sponsors Info
  • Copyright
  • TOS
  • DMCA Compliance Statement
  • Privacy Policy

Related Sites

  • Techstrong Group
  • Container Journal
  • DevOps.com
  • Techstrong Research
  • Techstrong TV
  • DevOps Chat
  • DevOps Dozen
  • DevOps TV
  • Digital Anarchist
Powered by Techstrong Group
Copyright © 2022 Techstrong Group Inc. All rights reserved.