[ARIN-consult] Consultation on Password Security for ARIN Online Accounts

Rob Seastrom rs at seastrom.com
Tue Feb 16 17:59:15 EST 2021



> On Feb 16, 2021, at 1:41 PM, William Herrin <bill at herrin.us> wrote:
> 
> On Tue, Feb 16, 2021 at 10:03 AM Rob Seastrom <rs at seastrom.com> wrote:
>> None of this will address system load associated with dictionary-based password guessing attacks; in fact, applying the more relaxed locking guidelines of 800-63 might make it worse.
> 
> Hi Rob,
> 
> It has been a while since I read it but IIRC you don't lock accounts
> in 800-63. Instead, you rate-limit attempts.

You do both.

800-63b 5.2.2 Rate Limiting (Throttling) says:
Unless otherwise specified in the description of a given authenticator, the verifier SHALL limit consecutive failed authentication attempts on a single account to no more than 100.

And yes, there's an ACSP suggestion on this:

https://www.arin.net/participate/community/acsp/suggestions/2020/2020-16/

-r
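The two mechanisms the thread discusses, a per-account throttle on failed attempts and a hard stop at the 800-63B 5.2.2 ceiling of 100 consecutive failures, as an added illustration that is not ARIN Online code and not from anyone in this thread. It assumes an in-memory state table, a clock injected for testing, an exponential backoff schedule chosen here for illustration (800-63B lists backoff as one acceptable throttle; the exact schedule is an assumption), and a constructed PBKDF2 credential for a sample account. The throttle and lock checks run before the password hash is computed, which is what keeps a dictionary-guessing run from turning into verifier CPU load.

```python
"""Per-account failed-attempt throttle plus 800-63B consecutive-failure cap.

Added example, not ARIN's code. Assumptions: in-memory state, injected clock,
illustrative exponential backoff, constructed sample credential.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_CONSECUTIVE_FAILURES = 100   # ceiling stated in NIST SP 800-63B 5.2.2
BASE_DELAY_SECONDS = 1.0         # assumed backoff base (not from the standard)
MAX_DELAY_SECONDS = 3600.0       # assumed backoff ceiling (not from the standard)
PBKDF2_ITERATIONS = 10_000       # kept low so the example runs quickly


@dataclass
class AccountState:
    consecutive_failures: int = 0
    not_before: float = 0.0      # earliest clock value at which another attempt is accepted


class FakeClock:
    """Constructed test clock so backoff and lockout can be exercised offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class Verifier:
    def __init__(self, credentials: dict, clock=time.monotonic) -> None:
        # credentials: account -> (salt, pbkdf2 digest); constructed for the example
        self._creds = credentials
        self._clock = clock
        self._state: dict[str, AccountState] = {}

    def _state_for(self, account: str) -> AccountState:
        return self._state.setdefault(account, AccountState())

    def check_allowed(self, account: str) -> tuple[bool, str]:
        """Cheap gate evaluated before any password hashing is done."""
        st = self._state_for(account)
        if st.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            return False, "locked"          # the 800-63B hard stop: no more attempts
        if self._clock() < st.not_before:
            return False, "throttled"       # backoff window still open
        return True, "ok"

    def authenticate(self, account: str, password: str) -> tuple[bool, str]:
        allowed, reason = self.check_allowed(account)
        if not allowed:
            return False, reason
        # Unknown accounts still pay the hashing cost so timing does not reveal existence.
        salt, expected = self._creds.get(account, (b"\x00" * 16, b"\x00" * 32))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        if account in self._creds and hmac.compare_digest(candidate, expected):
            st = self._state_for(account)
            st.consecutive_failures = 0     # success resets the consecutive counter
            st.not_before = 0.0
            return True, "ok"
        self._record_failure(account)
        return False, "bad_credentials"

    def _record_failure(self, account: str) -> None:
        st = self._state_for(account)
        st.consecutive_failures += 1
        delay = min(BASE_DELAY_SECONDS * 2 ** (st.consecutive_failures - 1), MAX_DELAY_SECONDS)
        st.not_before = self._clock() + delay


def build_demo_verifier(clock=time.monotonic) -> Verifier:
    """Constructed sample account 'alice' with a known password for demonstration."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", salt, PBKDF2_ITERATIONS)
    return Verifier({"alice": (salt, digest)}, clock=clock)


if __name__ == "__main__":
    clock = FakeClock()
    v = build_demo_verifier(clock)
    print(v.authenticate("alice", "wrong"))      # (False, 'bad_credentials')
    print(v.authenticate("alice", "wrong"))      # (False, 'throttled')
```

A real deployment would keep the state table in shared storage so every front end sees the same counter, and would pair the per-account counter with per-source-address limits, since a guessing run spread across many accounts never trips a per-account cap.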



