[ARIN-consult] Consultation on Password Security for ARIN Online Accounts

William Herrin bill at herrin.us
Tue Feb 16 12:24:21 EST 2021


On Tue, Feb 16, 2021 at 8:11 AM ARIN <info at arin.net> wrote:
> Since October 2020, the ARIN Online system has been subject to a series of dictionary-based password guessing attacks. Because of the protective measures currently in place, some customer accounts were locked during these attacks.  ARIN staff has been heavily engaged in mitigating these attacks, and we are seeking community feedback on potential steps ARIN can take to reduce the risk of future attacks and to help customers ensure they are using strong passwords. Password dictionary guessing attacks continue to be a problem in the industry, and this effort should help reduce the extent of previously exposed passwords for our ARIN Online user base.
>
> Password Check Proposal
>
> To help ARIN customers make sure they aren’t using a password that has been exposed and shared publicly online, when someone updates their password or creates a user account in ARIN Online, it is proposed that ARIN should check the database "haveibeenpwned (https://haveibeenpwned.com)" to see if they are trying to use a password that has been compromised. ARIN will not send the password, but rather we encrypt the password and send part of the encrypted password to the Have I been Pwned (HIBP) Service (https://haveibeenpwned.com/API/v3#PwnedPasswords) to see if it matches a compromised password.  Actual passwords are never sent or used in any query, nor is your user ID or email shared as part of this check.


NIST Special Publication 800-63 revision 3 explains how to manage
memorized secrets like passwords in a secure manner. This includes
checking a database of known compromised passwords (not an external
per-password service) and disallowing the use of passwords which
appear in that database. I strongly recommend implementing it rather
than trying to devise your own criteria. When 800-63 is properly
implemented, external password-guessing attacks are effectively
useless.

Regards,
Bill Herrin


-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/
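The two screening approaches discussed in this thread, side by side, as an added example that is not ARIN's, HIBP's or the poster's code: the k-anonymity range query ARIN describes (hash the candidate password, send only the first five hex characters of the hash, compare the remaining suffix locally) and the local blocklist check that NIST SP 800-63B section 5.1.1.2 calls for. The leaked-password sample in CONSTRUCTED_LEAKED is made up, constructed_range_server is an offline stand-in for the real range endpoint (no network request is made), and the function and variable names are this example's own assumptions.

```python
"""Screening a candidate password against known-compromised passwords.

Added example; not ARIN's, HIBP's or the poster's code. Sample data is constructed.
"""
from __future__ import annotations

import hashlib
from collections import Counter
from typing import Callable

# Constructed sample of "already leaked" passwords with repeat counts, standing
# in for the Pwned Passwords corpus. Values are made up for this example.
CONSTRUCTED_LEAKED = Counter({
    "password": 3,
    "letmein": 2,
    "Summer2020!": 1,
})


def sha1_upper(password: str) -> str:
    """Hex SHA-1 of the UTF-8 password, upper-cased as the HIBP API formats it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """k-anonymity split: only the 5-char prefix leaves the host, the suffix stays local."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def constructed_range_server(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Returns one 'SUFFIX:COUNT' line per leaked hash sharing the prefix, which is
    the response shape of the live endpoint (assumption; the endpoint is not contacted).
    """
    lines = []
    for pw, count in CONSTRUCTED_LEAKED.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed or blank lines are skipped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def hibp_breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the leaked corpus (0 if absent).

    Neither the password nor its full hash is passed to fetch_range; the
    suffix match happens here, on the caller's side.
    """
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- Local blocklist: the NIST SP 800-63B approach the reply recommends ---
# Stored as hashes so the blocklist itself never holds cleartext passwords.
LOCAL_BLOCKLIST = {sha1_upper(pw) for pw in CONSTRUCTED_LEAKED}


def evaluate_password(password: str, blocklist: set[str], min_length: int = 8) -> str:
    """Return 'ok' or the reason the password is rejected, checked without any external query."""
    if len(password) < min_length:
        return "too_short"
    if sha1_upper(password) in blocklist:
        return "compromised"
    return "ok"


if __name__ == "__main__":
    for candidate in ("password", "letmein", "Tr0ub4dor&3-ARIN-2021"):
        print(
            candidate,
            "hibp_count=", hibp_breach_count(candidate, constructed_range_server),
            "local=", evaluate_password(candidate, LOCAL_BLOCKLIST),
        )
```

Two details worth noticing when running it: the range query reveals only a 5-character prefix shared by many unrelated passwords, so the server learns nothing about which one was checked, and the local blocklist check returns a result for "letmein" without ever consulting the compromised list, because length is rejected first. Swapping constructed_range_server for a real HTTPS client gives the online variant; pointing LOCAL_BLOCKLIST at a downloaded hash list gives the fully offline variant.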

