[ARIN-consult] [arin-announce] Consultation on Password Security for ARIN Online Accounts
William Herrin
bill at herrin.us
Tue Feb 16 15:14:14 EST 2021
On Tue, Feb 16, 2021 at 11:44 AM Scott Leibrand <scottleibrand at gmail.com> wrote:
> I’m not sure if there is any good way to build a local DB of all compromised passwords: IIUIC, HIBP has a number of non-public databases they check as well as the more widely known ones. Based on that, I support checking against HIBP.
Hi Scott,
Public sources like
https://github.com/danielmiessler/SecLists/tree/master/Passwords are
generally good enough. The overlap between the delta vs. private
dictionaries and passwords actually in your database is likely to be
too small to yield a match given reasonable rate limiting on attempts.
Pre-apply common morphs (iI1!, aA@, etc.), remove passwords shorter
than the 8-char minimum length and add to a common hash-based database
like Berkeley DB and you end up with a file that's under a gigabyte in
size. Easily kept on your auth server and performantly consulted.
I've done this. I've gotten a DoD system accredited based on doing this.
Regards,
Bill Herrin
--
William Herrin
bill at herrin.us
https://bill.herrin.us/
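The procedure Bill describes (public wordlist, common morphs pre-applied, short entries dropped, hashes kept in a local hash-based store that the auth server consults) as a worked example. This is added illustration code, not something from the thread or from ARIN; it uses Python's standard dbm module in place of Berkeley DB, a constructed six-entry stand-in for a SecLists file, and constructed morph groups that extend the iI1! and aA@ pairs named in the post.

```python
"""Local compromised-password blocklist: build it from a public wordlist with
common morphs pre-applied, store the hashes in a dbm file, consult at login.
Added example; the wordlist and morph groups below are constructed."""
import dbm
import hashlib
import itertools
import os
import tempfile

MIN_LENGTH = 8  # the 8-character minimum mentioned in the thread

# Characters that common "leet" morphs interchange. Constructed, extending the
# iI1! and aA@ groups named in the post with a few equally common ones.
MORPH_GROUPS = ["iI1!", "aA@", "oO0", "eE3", "sS$5"]
# any spelling -> all spellings of the same character
_OPTIONS = {c: list(g) for g in MORPH_GROUPS for c in g}

# Constructed stand-in for a SecLists-style file (one password per line).
SAMPLE_WORDLIST = ["password", "letmein", "iloveyou", "Sunshine1", "123456", "qwerty"]


def pw_hash(password):
    """SHA-1 of the password; the blocklist stores hashes, never plaintext."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().encode("ascii")


def morph_variants(word, cap=2048):
    """Yield the word and every spelling reachable through MORPH_GROUPS.

    Variant counts grow multiplicatively with the number of morphable
    characters, so they are capped per word. The original spelling is always
    yielded first because each position's option list starts with the
    character actually present.
    """
    choices = [[c] + [x for x in _OPTIONS.get(c, []) if x != c] for c in word]
    for combo in itertools.islice(itertools.product(*choices), cap):
        yield "".join(combo)


def build_blocklist(words, path):
    """Write one key per eligible word/morph into a dbm file; return entry count."""
    with dbm.open(path, "c") as db:
        for raw in words:
            word = raw.strip()
            # Morphs never change length, so apply the length policy first
            # and skip the expansion entirely for short entries.
            if len(word) < MIN_LENGTH:
                continue
            for variant in morph_variants(word):
                db[pw_hash(variant)] = b"1"
        return len(db.keys())


def check_password(candidate, path):
    """Return None if acceptable, else 'too_short' or 'compromised'.

    The lookup is a single hashed-key probe, so it costs the same regardless
    of how large the blocklist file grows.
    """
    if len(candidate) < MIN_LENGTH:
        return "too_short"
    with dbm.open(path, "r") as db:
        return "compromised" if pw_hash(candidate) in db else None


def build_demo_blocklist():
    """Build the blocklist from SAMPLE_WORDLIST in a temp dir; return (path, count)."""
    path = os.path.join(tempfile.mkdtemp(), "blocklist")
    return path, build_blocklist(SAMPLE_WORDLIST, path)


if __name__ == "__main__":
    blocklist_path, count = build_demo_blocklist()
    print(f"{count} blocked hashes")
    for pw in ["p@ssw0rd", "letmein", "sunshine1", "Correct-Horse-Battery"]:
        print(pw, check_password(pw, blocklist_path))
```

Expanding morphs at build time rather than normalising at login keeps the login path to one exact-match probe, which is what makes the store cheap to consult; the per-word cap is the knob that keeps the expanded file within the size budget the post describes.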