Credentials don’t start out on the dark web - they end there.  When usernames and passwords are compromised in a data breach, the consequences extend far beyond the victim organization due to rampant password reuse. For this reason, NIST recently recommended that organizations check users’ credentials against a set of known compromised passwords. However, by patroning dark web forums and paying for spilled credentials, enterprises indirectly support the criminal ecosystem. Furthermore, attackers often don’t publicly post stolen data until months or years after the breach, if at all. Is there a better way to follow NIST guidelines and protect users from account takeover? Join Justin Richer, co-author of NIST Digital Identity Guidelines 800-63B, and Gautam Agarwal, Blackfish Product Manager, for a lively discussion on NIST’s password recommendations and how best to prevent account takeover fraud at your organization. Agenda: The Threat of Stolen Credentials Reasoning Behind NIST’s Password Recommendations Ways to Manage a Password “Breach Corpus” How Blackfish Helps Organizations Follow NIST Guidelines

1. After the Data Breach: Stolen Credentials
March 7, 2018

2. Agenda
Credentials
Knowledge Base!
● NIST Password Guidelines Overview
● Implementing NIST Guidelines with Blackfish
● Q&A
Justin Richer
Coauthor of NIST Digital
Identity Guidelines
Gautam Agrawal
Product Management @
Shape Security

3. @justin__richerhttps://bspk.io/
NIST Password Guidelines
Justin Richer
Bespoke Engineering
3

4. @justin__richerhttps://bspk.io/
Security
4

5. @justin__richerhttps://bspk.io/
Passwords!
5

6. @justin__richerhttps://bspk.io/
Passwords throughout history
6

7. @justin__richerhttps://bspk.io/
“Shared secret”
7

8. @justin__richerhttps://bspk.io/
“Shared secret”
8

9. @justin__richerhttps://bspk.io/
Passwords today
9

10. @justin__richerhttps://bspk.io/
10

11. @justin__richerhttps://bspk.io/
Authorization or authentication
11

12. @justin__richerhttps://bspk.io/
NIST SP 800-63
12

13. @justin__richerhttps://bspk.io/
Levels of Assurance
13

14. @justin__richerhttps://bspk.io/
Password Guidelines
14

15. @justin__richerhttps://bspk.io/
Enforced rotation
15

16. @justin__richerhttps://bspk.io/
Complexity requirements
16

17. @justin__richerhttps://bspk.io/
word!
17

18. @justin__richerhttps://bspk.io/
At least 6 characters
18

19. @justin__richerhttps://bspk.io/
password!
19

20. @justin__richerhttps://bspk.io/
Upper and lower case
20

21. @justin__richerhttps://bspk.io/
Password!
21

22. @justin__richerhttps://bspk.io/
Numbers and symbols
22

23. @justin__richerhttps://bspk.io/
Pa$$w0rd!
23

24. @justin__richerhttps://bspk.io/
passW0rd!!
24

25. @justin__richerhttps://bspk.io/
P@ssword1!
25

26. @justin__richerhttps://bspk.io/
Entry Entropy (bits)
word 12.1
password 28.7
Password 34.8
Pa$$w0rd 36.0
p@ssW0rd! 42.9
P@ssword1 41.9
26

27. @justin__richerhttps://bspk.io/
Today’s “common knowledge”
27

28. @justin__richerhttps://bspk.io/
These are all terrible passwords
28

29. @justin__richerhttps://bspk.io/
Looking at reality
29

30. @justin__richerhttps://bspk.io/
30

31. @justin__richerhttps://bspk.io/
Everybody applies the rules differently
31

32. @justin__richerhttps://bspk.io/
Upper limits on length
32

33. @justin__richerhttps://bspk.io/
33

34. @justin__richerhttps://bspk.io/
34

35. @justin__richerhttps://bspk.io/
35

36. @justin__richerhttps://bspk.io/
36

37. @justin__richerhttps://bspk.io/
Character limitations
37

38. @justin__richerhttps://bspk.io/
38

39. @justin__richerhttps://bspk.io/
39

40. @justin__richerhttps://bspk.io/
40

41. @justin__richerhttps://bspk.io/
Difficult in mobile applications
41

42. @justin__richerhttps://bspk.io/
We thought we were fighting:
42

43. @justin__richerhttps://bspk.io/
43

44. @justin__richerhttps://bspk.io/
44

45. @justin__richerhttps://bspk.io/
What we’re actually fighting:
45

46. @justin__richerhttps://bspk.io/
Password re-use
46

47. @justin__richerhttps://bspk.io/
Breach corpuses
47

48. @justin__richerhttps://bspk.io/
Rainbow tables
48

49. @justin__richerhttps://bspk.io/
Session theft
49

50. @justin__richerhttps://bspk.io/
Hard to remember
50

51. @justin__richerhttps://bspk.io/
Easy to crack
51

52. @justin__richerhttps://bspk.io/
We should do better
52

53. @justin__richerhttps://bspk.io/
53

54. @justin__richerhttps://bspk.io/
New password guidelines
54

55. @justin__richerhttps://bspk.io/
Less reliance on passwords
55

56. @justin__richerhttps://bspk.io/
No complexity requirements
56

57. @justin__richerhttps://bspk.io/
Allow whitespace and unicode
57

58. @justin__richerhttps://bspk.io/
No upper limit on size
58

59. @justin__richerhttps://bspk.io/
correct horse battery staple!
59

60. @justin__richerhttps://bspk.io/
Entry Entropy (bits)
word 12.1
password 28.7
Password 34.8
Pa$$w0rd 36
p@ssW0rd! 42.9
P@ssword1 41.9
correct horse battery staple 104.2
60

61. @justin__richerhttps://bspk.io/
Memorize, don’t choose
61

62. @justin__richerhttps://bspk.io/
Still have minimum lengths
62

63. @justin__richerhttps://bspk.io/
✅ 🐎 🔋 🖇!
63

64. @justin__richerhttps://bspk.io/
Rotate reactively
64

65. @justin__richerhttps://bspk.io/
Hashed and salted storage
65

66. @justin__richerhttps://bspk.io/
Check against a blacklist
66

67. @justin__richerhttps://bspk.io/
Disallow common passwords
67

68. @justin__richerhttps://bspk.io/
Disallow known-broken passwords
68

69. @justin__richerhttps://bspk.io/
When do you check it?
69

70. @justin__richerhttps://bspk.io/
How do you check it?
70

71. @justin__richerhttps://bspk.io/
71

72. @justin__richerhttps://bspk.io/
Where do you get your blacklist?
72

73. @justin__richerhttps://bspk.io/
Build vs. outsource
73

74. @justin__richerhttps://bspk.io/
Complete customization
74

75. @justin__richerhttps://bspk.io/
Manage it yourself
75

76. @justin__richerhttps://bspk.io/
Where do you download it?
76

77. @justin__richerhttps://bspk.io/
Use a service?
77

78. @justin__richerhttps://bspk.io/
How do you trust that service?
78

79. @justin__richerhttps://bspk.io/
Collective benefits
79

80. Implementing NIST Guidelines with Blackfish
Gautam Agrawal

81. Where do you begin?
Password Blacklists

82. When Do You Generate The Blacklist?
2013
Yahoo
Breach
Credential Stuffing
starts
Breach
Discovered
2016
Some credentials may
be on Darknet
Typical Blacklist
generation e.g.
Darknet research firms
Blacklist generation
should start here
Stolen credentials not
available on Darknet

83. Stolen
Passwords
Detected
Breaches
Passwords
on Dark
Web
Ideal Blacklist
Universe of
Passwords
~90 Billion
(expected to grow to
300 Billion by 2020)
What Should The Blacklist Have?
Typical Blacklist

84. Password-Blacklists-as-a-Service

85. Go where stolen credentials are used first
Typical Blacklist… too little, too late.

86. Introducing Blackfish
2013
Yahoo
Breach
Credential Stuffing
starts
Breach
Discovered
2016
Some credentials may
be on Darknet
Typical Blacklist
generation e.g.
Darknet research firms
Blackfish starts list
generation here
Stolen credentials not
available on Darknet

87. How Blackfish Works
Blackfish
Knowledge Base
Credentials
Knowledge Base!Captures credentials used in Credential Stuffing attacks
Checks and informs if stolen passwords are being used

88. Largest banks
Largest federal agencies
Largest online services
Largest hotel chains
Largest airlines
Largest retailers
Why Blackfish
Stolen credentials are used against the largest targets

89. Why Blackfish
Shape protects largest enterprises that are attacked first
Shape customer network sharing
& deactivating compromised
credentials
3 of the top 5 airlines
3 of the top 4 banks
5 of the top 10 retailers
1 of the top 5 online
services2 of the top 3 government
agencies
3 of the top 5
hotels

90. Why Blackfish
Credentials
Knowledge Base! Shape detects and mitigates
credential stuffing attacks at scale:
• 500M transactions/day
• 100M logins/day

91. Most Comprehensive Blacklist (Breach Corpus)
Best Enterprise Network + Best Detection Ability
=

92. Blackfish Security
Credentials
Knowledge Base!
● Blackfish knowledge base
uses Bloom filter to transform
credentials into a binary
representation
● No need to store hashed or
clear text credentials
● Can’t be brute forced the way
hash tables can
Blackfish
Knowledge Base

93. Blackfish Capabilities
Credentials
Knowledge Base!
● Access to the most comprehensive Blacklist
● Simple API integration, directly within your web/mobile apps
● Checks for use of stolen passwords during ‘Account Create’ and
‘Password Reset’
● Checks for use of stolen passwords during ‘Login’
● Monitors enterprise domains or individual users to identify if their
credentials are breached

94. Blackfish Outcomes
Credentials
Knowledge Base!
Long Term
● Stolen credentials become less
valuable to attackers
● Credential Stuffing attacks and
fraud are reduced
Short Term
● Organizations proactively defend
themselves from attacks
● Reduced operational risk to the
organization

95. Blackfish auto-creates the right corpus
Don’t rely on the dark web