[ARIN-consult] Consultation on Password Security for ARIN Online Accounts
Rob Seastrom
rs at seastrom.com
Tue Feb 16 17:59:15 EST 2021
> On Feb 16, 2021, at 1:41 PM, William Herrin <bill at herrin.us> wrote:
>
> On Tue, Feb 16, 2021 at 10:03 AM Rob Seastrom <rs at seastrom.com> wrote:
>> None of this will address system load associated with dictionary-based password guessing attacks; in fact, applying the more relaxed locking guidelines of 800-63 might make it worse.
>
> Hi Rob,
>
> It has been a while since I read it but IIRC you don't lock accounts
> in 800-63. Instead, you rate-limit attempts.
You do both.
800-63b 5.2.2 Rate Limiting (Throttling) says:
Unless otherwise specified in the description of a given authenticator, the verifier SHALL limit consecutive failed authentication attempts on a single account to no more than 100.
And yes, there's an ACSP suggestion on this:
https://www.arin.net/participate/community/acsp/suggestions/2020/2020-16/
-r
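To make the "you do both" point concrete, here is a small Python sketch added as an illustration (it is not from the thread or from any ARIN system) of a verifier that enforces the SP 800-63B 5.2.2 cap of 100 consecutive failures per account alongside a per-account throttle; the class names, the exponential backoff schedule and the sample credentials are all constructed for the example.

```python
import hmac
import time
from dataclasses import dataclass

MAX_CONSECUTIVE_FAILURES = 100  # SP 800-63B 5.2.2: no more than 100 per account


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked: bool = False
    next_allowed: float = 0.0  # earliest clock time another attempt is evaluated


class FakeClock:
    """Deterministic stand-in for time.monotonic so the example is reproducible."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class Verifier:
    """Toy verifier combining a hard lockout (consecutive-failure cap) with
    per-account throttling (exponential backoff, an assumed schedule)."""
    def __init__(self, passwords, clock=time.monotonic):
        self._passwords = passwords  # {username: password}; constructed sample data
        self._state = {}
        self._clock = clock

    def attempt(self, user, password):
        st = self._state.setdefault(user, AccountState())
        now = self._clock()
        if st.locked:
            return "locked"
        if now < st.next_allowed:
            return "throttled"  # rejected before the credential is even checked
        # compare against a dummy for unknown users so timing does not leak existence
        stored = self._passwords.get(user, "\0" * 32)
        if user in self._passwords and hmac.compare_digest(stored, password):
            st.consecutive_failures = 0  # a success resets the consecutive counter
            st.next_allowed = 0.0
            return "ok"
        st.consecutive_failures += 1
        if st.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            st.locked = True  # lockout: requires out-of-band recovery
            return "locked"
        # backoff: 1s after the first failure, doubling, capped at 5 minutes
        delay = min(2 ** (st.consecutive_failures - 1), 300)
        st.next_allowed = now + delay
        return "failed"
```

Note that throttled and locked requests are still accepted and parsed by the front end, which is exactly why neither control removes the request load from a dictionary attack; they only keep it away from the password hashing step.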