Look, Ma, No Passwords: How & Why Blackfish uses Bloom Filters

When NIST issued guidelines in 2017 advising organizations to check new users’ credentials against a password “breach corpus,” one of the first questions was how to ensure the breach corpus itself didn’t get compromised.

Shape’s game-changing product, Blackfish, solved that problem by designing a patented approach to credential storage involving Bloom filters.

What is a Bloom filter?

A “Bloom filter” is a probabilistic data structure which can be queried for set membership, but which cannot be used to reproduce the original data that defines the set. This makes the construct ideal for storing highly sensitive data such as login credentials.

Bloom filters work by performing multiple hashes against the input datum, translating each of these resulting hash values to an index value of a bit-field. Since the same input value results in the same bit positions for each hash, if all matching fields are already set, then the item in question has probably been seen before.

For example, let’s say there are three pieces of data that are added to a Bloom filter:

Red

Blue

Green

Using the Bloom filter’s hashing algorithm, they will become

Red: <1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0>

Blue: <0,0,0,1,0,0,0,0,1,0,0,0,1,0,0,0>

Green: <0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0>

Now the Bloom filter set will be

Set: <1,0,0,1,0,0,0,1,1,1,0,1,1,0,0,0>

So then one might want to query whether “black” is in the dataset. Using the hashing algorithm, “black” becomes

Black: <1,0,0,0,1,0,0,0,1,0,0,0,1,0,0,0>.

Because there is no 1 in the 5th bit position in the aggregate Bloom filter set, we know “black” is not part of the set.

How does Blackfish use Bloom filters?

Blackfish uses Bloom filters to safely determine whether queried credentials were previously identified by Blackfish as compromised.

When a credential stuffing attack is observed on a Shape customer’s website or mobile app, Shape AI identifies the credentials used by the attacker and considers them compromised. The username and password pairs are then hashed, salted, re-hashed, and added to the Bloom filter. Once added to the set, the original credentials are destroyed.

Every time a login request is made on a Blackfish customer’s website or mobile app, Blackfish hashes the username and password combination and then checks the credential against the Bloom filter to determine if that particular username and password pair is part of the Bloom filter’s set.

If the credentials are found to be a match in the Bloom filter, Blackfish notifies the customer so that they can take appropriate action; e.g., temporarily suspend the account, force a password reset, etc.

How is a knowledge base built on Bloom filters safer from attack than a database of hashed passwords?

The underlying bitfield of a Bloom filter represents the entire set of all information about all supplied data. This means that portions of the datastore are not useful for providing meaningful amounts of information about any fraction of that data. For example, if an attacker got his hands on half of the Bloom filter set in the example above, he would not be able to leverage it in an attack, even if he had access to the hashing algorithm. All he would be able to do is determine if a certain username and password pair was not in the compromised credential set. That isn’t of much value to an attacker attempting to identify valid credentials!

Contrast this scenario with one in which an attacker gains access to a correctly salted, hashed, and/or encrypted row of a password database. With enough time and compute power (made much cheaper thanks to Bitcoin and its need for inexpensive SHA256 hashes), it is relatively straightforward to decrypt the subset of passwords via brute force.

How “sure” can a Bloom filter be?

As a probabilistic structure, there is error inherent in the Bloom filter as a storage medium. It is possible for an item to be identified as a member of the set when it was not added, if all of the hash indices return values that were set by some other member of the set. The likelihood of this “false positive” determination being correct is a function of the size of the bit array, the number of items stored in the array, and the number of hashed performed per item. However, the datastore can be sized such that the desired level of precision is maintained, even when the datastore reaches saturation.

The likelihood that the Blackfish Bloom filter implementation will produce a false positive result is less than one in a million.

Should every organization be using Bloom filters to store passwords?

Bloom filters are a fantastic solution for secure storage of passwords when checking for password reuse; but, because of the potential for false-positives, however small, they are ill-suited for credential validation.

Blooms filters work well for applications where the consequences of a false positive determination are small. For example, Google’s Chrome web browser uses a Bloom filter as a first level screen of suspicious URLs, and positive results are subjected to a second level test to confirm the issue before a warning is issued to the user.

In Blackfish’s use case, in the one in a million chance of a false positive, an enterprise falsely believes that a user’s password is compromised and takes an appropriate action. If an enterprise were to use a Bloom filter for their own password storage that would be used to authenticate users, a false positive could mean allowing a non-authorized user access to someone else’s account.

Care to learn more? Visit shapesecurity.com/blackfish or contact blackfish@shapesecurity.com to set up a demo.

How Much Does Credential Stuffing Cost Your Business?

Eight years ago, there wasn’t even a term for the practice of testing consumers’ stolen credentials against multiple e-commerce sites to see if they’ll enable account takeovers (ATOs) and other forms of fraud. Now, the US consumer banking industry alone faces nearly $50 million per day in potential losses due to credential stuffing attacks, while online retail is experiencing losses of about $6 billion per year.

While these numbers are certainly disturbing, many readers will be asking themselves, “What does this mean for my company?” Our new Credential Stuffing Calculator can help answer that question.

Our calculator was developed based on the results of our recently released 2018 Credential Spill Report. This report includes comprehensive statistics on the sources, targets, internal workings and, most importantly for the calculator, financial consequences of credential stuffing.

The calculator provides an estimate of the financial risk for any company doing business with customers via a website or mobile APIs, based on the following variables:

Total daily login attempts
Percentage of logins that are credential stuffing attacks
Percentage of those attacks that result in an ATO
Percentage of ATOs that result in financial loss
Average dollar loss per ATO
Other costs per ATO. These may include fees, consultants, investigations, financial penalties and negative impact on the brand.

Automated for Convenience

Obviously, most companies that aren’t customers of Shape Security won’t know what numbers to enter in the calculator’s fields for variables 2 through 5. Even companies that have implemented IP blocks or other “I am not a robot” technologies can’t be sure about these numbers because today’s most sophisticated (and most successful) attackers use technology that can easily defeat traditional security measures.

For this reason, our Credential Stuffing Calculator automatically fills in these variables for the four most frequently attacked industry sectors: consumer banking, retail (e-commerce), airlines and hotel chains, based on industry data we’ve gathered and analyzed in the course of protecting literally billions of accounts. (Some users will probably be shocked at the percentage of logins in their industry that are both automated and hostile.)

In addition to the automatic fill-in feature, variables 2 through 5 can also be manually adjusted. This allows users to calculate upper and lower limits to the estimated risk, i.e. worst case and best case scenarios. This also enables users outside of the four target industries to enter values that seem appropriate.

Variable 6, Other costs per ATO, is a somewhat softer number, but these costs are often very high. For example, according to one study, a third of the companies that experienced a major data breach in 2016 lost 20 percent of their customers. Beyond damage to a brand’s reputation, there are fines, notification costs and remediation costs for IT systems that also come into play.

Evaluating the Result

The Credential Stuffing Calculator lets companies quantify their risk, based on statistical averages calculated from actual industry data, and gives them a ballpark number to help them decide how much they should consider spending to protect themselves (and their customers) against credential stuffing. The 2018 Credential Spill Report provides even more information to help companies understand the precise nature of the threat facing them.

Credential stuffing is a relatively new problem, and it’s serious. Understanding how it works and quantifying its consequences are critical steps for companies that want to fight back.

Try the Credential Stuffing Calculator now.

How Starbucks Combats Account Takeover (ATO)

Account Takeovers (ATOs) and credential stuffing represent a huge threat to the retail industry. In fact, they pose major problems for any vertical in which customers tend to reuse passwords for multiple accounts. Password reuse makes compromised credentials even more valuable to cyber criminals.

Starbucks recognized this threat more than four years ago, before it was well understood by the industry at large. As Starbucks Director of InfoSec Mike Hughes said in a recent Shape Security webcast, “We started to put eyes on the issue in 2013, looking at it holistically as a problem for the industry and, as a member of the industry, something we would be facing and dealing with.”

Traditional Approaches Fail to Stop ATO

Before 2014, Starbucks relied on traditional security approaches such as throttle rate limits, web application firewalls (WAFs) and IP blocking via CDN bolt-on solutions. None of these worked against persistent and highly sophisticated credential-stuffing attacks. “We had short periods of small efficacy,” said Hughes, “but then came the retooling [by the attackers], and we wouldn’t be able to contain the attack for more than eight to ten hours.” The result was a Whack-A-Mole situation, with a new attack cropping up the moment the old one was blocked.

Shape Enterprise Defense contained the attackers decisively, said Hughes.”We were able to put blocks in place that had a lasting effect.”

Fighting Sophisticated Hackers Takes Total Focus

Shape’s total focus on security is key to its long-term efficacy, Hughes said. He characterized the blocking of bots as “a data analytics problem that needs to be addressed continuously, not a milestone where you achieve protection and then you’re done.” In Hughes’ view, the bolt-on solutions of CDN providers are not sufficient, because “their primary investment structures are around the CDN, not security.” Purpose-built solutions, like Shape’s, have the requisite focus.

Another differentiator for Shape is its advanced signal collection and analysis, which is necessary to deal with today’s hard-to-detect attacks. “If we look back to 2013 or 2014, we saw very bursty attacks,” said Hughes. “They had all sorts of flags. Now, the effort criminals will go to use a headless browser with tools such as PhantomJS to mimic signal telemetry is incredible. They are getting very advanced at masking.”

He also pointed out the value of Shape’s customer base, which includes banking and other verticals beyond retail — enabling Shape to train its ML models with the most advanced attack dataset and create higher efficacy countermeasures. “The broader footprint of other verticals that you can apply back to the data creates more efficacy. When you take a financial institution’s attack profile and risk surface for ATO and train the model against the one for retailers, you’re actually enhancing [your efforts] in a way that you can’t with a simple algorithm.”

With Shape’s Blackfish, Starbucks Can Identify Compromised Credentials

By adding Shape’s Blackfish product, Starbucks further bolstered its security posture. Through patented technology, Blackfish stores mathematical representations of known compromised credentials (not the credentials themselves) obtained from its extensive customer network. It can therefore identify compromised credentials in near real time, even before a breach has been discovered. This collective defense against fraud gives Starbucks customers proactive protection from the threat of an ATO.

“Blackfish gives us the ability to remediate customer issues before the customer experiences them,” said Hughes. “It’s a proactive approach to taking care of security and the customer.” When Starbucks becomes aware of a problem, it notifies customers and suggests an immediate password reset.

Securing Benefits Beyond Security

In addition to sustained efficacy in the real-time blocking of attacks, Hughes cited two other important Shape benefits. One was ease of deployment.

“There was zero effort required from the development teams to place the solution inline,” said Hughes, “and very little effort required from the infrastructure and data center teams. When you can go from no data transiting the devices to full block in less than two weeks, that’s a win. I have no other vendors who can get there that quickly.”

I have no other vendors who can get there that quickly.

A second benefit was reduced infrastructure load. “Looking holistically across retail, upwards of ninety percent of login activity is non-human bot traffic. That means you’re creating tremendous amounts of load. Blocking that means a significant ease on the infrastructure.”

Fraud Isn’t Going Away

The risk of cybercrime and internet fraud has become a fact of life for every transaction involving the internet, and there’s no end in sight. As Hughes put it, “The barrier to entry is so low, the return is so high and the risk of being caught is so low, this isn’t going away.” Starbucks is engaged in a long-term battle to block bots, ATO and credential stuffing attacks — and Shape plans to be there every step of the way.

[ Watch the full video ]

How Cybercriminals Monetize Ecommerce Fraud

E-commerce fraud has grown to the point where it’s a now a bigger drain on retail profits than shoplifting or inventory shrinkage. Based on the information we’ve gathered defending many of the largest retailers, banks and airlines in the world against cyber crime, there are three attack modes that carry particularly high risks for retailers:

Account takeover (credential stuffing)
Fake account creation
Gift card cracking

Ecommerce chargeback costs for retailers, the biggest financial hit associated with account takeovers, have now reached $40 billion per year. Fake account creation and gift card cracking, while less well documented, also result in substantial losses.

All three of these attack modes rely on compromised authentication credentials and their rapid monetization. Credential theft carried out on the scale that’s common today requires considerable time and effort, not to mention technical skill. Why do cyber crime organizations persist? One of our customers, Starbucks Director of InfoSec Mike Hughes, has a simple answer. “The risk is so low, and the reward is so high.”

He’s right. The take for a successful bank robbery runs between $5,000 and $7,000 at best. In 2016 there were eight deaths associated with bank robberies. Seven of them were the perpetrator. The same amount of money could be obtained by cracking between 100 and 150 gift cards (at an average value of about $45 per card), and the risk of being caught, much less killed, is almost zero.

Here’s a closer look at how cyber crime organizations monetize the results of their three favorite attacks.

Account Takeover

The bad actors who engage in credential stuffing to gain control of credit card accounts don’t always monetize those compromised accounts directly. In one common theft chain model, they sell the card information to brokers, who add value by sorting them geographically, determining credit limits and even purchase histories in some cases.

These brokers in turn sell the cards to so-called “carders,” typically in lots of one hundred or one thousand. The carders may use the compromised cards to make high value purchases, most often electronics such as flat screen TVs or smart phones. In this case, the goods are usually shipped to a new address where “mules” aggregate the illegitimate purchases and ship them overseas to be sold at perhaps 50 percent of their market value.

In a variant of this scheme, carders create fake physical cards which they supply to mules who actually make in-store purchases, although this method obviously carries more risk than CNP transactions. Carders may also engage in refund fraud.

Fake Account Creation

Creating fake accounts, also known as synthetic fraud, is a growing problem now that chip-bearing EMV credit cards are gaining traction. Creating fake accounts at scale requires automation or low-wage workers often referred to as “mechanical Turks,” but the rewards can be high. One monetization scheme cashes in on new-account promotions, whose value can be substantial, particularly when a cyber crime organization is dealing with hundreds of fake cards at any given time.

Another scheme is a long game, where fake cards are used to make small purchases and paid off every month until their credit limits grow. Fraudsters can then max out the fake card on high-value items, running up a bill they will never pay.

Gift Card Cracking

There are several monetization options for compromised gift cards. Cards can simply be sold for cash via legitimate card exchange sites that may offer rates as high as 60 percent of a card’s value. Other sites enable cyber crime organizations to auction off cards to the highest bidder.

The worst case scenario is when a gift card is connected to another account, such as a credit card account. In this case, fraudsters can use the gift card to drain the connected account.

Beyond monetization, gift cards have two other functions. It’s not uncommon for fraudsters to transfer money from a stolen credit card to a gift card before spending it, because this makes the transaction harder to tracer. Gift cards are also a very convenient vehicle for money laundering.

The Bottom Line Is the Bottom Line

Cyber criminal organizations, like legitimate businesses, have a strong focus on the bottom line. They engage in account takeover, fake account creation and gift card cracking because these activities are extremely lucrative. As long as they can continue to reap huge profits, they will pose a continuing threat.

To learn more about the mechanics of these attacks, and how they can be stopped in their tracks before any loss occurs, watch our newest webinar, The 3 Most Expensive Types of eCommerce Fraud.

World Password Day keeps coming and going, but password reuse sticks around

Password reuse allows fraudsters to use credentials stolen on one website to take over accounts on other sites.

It’s World Password Day again, the day created to herald the guardians of our corporate secrets, personal correspondence, medical information, purchasing information and, of course, our money.

The scary fact is this: As guardians of our identity, passwords aren’t doing a very good job. As a matter of fact, according to the most recent edition of the Verizon Data Breach Investigations Report, 81 percent of the breaches involved stolen or weak passwords. Why aren’t passwords protecting our accounts the way they should?

Good passwords are hard to create and easy to forget

On the IT side, password issues are the number-two problem faced by help desks, second only to, “My printer won’t print.” And, for businesses as a whole, password issues are a major source of friction, especially for retail transactions. A recent UK study indicates that strict password rules can lead to a checkout abandonment rate of 18.75%—almost one in five buyers. For users, the picture is just as bad. According to an Intel study, the average individual has 27 passwords. The same study reported that 37% of us forget at least one password per week, not that we need statistics to confirm that remembering passwords is difficult.

And this difficulty leads to one of the most common—and dangerous—password practices around: password reuse. Almost half of us use the same password on multiple accounts. This means that, more often than not, the theft of one password will compromise multiple accounts.

Passwords are not going away any time soon

If passwords are so much trouble and lead to so much risk, why do they still play such a dominant role in security? The answer is, at least for now, that no better alternative exists.

Multi-factor authentication (MFA) is often put forth as a solution to the shortcomings of passwords, but MFA itself has problems. To begin with, it adds friction to every transaction. Biometric authentication reduces friction, but woe to those whose biometric credentials are compromised: You can’t change your fingerprints or your iris image. You can’t change your mother’s maiden name, either, which is why challenge questions aren’t a perfect solution; their answers can also be stolen. Token-based MFA, meanwhile, is inconvenient, especially when the token is a physical object that can be forgotten, lost or stolen.

Undiscovered stolen passwords are a big problem

High-profile breaches at companies like Equifax, Anthem, and Yahoo have put the problem of stolen passwords in the headlines. In response, companies have set up password defenses—but they tend to do so only after discovering a breach.The window of time between breach and discovery can be weeks, even months—and it’s during this window that companies and their consumers face the most risk.

The greatest window of risk is the period of time between the date of the breach and the date of its discovery.

During this period, neither users nor the breached organizations (retail chains, banks, etc.) are aware that there’s a problem. Cybercrime organizations have free reign to pilfer the vulnerable account—and they do. Then, when they’re finished extracting as much value as they can, they post the stolen passwords on the dark web, where other criminals can buy and use them on as many sites as they can. The monetization of stolen passwords, carried out at scale via the use of automated attacks such as credential stuffing, costs more than $10 billion in fraud losses annually.

Protecting customers from themselves

Living in the password economy comes with certain responsibilities. Among them, we must prevent fraudsters from using stolen credentials on any web site as soon as they’re stolen. Shape Security’s Blackfish technology does just that.

Here’s how it works. Shape Security protects more than 1.4 billion user accounts at some of the world’s largest brands from automated attacks. We know immediately when a password at one of these sites has been compromised. Blackfish, in turn, can immediately alert companies when a stolen password is used on their web or mobile applications. Then companies can take action such as a forced password reset, a step-up authentication flow, or placement on a watch list.

Say goodbye to World Password Day?

By lowering the success rate of automated attacks, Blackfish actually changes the economics of these forms of cybercrime. When success rates drop, so do the profits of the organizations perpetrating them. They may be forced to shut down operations—or at least look to cause trouble elsewhere.

Maybe one day we can say goodbye to World Password Day.

How Big Banks Fight Online Fraud

Three top strategies fraudsters use against banks—and how they can be defeated.

When it comes to cybercrime, banks have a target on their back. In fact, financial institutions in general are one of the prime hunting grounds for hacking organizations. In 2017 there were 134 data breaches in the banking industry, resulting in 3.1 million compromised records. Equifax, one of the three largest credit agencies in the U.S., suffered a breach involving as many as 143 million consumers.

While the exploits that hit major brands make the news, small institutions are by no means safe. In 2016, banks and credit unions with less than $35 million in annual revenue accounted for 81 percent of hacking and malware breaches at financial institutions, up from 54 percent the year before.

Shape protects three of the top four banks in the U.S. Working with them has given us important insights into the current threats that banks are most likely to encounter, and the defensive strategies that work. After tackling the biggest threat, account takeover via credential stuffing, the most common online fraud problems stem from man-in the browser attacks, relationships with financial aggregators, and manual attacks using stolen identities.

Man-in-the-Browser

Man-in-the-browser (MITB) attacks are initiated by client desktops, laptops, smartphones and other devices that have become infected with malware inadvertently downloaded by a user—typically by clicking on a malicious link in an email. Once in place, the malware continuously watches all the web traffic on the user’s device. When the user’s browser downloads a page from a bank that’s been targeted for attack, the malware interposes itself between the bank’s web application and the user’s browser.

Sitting between the two, it can do whatever it wants and remain undetected. It can pretend to be the user and send unauthorized transactions. It can modify transactions, e.g. by changing the beneficiary details on a payment. It can also scrape PII and user credentials.

One of the most difficult problems with MITB exploits is the fact that they originate from the client’s device, over which banks have no control. Many banks believe that multi-factor identification (MFA) can foil MITB. This is not always the case, as digital wallet start-up Zelle learned the hard way. When that company was attacked, the malware allowed the fraudsters to loiter until end users authenticated themselves using MFA, and then manipulated their transactions.

Financial Aggregators

By consolidating information from multiple financial accounts in one place, financial aggregators make it easy for their customers to get a global picture of where they stand and easily track their spending. But with this convenience comes a significant security risk.

Shape has observed that aggregators make up 20% of a typical bank’s traffic and log in 2.5 times as often as real users. Furthermore, banks themselves often relax their security procedures when dealing with an aggregator. As a result, bad actors use aggregators as a backdoor into banks because they know their traffic is much less likely to be blocked.

For large banks, tracking login patterns is a key weapon against aggregator-based fraud. The trick is to distinguish between good and bad traffic. Shape Security solutions achieve this through the use of real-time statistical analysis and pattern recognition. When a suspicious pattern reveals an exploit in progress, this information can be used to trigger a defensive response.

Manual Fraud

Fraudsters typically use manual methods to apply for credit cards using stolen identities. They buy “fullz” files on the dark web that include a credit card number, CVV and expiration date, plus the cardholder’s name, address, email address, SSN and even security question responses. With this information, fraudsters could easily indulge in an online shopping spree, or apply for new cards, changing only the physical and email addresses. Fraudsters can typically apply for a few dozen cards per day, or they can use human farms and complete several hundred card applications per day. Once they get approvals, they can have access to thousands of dollars per card.

Learn How Shape Fights Fraud

Join our live threat briefing: How 3 of the Top 4 US Banks Defeat Account Takeover & Manage Aggregators as we go into detail about the tactics big banks use to protect their customers, and how all banks can leverage this knowledge to fight fraudsters and win. Sign up now

Complying with NIST Guidelines for Stolen Passwords

It seems everyone today is talking about stolen passwords, but this is an older problem than people realize. Protecting your enterprise from credential stuffing attacks and account takeover as a result of stolen credentials is at the heart of the discussion—and as more business moves online it’s an increasingly expensive problem.

The Stolen Password

During the final phase of the Peloponnesian War, ¹ a series of tactical errors led to the defeat of the superior Athenian forces. Among the many errors was an inadequate identification system, reliant on a shared watchword. At the final and crucial battle of Syracuse, the besieged Syracusan army discovered the Athenian watchword that was used for identifying allies. Quietly disseminating this password between them, the Syracusan forces created havoc during a nighttime battle, preventing the dazed Athenian forces from identifying ally from foe and ultimately leading to their devastation.²

Step forward a few thousand years to the 1960s, when limited computing resources at MIT resulted in the Compatible Time-Sharing System. Given the limited power of computers at the time, a short phrase was the simplest way to identify users on the platform. But, the first password breach soon followed when in 1962 Allan Sherr, looking for a way to increase his allotted time on the platform, managed to request a printout of the entire password file.³

Since then, the history of the password remains consistently problematic. Passwords are complicated, easily forgotten, and usually represent a single point of failure. Wake up to find your password compromised and the results, although not quite as devastating as for the Athenians, can often be financially or socially shattering. In efforts to make passwords themselves more secure, increasingly arbitrary rules on their construction have been enforced. Unfortunately, these rules often force users to adopt practices that directly contradict the intent, driving users to adopt the same password across websites,⁴⁵⁶ or preventing the use of tools like password managers.

Meanwhile, despite growing awareness of multi-factor authentication systems, statistics around adoption rates are difficult to find and are widely thought to be worryingly low.

Introducing NIST

NIST (or the National Institute of Standards and Technology) is a non-regulatory United States Government Agency with a mission to “promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”⁷ Within this mandate, NIST has established the NIST Cybersecurity Framework. The original intent was to develop a voluntary framework to help organizations manage cybersecurity risk across critical infrastructure, but the framework has been adopted much more widely throughout the world. Of particular interest is the four-volume Special Publication 800-63 on Digital Identity Guidelines which is available on the NIST Website and NIST GitHub. It includes:

Password Guidance, the In-and-Out

Section 10.2 of 800-63B includes updated rules which contradict much of the conventional wisdom on passwords.

In:

Support passwords of at least 64 characters, allow spaces, and encourage users to make passwords as long as possible to encourage the use of passphrases.
Compare new passwords to a dictionary and don’t allow common, easily-guessed passwords (such as password, abc123, etc.).
Offer the option to display the password, rather than dots or asterisks.

Out:

Don’t enforce composition rules (no more: your password should include upper and lower case characters, and at least one number). These encourage passwords with the illusion of complexity, like Passw0rd, which any dictionary attack will take into account.
Don’t use password hints, as users tend to populate these hints with enough information to make guessing the password trivial. Instead, focus on supporting easily memorized passwords and phrases.
Don’t expire passwords unless there’s a user request or evidence of authenticator compromise.
Don’t use Knowledge Based Authentication (e.g. what was the name of your childhood pet?).
Don’t use SMS as a 2-Factor Authentication method.

Updated Password Storage Guidance

NIST also includes guidance on encryption and storage of user passwords. As we’ve seen from previous breaches, weak and reversible encryption lets attackers access vast sets of credentials that can easily be used against other sites⁸. To limit the effect of breaches on other sites, NIST recommends that:

Passwords should be salted and hashed using a suitable one-way key derivation function.
Use approved key derivation function PBKDF2 using SHA-1, SHA-2, or SHA-3 with at least 10,000 iterations.

Breach Corpuses

The appendix of 800-63b lays out some hard truths about the choices we make as users:

Users’ password choices are very predictable, so attackers are likely to guess passwords that have been successful in the past. These include dictionary words and passwords from previous breaches, such as the “Password1!” example above. For this reason, it is recommended that passwords chosen by users be compared against a “black list” of unacceptable passwords. This list should include passwords from previous breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose. Since user choice of passwords will also be governed by a minimum length requirement, this dictionary need only include entries meeting that requirement.

Maintaining a list of compromised credentials from previous breaches is a noble effort, but there are a number of factors to balance. For example, Facebook attracted criticism when it announced in 2016 that it had been purchasing credentials from the dark web⁹ in order to secure its own users. Such purchases could effectively help power the market, funding and encouraging further breaches and supporting the black market credential ecosystem. Plus, the huge window of time that exists between a data breach and the eventual emergence of the stolen credentials means that traditional breach corpus lists are often ineffective – and that’s something Shape Security is addressing with Blackfish. Shape co-founder Sumit Agarwal explains it best:

Shape has grown into one of the largest processors of login traffic on the entire web. We have built machine learning and deep learning systems to autonomously identify credential stuffing attacks in real-time. These systems now generate an important byproduct: direct knowledge of stolen usernames and passwords when criminals are first starting to exploit them against major web and mobile apps. What this means is that we see the stolen assets months or years before they appear on the dark web.

Of course, once you’ve found a way to compile it, a vast list of the freshest credentials is itself a major target, so to minimize risk (as well as ensure absolute compliance with regulations such as GDPR), Shape does not store any direct username/password pairs but instead leverages a probabilistic data structure called a Bloom filter.

Conclusion

As Jim Fenton, one of the publication contributors, points out, “If it’s not user friendly, users cheat.”¹⁰ Frustrating password policies have been long overdue for an overhaul and the new NIST Digital Identity Guidelines rightly place the burden upon the verifier, not the user. While verifiers of users should ensure they’re following the guidelines to give users the best chance of securing their accounts, they should also take additional steps to ensure that security breaches originating from outside their own organization are stopped before they create more damage closer to home. In light of the recent FTC ruling on credential stuffing, it might be more than just best practices that encourage verifiers to comply.

To learn more about NIST guidelines, stolen credentials and the breach corpus, watch “After the Data Breach” – a live webinar with Justin Richer, co-author of NIST Special Publication 800-63B.

________________

[1] https://en.wikipedia.org/wiki/Peloponnesian_War

[2] http://perseus.uchicago.edu/perseus-cgi/citequery3.pl?dbname=GreekTexts&getid=1&query=Thuc.%207.44.6

[3] https://it.slashdot.org/story/12/01/28/024220/how-allan-scherr-hacked-around-the-first-computer-password

[4] https://nakedsecurity.sophos.com/2013/04/23/users-same-password-most-websites/

[5] https://www.infoworld.com/article/2623504/data-security/study-finds-high-rate-of-password-reuse-among-users.html

[6] https://mashable.com/2017/02/28/passwords-reuse-study-keeper-security/

[7] https://www.nist.gov/director/pao/nist-general-information

[8] https://medium.com/shape-security/2017-credential-spill-report-1ec31c411472

[9] https://www.csoonline.com/article/3142404/security/security-experts-divided-on-ethics-of-facebooks-password-purchases.html

[10] https://www.slideshare.net/jim_fenton/toward-better-password-requirements