[ARIN-consult] Consultation on Password Security for ARIN Online Accounts

Michael Richardson mcr at sandelman.ca
Thu Feb 18 14:18:06 EST 2021


William Herrin <bill at herrin.us> wrote:
    >> > 3.  Issue warning message that requires the customer to select and
    >> > set a different password immediately.
    >>
    >> This seems like the best situation, but there are issues when this is
    >> a password shared among a few operators.  In particular, what we don't
    >> want is for one person to be forced to change the password under
    >> duress of getting their work done, and then picking another password
    >> which they then email to their colleagues.

    > Hi Michael,

    > That's frankly an issue with the operator. Group authentication
    > (password sharing) is forbidden by essentially every security standard
    > in existence. Each individual is supposed to have their own account
    > (authentication) which is then granted shared access (group access) to
    > the organization's ARIN resources.

Right, so then certificates should not be a problem, and this shouldn't be an
excuse, should it?

    >> The alternative today should be TLS Client side certificates.  There
    >> are many operational complexities in maintaining them, but given
    >> that we have web properties that have varieties of: 1) 2FA

    > Client certificates are a form of 2FA. They're a "what you have"
    > factor, same as a totp token or an email confirmation.

Yes, so why support static passwords at all?
Why not just the token, or the TLS Client side certificate at ~2^128
for 2048-bit RSA?
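The client-certificate alternative discussed in this thread, as an added example that is not part of the post and not ARIN's code: a Go program that stands up a toy CA in memory, issues one server certificate and one certificate for a single operator, and runs a TLS 1.3 handshake over an in-memory pipe with the server configured to require and verify a client certificate. The hostname `arin-online.example`, the operator name and the CA name are constructed placeholders. The server's verdict depends only on whether the peer proves possession of a private key whose certificate chains to the CA; no password is consulted, and a connection that presents no certificate is refused before any application data flows.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

const serverName = "arin-online.example" // constructed placeholder, not a real ARIN host
// PKI is an in-memory trust pool plus one server leaf and one per-operator leaf.
type PKI struct {
	Pool           *x509.CertPool
	Server, Client tls.Certificate
}

// must panics on error: a failure here means randomness or DER encoding broke.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func template(cn string, serial int64, eku ...x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  eku,
	}
}
// newCert makes a P-256 key and signs tmpl for it with signer (self-signed when parent is nil).
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, tls.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// BuildPKI creates a self-signed CA and issues the server leaf plus one leaf for a single
// (constructed) operator identity: one certificate per person, never one shared by a team.
func BuildPKI() *PKI {
	caTmpl := template("Example Operator CA", 1)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign
	ca, caKey, _ := newCert(caTmpl, nil, nil)
	srvTmpl := template(serverName, 2, x509.ExtKeyUsageServerAuth)
	srvTmpl.DNSNames = []string{serverName}
	_, _, server := newCert(srvTmpl, ca, caKey)
	_, _, client := newCert(template("operator@example.net", 3, x509.ExtKeyUsageClientAuth), ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &PKI{Pool: pool, Server: server, Client: client}
}

// Handshake runs one TLS 1.3 handshake over an in-memory pipe and returns the server's
// verdict: nil when the operator's certificate chains to the CA, an error otherwise.
func Handshake(p *PKI, presentClientCert bool) error {
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{p.Server},
		ClientAuth:             tls.RequireAndVerifyClientCert, // the "what you have" check
		ClientCAs:              p.Pool,
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true, // no post-handshake writes on the synchronous pipe
	}
	cliCfg := &tls.Config{RootCAs: p.Pool, ServerName: serverName}
	if presentClientCert {
		cliCfg.Certificates = []tls.Certificate{p.Client}
	}
	srvConn, cliConn := net.Pipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		c := tls.Client(cliConn, cliCfg)
		io.Copy(io.Discard, c) // Read drives the client handshake, then drains the server's alert or close_notify
		c.Close()
	}()
	s := tls.Server(srvConn, srvCfg)
	err := s.Handshake()
	s.Close()
	<-done
	return err
}

func main() {
	p := BuildPKI()
	fmt.Println("with operator certificate:   ", Handshake(p, true))
	fmt.Println("without operator certificate:", Handshake(p, false))
}
```

With the operator's certificate presented the handshake returns nil; without it the server refuses the connection. The per-operator leaf is the point made above about group authentication: each person holds their own key, so when one operator's credential changes nothing has to be passed around to colleagues.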

