[ARIN-consult] Consultation on Password Security for ARIN Online Accounts

Michael Richardson mcr at sandelman.ca
Thu Feb 18 12:05:16 EST 2021


> Password Check Proposal

> To help ARIN customers make sure they aren’t using a password that has been
> exposed and shared publicly online, when someone updates their password or
> creates a user account in ARIN Online, it is proposed that ARIN should
> check the database "haveibeenpwned (https://haveibeenpwned.com)" to see if
> they are trying to use a password that has been compromised. ARIN will not
> send the password, but rather we encrypt the password and send part of the
> encrypted password to the Have I been Pwned (HIBP) Service
> (https://haveibeenpwned.com/API/v3#PwnedPasswords) to see if it matches a
> compromised password.  Actual passwords are never sent or used in any
> query, nor is your user ID or email shared as part of this check.

I don't really understand this "encrypt" the password.
I think that this means to hash it, and then send the hash.
I think that we can all understand that.  Encrypt implies that it can be decrypted.

> 3.	Issue warning message that requires the customer to select and set a
> different password immediately.

This seems like the best situation, but there are issues when this is a
password shared among a few operators.  In particular, what we don't want is
for one person to be forced to change the password under duress of getting
their work done, and then picking another password which they then email to
their colleagues.

I personally miss the days of sending PGP signed emails to update objects.
It seems that the entire movement to the web interface has resulted in less
security rather than more.  Of course, very few actually used PGP.

The alternative today should be TLS Client side certificates.
There are many operational complexities in maintaining them, but given that
we have web properties with varieties of:
  1) 2FA
  2) ACL for this IP address only
  3) password complexity rules such that I need to use the same browser

that really, Client side certificates seem almost trivial now.
Can we have this option please?

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
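The mechanism the proposal describes (and the reply paraphrases as "hash it, then send the hash") is the Pwned Passwords k-anonymity range query: the client SHA-1 hashes the candidate password, sends only the first five hex characters of the digest, receives every known-breached suffix sharing that prefix, and completes the comparison locally. The following Python is an added example written for this page, not ARIN's or HIBP's code; the range response is a constructed stand-in for what `GET https://api.pwnedpasswords.com/range/<prefix>` returns (counts are invented), so it runs offline.

```python
import hashlib

# Constructed stand-in for the HIBP range response for prefix "5BAA6".
# The real service returns hundreds of "SUFFIX:COUNT" lines per prefix;
# these three lines and their counts are made up for the example.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1E4D3E5C1F9F1E0D5A8B2C3D4E5F6071829:1",
    ]),
}


def hash_and_split(password):
    """SHA-1 the password and split the upper-hex digest into the 5-char
    prefix that leaves the client and the 35-char suffix that never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into a dict keyed by suffix."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Hypothetical transport: stands in for an HTTPS GET of
    https://api.pwnedpasswords.com/range/<prefix>. Only the prefix is sent."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def pwned_count(password, fetch=fetch_range):
    """Return how many times the password appears in the breach corpus
    (0 if absent). The suffix comparison happens here, on the client."""
    prefix, suffix = hash_and_split(password)
    counts = parse_range_response(fetch(prefix))
    return counts.get(suffix, 0)


def password_allowed(password, fetch=fetch_range):
    """Policy hook for the proposal's step 3: reject any password that has
    appeared in a breach, so the user must pick a different one."""
    return pwned_count(password, fetch) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple example 2021"):
        prefix, _ = hash_and_split(candidate)
        print(prefix, pwned_count(candidate), password_allowed(candidate))
```

The only value that crosses the wire is `prefix`; every breached password whose SHA-1 starts with those five characters comes back in the same response, which is what keeps the queried password hidden among the others. When wiring this to the live service, send the `Add-Padding: true` request header so response sizes do not reveal which prefix was queried, and treat a transport failure as "unknown" rather than "safe" in the policy decision.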
