
JamieE.16593 (Customer) asked a question.
NIST has a requirement to not allow passwords that have previously been breached:
```
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
- Passwords obtained from previous breach corpuses.
```
However, in my testing, Okta's feature "Restrict use of common passwords" in the password policy fails to catch some of the most egregiously compromised known passwords.
For one example, I tested the password "thisismypassword" which not only includes the word "password," it has shown up 3,081 times in the haveibeenpwned database. I was able to create this password for my user in Okta, even with "Restrict use of common passwords" enabled on my password policy.
What database is Okta referencing for its common passwords check? Will Okta be expanding this database any time soon? Perhaps including the haveibeenpwned.com database?
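The check the question is asking for can be built from two sources: a local common-password dictionary and the haveibeenpwned.com breached-password corpus, which can be queried without sending the password itself by using its k-anonymity range API (client sends only the first five hex characters of the SHA-1 hash and matches the suffix locally). The following is an added example, not Okta's implementation and not code from the question; the breach counts other than the 3,081 quoted above are constructed, the offline lookup function stands in for the live `https://api.pwnedpasswords.com/range/{prefix}` endpoint, and the live function assumes that endpoint's response format is unchanged (one `SUFFIX:COUNT` line per entry).

```python
import hashlib
from typing import Callable, Dict, Set, Tuple

# Constructed sample corpus: only the 3,081 for "thisismypassword" is the figure
# quoted in the question above; the other counts are placeholders.
CONSTRUCTED_BREACHED: Dict[str, int] = {
    "thisismypassword": 3081,
    "Password1": 12345,
    "letmein": 678,
}

# Constructed stand-in for a "common passwords" dictionary (Okta's real list is not public).
CONSTRUCTED_COMMON: Set[str] = {"password", "123456", "qwerty", "welcome"}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the HIBP range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept on the client)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; blank lines and count-0 padding lines are tolerated."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def constructed_range_lookup(prefix: str) -> str:
    """Offline stand-in for GET /range/{prefix}: entries from CONSTRUCTED_BREACHED
    whose hash starts with the prefix, plus count-0 padding lines like the real API
    emits when the Add-Padding header is set."""
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    for i in range(3):  # padding entries hide how many real matches the bucket has
        _, s = split_hash(f"padding-{prefix}-{i}")  # constructed, never a real password
        lines.append(f"{s}:0")
    return "\r\n".join(lines)


def hibp_range_lookup(prefix: str) -> str:
    """Live lookup (network). Assumes the endpoint still returns SUFFIX:COUNT lines."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "example-password-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, lookup: Callable[[str], str] = constructed_range_lookup) -> int:
    """How many times the password appears in the corpus behind `lookup` (0 if never)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def is_common(password: str, dictionary: Set[str]) -> bool:
    """Case-insensitive dictionary check, matching how such lists are usually built."""
    return password.strip().lower() in dictionary


def validate_new_password(
    password: str,
    dictionary: Set[str] = CONSTRUCTED_COMMON,
    lookup: Callable[[str], str] = constructed_range_lookup,
) -> Tuple[bool, str]:
    """Accept or reject a prospective memorized secret per the NIST rule quoted above."""
    if len(password) < 8:  # SP 800-63B minimum length for user-chosen secrets
        return False, "shorter than 8 characters"
    if is_common(password, dictionary):
        return False, "in common-password dictionary"
    n = breach_count(password, lookup)
    if n > 0:
        return False, f"seen {n} times in breach corpus"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("thisismypassword", "Password", "a-constructed-unique-passphrase-9c1f"):
        print(candidate, "->", validate_new_password(candidate))
```

Pass `lookup=hibp_range_lookup` to `validate_new_password` to query the live corpus; the offline lookup exists so the logic can be exercised without network access. The dictionary check alone would have let "thisismypassword" through, which is the gap the question describes; the range lookup is what catches it.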

Hello!
Thank you for reaching out to the Okta Community.
The feature indicates whether to check passwords against a common password dictionary.
We've compiled a list of over 10M passwords from a variety of sources (breached, sprayed, etc.) and narrowed it to the most common ones (around 100k).
Please note that we continuously monitor the security landscape in the industry, update the list (we currently do not have a schedule for updating this list, but will update it ad hoc as more data becomes available) and it will not be made public.
As of now, Okta will NOT share that data. We can share our process, but sharing which passwords we detect allows attackers to know which passwords to skip. Additionally, we reserve the right to change that list at any time.
Dear Catalin,
This is not a useful answer. The customer above, and my organization as well, are attempting to comply with NIST requirements and Okta is not able to support that requirement today with the current ~100k list.
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
REQUEST: Expand the list to include known compromised passwords from password breaches. The haveibeenpwned.com database is one such example source of these passwords.
Thank you!