[ARIN-consult] Consultation on Password Security for ARIN Online Accounts

Rob Seastrom rs at seastrom.com
Tue Feb 16 13:03:28 EST 2021 


> On Feb 16, 2021, at 12:24 PM, William Herrin <bill at herrin.us> wrote:
> 
>  I strongly recommend implementing it rather
> than trying to devise your own criteria. When 800-63 is properly
> implemented, external password-guessing attacks are effectively
> useless.


That has been in the suggestion box for over two years as "ACSP Suggestion 2018.22: Align ARIN password policy with current NIST SP800-63 recommendations".  It's all in there in 800-63, account locking guidelines, password length and composition...  I concur with Bill's suggestion that we not try to roll our own here.

Not opposed to querying with partial hashes (not "encrypted passwords") against haveibeenpwned, but if we demand passwords of at least 20 characters in length (not the bare minimum of 8 as specified in 800-63B 5.1.1.2) with no further requirements for special characters or rotation, I suspect in practice we will never see a match.

Note that either forcing longer passwords or the solution proffered in the original consultation can only be applied at password change time; neither can be applied retroactively to all passwords presently in the password store.  Any deployment of a new policy should be accompanied by a forced password change for users so that the test can be made.  To avoid annoying our constituency with multiple forced password changes, I'd rather not see this done iteratively - that is to say, we should figure out the plan and execute it once.

Allowing passwords that have been changed to a password of sufficient length to be subject to more relaxed account locking rules, or even none at all if MFA is enabled...  could reduce staff costs associated with locked account recovery.

None of this will address system load associated with dictionary-based password guessing attacks; in fact, applying the more relaxed locking guidelines of 800-63 might make it worse.

-r


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-consult/attachments/20210216/095bc9a8/attachment.htm>

More information about the ARIN-consult mailing list