NIST Says Nix the Compromised Creds!

It’s not like we haven’t said it before. Passwords are vulnerable to breach attacks. Passwords can be easy to guess, passwords can be hacked using random password generators, and once a password is breached in one system it can often be used to breach another system because users notoriously reuse passwords for multiple systems.

Governments are recognizing how vulnerable their citizens are to cyberattacks and are starting to get involved. In fact, in the United States, the National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Department of Commerce has published a set of Digital Identity Guidelines which includes an Authentication and Lifecycle Management publication that was first published in June of 2017 and was updated as recently as March of 2020.

They have specifically recommended that organizations take a few simple steps to prevent simple password attacks.

There are several different types of cyberattacks that take advantage of weak passwords and the users who use passwords across multiple sites:

  • Brute Force Attacks try random combinations of characters and numbers to “guess” the credentials for a user login. They basically bombard a login page with possible credentials until they get through. The less complex a user’s password is the more likely a brute force attack is to be successful.
  • Dictionary Attacks use known passwords, commonly used passwords to try and “guess” a user’s password and get in. The fact that many users use passwords like “12345678” or “password” makes dictionary attacks effective.
  • Credential Stuffing uses known usernames and passwords that have been hacked to get into accounts. Since users are likely to use the same credentials such as a particular email address and a meaningful password to them for multiple applications, credential stuffing is quite efficient. This year a COMB, or the Compilation of Many Breaches database was discovered with over 3.2 billion username and password combinations that were compiled from previous breaches. That data has been available on the dark web for cybercriminals to use as they wish.

The NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, recommends that “passwords chosen by users be compared against a “deny list” of unacceptable passwords. This list should include passwords from previous breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose.” By implementing this type of check against user passwords, you will have put formidable barriers up against the types of password attacks that are most common: brute force attacks, dictionary attacks and credential stuffing.

OneLogin’s SmartFactor AuthenticationTM can ensure that your users do not use easy-to-guess passwords or credentials that have been stolen from other systems. SmartFactor Authentication includes two options that fulfill these NIST recommendations:

  1. Dynamic Password Deny List
  2. Compromised Credential Check

Dynamic Password Deny List

Dynamic Password Deny List enables administrators to prevent users from using particular common passwords as their passwords or even embedded in their passwords. For example, you can block “password” from being used as well as “password123” or any other password with the word “password” in it somewhere. You can also prevent them from using some of their own data such as their first name or the company they work for within their password.

Compromised Credential Check

Compromised Credential Check actually compares users credentials both username and password or even just their password against lists of known breached credentials. This would render lists such as that COMB database useless for cybercriminals to use in order to breach your system.

We all need to be more vigilant as administrators, developers and users in protecting our data and our systems. Though the types of protections we have described here such as implementing a compromised credential check are not required in every industry or in every country, preventing user breaches can save you time and money in the long run. Following recommendations like the NIST’s Digital Identity Guidelines will help take the first steps.

About the Author

Alicia Townsend

For almost 40 years, Alicia Townsend has been working with technology as both a consultant and a trainer. She has a passion for empowering others to use technology to make their lives easier. As Director of Content and Documentation at OneLogin, Ms. Townsend works with technical writers, trainers and content marketing writers to inspire and empower everyone to take advantage of what OneLogin’s platform has to offer them.

Related Articles