[ARIN-consult] Consultation on Password Security for ARIN Online Accounts
Michael Richardson
mcr at sandelman.ca
Thu Feb 18 14:18:06 EST 2021
William Herrin <bill at herrin.us> wrote:
>>> 3. Issue warning message that requires the customer to select and set a
>>> different password immediately.
>>
>> This seems like the best situation, but there are issues when this is
>> a password shared among a few operators. In particular, what we don't
>> want is for one person to be forced to change the password under
>> duress of getting their work done, and then picking another password
>> which they then email to their colleagues.
> Hi Michael,
> That's frankly an issue with the operator. Group authentication
> (password sharing) is forbidden by essentially every security standard
> in existence. Each individual is supposed to have their own account
> (authentication) which is then granted shared access (group access) to
> the organization's ARIN resources.
Right, so then certificates should not be a problem, and this shouldn't be an
excuse, should it?
>> The alternative today should be TLS client-side certificates. There
>> are many operational complexities in maintaining them, but given
>> that we have web properties that have varieties of: 1) 2FA
> Client certificates are a form of 2FA. They're a "what you have"
> factor, same as a TOTP token or an email confirmation.
Yes, so why support static passwords at all?
Why not just the token, or the TLS client-side certificate at ~2^128
for 2048-bit RSA?