[ARIN-consult] [arin-announce] Consultation on Password Security for ARIN Online Accounts

William Herrin bill at herrin.us
Tue Feb 16 15:14:14 EST 2021


On Tue, Feb 16, 2021 at 11:44 AM Scott Leibrand <scottleibrand at gmail.com> wrote:
> I’m not sure if there is any good way to build a local DB of all compromised passwords: IIUIC, HIBP has a number of non-public databases they check as well as the more widely known ones. Based on that, I support checking against HIBP.

Hi Scott,

Public sources like
https://github.com/danielmiessler/SecLists/tree/master/Passwords are
generally good enough. The overlap between the delta vs. private
dictionaries and passwords actually in your database is likely to be
too small to yield a match given reasonable rate limiting on attempts.

Pre-apply common morphs (iI1!, aA@, etc), remove passwords shorter
than the 8-char minimum length and add to a common hash-based database
like Berkeley DB and you end up with a file that's under a gigabyte in
size. Easily kept on your auth server and performantly consulted.

I've done this. I've gotten a DoD system accredited based on doing this.

Regards,
Bill Herrin



-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/
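The procedure Bill describes above (take a public wordlist, fold common character morphs, drop entries below the 8-character minimum, store the result in a hash-based database and consult it at authentication time), as an added example that is not part of the original post. Instead of Berkeley DB it uses Python's standard-library `dbm` module, which is the same key-value model and needs no extra install. Rather than expanding the wordlist with every morphed variant, it canonicalizes both the wordlist entries and the candidate password with the same mapping, which gives the same matches with a smaller file. The morph groups beyond the two named in the post (`eE3`, `oO0`, `sS$5`) and the six-entry wordlist are constructed for the demonstration; a real deployment would feed it the SecLists files linked above.

```python
import dbm
import os
import tempfile

MIN_LENGTH = 8  # the site's minimum password length, from the post

# Character groups that attackers and users treat as interchangeable.
# "iI1!" and "aA@" are the post's examples; the others are assumed additions.
# Every member of a group collapses to the group's first letter, lowercased.
MORPH_GROUPS = ["iI1!", "aA@", "eE3", "oO0", "sS$5"]

_CANON = {}
for _group in MORPH_GROUPS:
    _base = _group[0].lower()
    for _ch in _group:
        _CANON[_ch] = _base


def canonicalize(password: str) -> str:
    """Fold case and common substitutions so 'P@ssw0rd' and 'password'
    produce the same lookup key. Applied identically to wordlist and candidate."""
    return "".join(_CANON.get(ch, ch.lower()) for ch in password)


def build_blocklist(wordlist_lines, db_path):
    """Filter a leaked-password wordlist and write canonical forms into a dbm file.
    Returns the number of distinct keys stored."""
    stored = 0
    with dbm.open(db_path, "n") as db:  # "n": always create a fresh database
        for line in wordlist_lines:
            pw = line.rstrip("\r\n")
            if len(pw) < MIN_LENGTH:
                continue  # shorter entries can never pass the length policy anyway
            key = canonicalize(pw).encode("utf-8")
            if key not in db:
                db[key] = b"1"
                stored += 1
    return stored


def is_compromised(password: str, db_path) -> bool:
    """Constant-cost check performed at login or password-change time."""
    with dbm.open(db_path, "r") as db:
        return canonicalize(password).encode("utf-8") in db


# Constructed stand-in for a SecLists file; real input is millions of lines.
SAMPLE_WORDLIST = [
    "password",
    "letmein",        # 7 chars: dropped by the length filter
    "Summer2020",
    "P@ssw0rd",       # same canonical key as "password": deduplicated
    "qwerty123",
    "iloveyou",
]

CANDIDATES = [
    "P@SSWORD",                       # morph of a listed password
    "Summer2020",                     # exact listed password
    "QWERTY123",                      # case variant of a listed password
    "letmein",                        # below minimum length, not in the blocklist
    "correct horse battery staple",   # not in the blocklist
]


def demo():
    """Build the blocklist in a temporary directory and check each candidate.
    Returns (number of keys stored, {candidate: compromised?})."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "blocklist")
        stored = build_blocklist(SAMPLE_WORDLIST, path)
        results = {c: is_compromised(c, path) for c in CANDIDATES}
    return stored, results


if __name__ == "__main__":
    count, verdicts = demo()
    print(f"{count} canonical entries stored")
    for candidate, hit in verdicts.items():
        print(f"{'REJECT' if hit else 'ok    '} {candidate}")
```

Canonicalizing both sides means the stored file holds one key per equivalence class, so folding more morph groups shrinks the database rather than growing it; the trade-off is a few extra false positives (for example, `summer2o2o` would be rejected along with `Summer2020`), which for a blocklist is the safe direction. The length filter is applied to the raw entry before canonicalization, as the post suggests, since morphs do not change length.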

