-
Be the first to like this
Upcoming SlideShare
Updated Password Guidance from NIST
- 1. Updated Password Guidance from NIST NIST SP800-63B HTTPS://PAGES.NIST.GOV/800-63-3/SP800-63B.HTML @JOELMLEO JOEL.LEO@GMAIL.COM MAHALOS HI TECH HUI! HTTPS://WWW.HITECHHUI.COM/
- 2. Memorized Secret Authenticators (passwords) Section 5.1.1.1 “Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric. If the CSP or verifier disallows a chosen memorized secret based on its appearance on a blacklist of compromised values, the subscriber SHALL be required to choose a different memorized secret. No other complexity requirements for memorized secrets SHOULD be imposed. A rationale for this is presented in Appendix A Strength of Memorized Secrets."
- 3. Key Points for Passwords Removes periodic password change requirements Removes algorithmic complexity requirements Screen new passwords against commonly used or compromised passwords First two are pretty easy to handle, but the last one is less so. Let’s dig in to that one
- 4. How can we screen passwords against known-bad? Password black lists are great, but we need to make use of them to show their value Haveibeenpwned.com (Troy Hunt) API integration with many other services and apps API requires a subscription, which is $3.50/mo currently NIST Bad Passwords https://github.com/cry/nbp Open source, but not maintained. Last commit was @ 2 years ago
- 5. Commercial Solutions Enzoic https://www.enzoic.com/ Specops Password Blacklist https://specopssoft.com/support- docs/specops-password-policy/reference-material/specops-password- blacklist/ PasswordRBL https://www.passwordrbl.com/ nFront Password Filter https://nfrontsecurity.com/products/nfront- password-filter/
- 6. Azure AD Password Protection Azure AD Password Protection https://docs.microsoft.com/en- us/azure/active-directory/authentication/concept-password-ban-bad-on- premises Works on-prem Requires an agent installed on all covered domains' DCs Requires a proxy service running on a member server Requires Azure AD Premium P1 ($6/user/mo) or P2 ($9/user/mo) license for on- prem and for custom banned password lists for cloud-only users. Azure AD Free licenses can only use the global banned list for cloud-only users. There are questions around whether each user within AD, sync'd to AAD or not, requires any sort of licensing
- 7. Azure AD Password Protection Photo: Courtesy of Microsoft
- 8. There are bound to be security issues. Here are some. If the agent isn’t installed on all DCs for a domain, password changes against the ones without will not be validated against the blacklists This also means “bring your own DC” attacks circumvent the blacklists Passwords changed by modifying the AD database (NTDS.dit) offline will not be validated against the blacklists DSRM passwords will not be validated Interaction with password self service tools could pose problems Others?
- 9. QA
Be the first to comment