[ARIN-consult] Consultation on Password Security for ARIN Online Accounts

Owen DeLong owen at delong.com
Wed Feb 17 11:03:41 EST 2021


Wouldn’t a 2FA system built on OAuth2, allowing users to use Google Auth, YubiKey, or a variety of other one-time or cryptographically secure authentication methods, afford greater protection with less risk?

Owen


> On Feb 16, 2021, at 09:25, William Herrin <bill at herrin.us> wrote:
> 
> On Tue, Feb 16, 2021 at 8:11 AM ARIN <info at arin.net> wrote:
>> Since October 2020, the ARIN Online system has been subject to a series of dictionary-based password guessing attacks. Because of the protective measures currently in place, some customer accounts were locked during these attacks.  ARIN staff has been heavily engaged in mitigating these attacks, and we are seeking community feedback on potential steps ARIN can take to reduce the risk of future attacks and to help customers ensure they are using strong passwords. Password dictionary guessing attacks continue to be a problem in the industry, and this effort should help reduce the extent of previously exposed passwords for our ARIN Online user base.
>> 
>> Password Check Proposal
>> 
>> To help ARIN customers make sure they aren’t using a password that has been exposed and shared publicly online, when someone updates their password or creates a user account in ARIN Online, it is proposed that ARIN should check the database "haveibeenpwned (https://haveibeenpwned.com)" to see if they are trying to use a password that has been compromised. ARIN will not send the password, but rather we encrypt the password and send part of the encrypted password to the Have I been Pwned (HIBP) Service (https://haveibeenpwned.com/API/v3#PwnedPasswords) to see if it matches a compromised password.  Actual passwords are never sent or used in any query, nor is your user ID or email shared as part of this check.
> 
> 
> NIST Special Publication 800-63 revision 3 explains how to manage
> memorized secrets like passwords in a secure manner. This includes
> checking a database of known compromised passwords (not an external
> per-password service) and disallowing the use of passwords which
> appear in that database. I strongly recommend implementing it rather
> than trying to devise your own criteria. When 800-63 is properly
> implemented, external password-guessing attacks are effectively
> useless.
> 
> Regards,
> Bill Herrin
> 
> 
> -- 
> William Herrin
> bill at herrin.us
> https://bill.herrin.us/
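The range check the ARIN proposal describes, as an added example that is not ARIN's code: the Pwned Passwords range API works on the SHA-1 hash of the password (the proposal says "encrypt"), and only the first five hex characters of that hash leave the client; the remaining 35 are matched locally against the `SUFFIX:COUNT` lines the service returns. The response body below is constructed so the example runs offline; `fake_range_body` and `check_password` are assumed names, not part of any real client.

```python
import hashlib

PREFIX_LEN = 5  # the range API takes the first five hex characters of the SHA-1

def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the form the Pwned Passwords API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_for_range_query(password):
    """Return (prefix sent to the service, suffix that never leaves the client)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF, blanks and padding."""
    hits = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        hits[suffix.upper()] = int(count)
    return hits

def breach_count(password, range_body):
    """How often the password appears in known breaches (0 means not found)."""
    _, suffix = split_for_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)

def fake_range_body(prefix):
    """Constructed stand-in for the reply to GET /range/<prefix>: the suffixes of a
    few known-bad passwords (counts are made up) plus a count-0 padding-style entry."""
    known_bad = {"password": 3861493, "letmein": 142689}
    lines = []
    for pw, count in known_bad.items():
        p, s = split_for_range_query(pw)
        if p == prefix:          # the service only answers for the requested range
            lines.append(f"{s}:{count}")
    lines.append("0" * 35 + ":0")
    return "\r\n".join(lines) + "\r\n"

def check_password(password):
    """Offline end-to-end check: (compromised?, breach count). Only the
    five-character prefix would be transmitted in a real lookup."""
    prefix, _ = split_for_range_query(password)
    count = breach_count(password, fake_range_body(prefix))
    return count > 0, count
```

A hit on the suffix means the full SHA-1 matched, so the check rejects the exact password, not merely one that shares a prefix; a miss says nothing about whether the password is otherwise strong.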


