[ARIN-consult] Consultation on Password Security for ARIN Online Accounts

William Herrin bill at herrin.us
Tue Feb 16 13:41:05 EST 2021


On Tue, Feb 16, 2021 at 10:03 AM Rob Seastrom <rs at seastrom.com> wrote:
> None of this will address system load associated with dictionary-based password guessing attacks; in fact, applying the more relaxed locking guidelines of 800-63 might make it worse.

Hi Rob,

It has been a while since I read it but IIRC you don't lock accounts
in 800-63. Instead, you rate-limit attempts.

If a particular origin can make only one guess per second and you lock
the -origin- for a day if it makes 1000 unsuccessful attempts in a
row, even with 100,000 origins attempting to hack you the math says
that the time it takes to break a reasonably good 8-character password
is functionally infinite -- 6000 years or more. Your worst case is a
denial of service attack where distributed attempts to break the same
account repeat so continuously that the legitimate account holder
can't get through. Unless denial of service is the attacker's intent,
they quickly figure out they're not capturing any passwords and move
on.

Regards,
Bill Herrin


--
William Herrin
bill at herrin.us
https://bill.herrin.us/
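The per-origin throttle described in Bill's message, as an added example that is not part of the original thread or any ARIN code: one attempt per second per origin, a one-day lockout of the origin after 1000 consecutive failures, and the resulting estimate of how long a full search of the 8-character space would take. The 62-character alphabet, the exact lockout figures and the `years_to_exhaust` helper are assumptions of this example.

```python
"""Per-origin login throttle and the brute-force estimate it implies.
Added example; not ARIN's or the poster's code.  Assumed parameters:
1 guess/second/origin, lock an origin for a day after 1000 consecutive
failures, passwords drawn from a 62-character alphabet, 8 characters."""
from dataclasses import dataclass, field

GUESS_INTERVAL = 1.0    # seconds an origin must wait between attempts
LOCK_AFTER = 1000       # consecutive failures that lock the origin
LOCK_SECONDS = 86400    # lockout length: one day


@dataclass
class OriginState:
    last_attempt: float = -1e9
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class Throttle:
    origins: dict = field(default_factory=dict)

    def check(self, origin: str, now: float) -> str:
        """Return 'allow', 'locked' or 'too_fast' for an attempt at time `now`.
        The account itself is never locked, only the guessing origin."""
        st = self.origins.setdefault(origin, OriginState())
        if now < st.locked_until:
            return "locked"
        if now - st.last_attempt < GUESS_INTERVAL:
            return "too_fast"          # rejected, and the clock is not reset
        st.last_attempt = now
        return "allow"

    def record(self, origin: str, success: bool, now: float) -> None:
        """Count failures in a row; a success clears the streak."""
        st = self.origins[origin]
        if success:
            st.failures = 0
            return
        st.failures += 1
        if st.failures >= LOCK_AFTER:
            st.failures = 0
            st.locked_until = now + LOCK_SECONDS


def years_to_exhaust(origins: int, alphabet: int = 62, length: int = 8) -> float:
    """Years for `origins` cooperating sources to try every password once.
    Each origin gets LOCK_AFTER guesses, then sits out LOCK_SECONDS."""
    cycle = LOCK_AFTER * GUESS_INTERVAL + LOCK_SECONDS
    guesses_per_second = origins * LOCK_AFTER / cycle
    return alphabet ** length / guesses_per_second / (365 * 86400)
```

With 100,000 origins the estimate lands just above 6000 years, matching the figure in the message; the remaining exposure is the distributed denial of service against one account that the message also notes.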

