Credentials don’t start out on the dark web - they end there.
When usernames and passwords are compromised in a data breach, the consequences extend far beyond the victim organization because of rampant password reuse. For this reason, NIST recently recommended that organizations check users’ credentials against a set of known compromised passwords. However, by patronizing dark web forums and paying for spilled credentials, enterprises indirectly support the criminal ecosystem. Furthermore, attackers often don’t publicly post stolen data until months or years after the breach, if at all. Is there a better way to follow NIST guidelines and protect users from account takeover?
Join Justin Richer, co-author of NIST Digital Identity Guidelines 800-63B, and Gautam Agarwal, Blackfish Product Manager, for a lively discussion on NIST’s password recommendations and how best to prevent account takeover fraud at your organization.
Agenda:
The Threat of Stolen Credentials
Reasoning Behind NIST’s Password Recommendations
Ways to Manage a Password “Breach Corpus”
How Blackfish Helps Organizations Follow NIST Guidelines
82. When Do You Generate The Blacklist?
Timeline of the Yahoo breach, as drawn on the slide:
● 2013: Yahoo breach. Credential stuffing starts. Stolen credentials are not available on the Darknet. Blacklist generation should start here.
● 2016: Breach discovered. Some credentials may be on the Darknet. Typical blacklist generation (e.g. by Darknet research firms) happens here.
87. How Blackfish Works
Blackfish Knowledge Base (Credentials Knowledge Base):
● Captures credentials used in Credential Stuffing attacks
● Checks and informs if stolen passwords are being used
88. Why Blackfish
Stolen credentials are used against the largest targets:
● Largest banks
● Largest federal agencies
● Largest online services
● Largest hotel chains
● Largest airlines
● Largest retailers
89. Why Blackfish
Shape protects the largest enterprises, which are attacked first. Compromised credentials are shared across the Shape customer network and deactivated.
Enterprises protected by Shape:
● 3 of the top 5 airlines
● 3 of the top 4 banks
● 5 of the top 10 retailers
● 1 of the top 5 online services
● 2 of the top 3 government agencies
● 3 of the top 5 hotels
92. Blackfish Security
● The Blackfish knowledge base uses a Bloom filter to transform credentials into a binary representation
● No need to store hashed or clear-text credentials
● Can’t be brute forced the way hash tables can
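The Bloom-filter idea on this slide, as an added illustrative example (not Blackfish’s own code, and its sizing parameters are assumptions): a breach corpus of constructed sample credentials is folded into a bit array sized by the standard Bloom formulas, and a lookup at account create, password reset or login tests the exact username:password pair and the bare password separately.

```python
import hashlib
import math


class CredentialBloomFilter:
    """Breach-corpus membership check that stores only bit positions derived
    from a hash of each record, so no clear-text or hashed credential is kept
    and the structure cannot be enumerated back into a credential list."""

    def __init__(self, expected_items: int, false_positive_rate: float) -> None:
        # Standard sizing: m = -n*ln(p)/(ln 2)^2 bits, k = (m/n)*ln 2 hashes.
        self.m = math.ceil(-expected_items * math.log(false_positive_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Kirsch-Mitzenmacher double hashing: k positions from one SHA-256.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return ((h1 + i * h2) % self.m for i in range(self.k))

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: str) -> bool:
        # Any clear bit proves absence; all bits set means "probably present".
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


# Constructed sample corpus (made-up accounts, not real breach data).
SAMPLE_BREACH_CORPUS = [
    ("alice@example.com", "Winter2016!"),
    ("bob@example.com", "password123"),
    ("carol@example.com", "letmein"),
]


def build_filter(corpus, capacity: int = 10_000, fp_rate: float = 0.001) -> CredentialBloomFilter:
    """Index both the exact username:password pair and the bare password."""
    bf = CredentialBloomFilter(capacity, fp_rate)
    for username, password in corpus:
        bf.add("pair:" + username + ":" + password)
        bf.add("pw:" + password)
    return bf


def check_credential(bf: CredentialBloomFilter, username: str, password: str) -> dict:
    """Distinguish a reused breached pair (account takeover risk) from a
    password that is merely present in the corpus (NIST blocklist check)."""
    return {
        "pair_compromised": ("pair:" + username + ":" + password) in bf,
        "password_compromised": ("pw:" + password) in bf,
    }
```

A clear bit proves a credential is absent, while a hit is only “probably present” at the configured false-positive rate; the filter still answers membership queries for any candidate, so access to it needs the same protection as the corpus it replaces.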
93. Blackfish Capabilities
● Access to the most comprehensive Blacklist
● Simple API integration, directly within your web/mobile apps
● Checks for use of stolen passwords during ‘Account Create’ and ‘Password Reset’
● Checks for use of stolen passwords during ‘Login’
● Monitors enterprise domains or individual users to identify if their credentials are breached
94. Blackfish Outcomes
Short Term
● Organizations proactively defend themselves from attacks
● Reduced operational risk to the organization
Long Term
● Stolen credentials become less valuable to attackers
● Credential Stuffing attacks and fraud are reduced