usnistgov / 800-63-3

Home to public development of NIST Special Publication 800-63-3: Digital Authentication Guidelines
https://pages.nist.gov/800-63-3/

More options for populating a list of forbidden passwords #98

Closed UppaJung closed 8 years ago

UppaJung commented 8 years ago

Organization: Microsoft Research

Type: 2

Reference (Include section and paragraph number): 5.1.1.2 paragraph 4

"When processing requests to establish and change memorized secrets, verifiers SHOULD compare the prospective secrets against a dictionary of known commonly-used and/or compromised values. This list SHOULD include passwords from previous breach corpuses, as well as dictionary words and specific words (such as the name of the service itself) that users are likely to choose."

Comment (Include rationale for comment):

For services that track failed login attempts to identify passwords frequently guessed by attackers, the list should also contain these passwords.

Suggested Change:

"When processing requests to establish and change memorized secrets, verifiers SHOULD compare the prospective secrets against a dictionary of known commonly-used, guessed, and/or compromised values. This list SHOULD include passwords from sites that track their own users' frequently-chosen passwords, previous breach corpuses which attackers are known to use to identify frequently-chosen passwords, frequently-guessed passwords identified by sites that track passwords from failed login attempts, as well as dictionary words and specific words (such as the name of the service itself) that users are likely to choose."


Organization: 1 = Federal, 2 = Industry, 3 = Other

jimfenton commented 8 years ago

Storage by a site of its users' frequently-chosen passwords and frequently-attempted incorrect passwords is problematic. Collection of frequently-chosen passwords requires their storage in other than a salted/hashed form, which is not permitted, and presents a significant risk if breached. Frequently-guessed passwords are generally in the compromised values dictionary already (since that is one thing that attackers will use); collecting additional incorrect passwords from the site is problematic because it will often include typos of correct passwords.

UppaJung commented 8 years ago

Hi Jim,

The problem with relying only on breach data is that there are site-specific common passwords that you'll miss if you only look at passwords from other websites. Frequently-guessed passwords are sometimes different than the passwords you'll see in dictionaries of compromised passwords.

Further, there are data structures that address the risk of tracking frequently-used or frequently-guessed passwords, addressing the exact problem you are concerned about.
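
The blocklist check that the quoted 5.1.1.2 text describes, combined with one of the storage-safe frequency-tracking structures the comment above alludes to (a count-min sketch indexed by keyed hashes, so no password is ever stored), as an added example that is not part of this thread or of the 800-63-3 text; the service name, blocklist entries, threshold and attempt values are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample sources for the three categories named in 5.1.1.2:
# breach corpus, dictionary words and service-specific words.
BREACH_CORPUS = {"123456", "password", "qwerty", "letmein"}
DICTIONARY_WORDS = {"sunshine", "dragon", "monkey"}
SERVICE_WORDS = {"examplebank", "examplebank2016"}  # hypothetical service


def blocklisted(candidate: str) -> bool:
    """Reject a prospective memorized secret found in any static source.
    Case-insensitive matching is an assumption, not something the draft states."""
    c = candidate.lower()
    return c in BREACH_CORPUS or c in DICTIONARY_WORDS or c in SERVICE_WORDS


class PrivateCountMinSketch:
    """Approximate frequency counter that never stores the counted value:
    each value is HMAC'd with a server-side secret key before indexing, so the
    table holds only integers and cannot be read back into a password list."""

    def __init__(self, key: bytes, width: int = 4096, depth: int = 4) -> None:
        assert depth <= 8, "sha256 digest yields at most 8 four-byte slices"
        self.key, self.width, self.depth = key, width, depth
        self.table = [[0] * width for _ in range(depth)]

    def _cells(self, value: str):
        # Normalized the same way as the static blocklist check above.
        digest = hmac.new(self.key, value.lower().encode(), hashlib.sha256).digest()
        for row in range(self.depth):  # four digest bytes select the column per row
            col = int.from_bytes(digest[4 * row:4 * row + 4], "big") % self.width
            yield row, col

    def add(self, value: str) -> None:
        """Record one chosen or attempted value (e.g. from a failed login)."""
        for row, col in self._cells(value):
            self.table[row][col] += 1

    def estimate(self, value: str) -> int:
        # Count-min bound: never below the true count, rarely far above it.
        return min(self.table[row][col] for row, col in self._cells(value))


def locally_popular(sketch: PrivateCountMinSketch, candidate: str, threshold: int = 5) -> bool:
    """Site-specific check: seen at least `threshold` times? (assumed tuning value)"""
    return sketch.estimate(candidate) >= threshold


def acceptable(sketch: PrivateCountMinSketch, candidate: str) -> bool:
    """Combined verifier decision for a prospective memorized secret."""
    return not blocklisted(candidate) and not locally_popular(sketch, candidate)
```

Because the sketch only keeps counters, a breach of the table alone does not disclose which values were chosen or attempted, which is the storage concern raised earlier in the thread.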

jimfenton commented 8 years ago

The current language, specifically "specific words (such as the name of the service itself) that users are likely to choose" covers all of these cases without being over-prescriptive. It's not appropriate for the document to specify too specifically what the source of all of the entries on the memorized secret blacklist might be.