[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Peter Beckman beckman at angryox.com
Thu May 26 00:25:23 EDT 2022


On Wed, 25 May 2022, Owen DeLong via ARIN-consult wrote:

> A good point… Obtaining and comparing against compromised password lists
> is fairly trivial and provides computational low hanging fruit here.
>
>> On May 25, 2022, at 10:15, Gary Buhrmaster <gary.buhrmaster at gmail.com> wrote:
>> 
>> On Wed, May 25, 2022 at 3:41 PM Ross Tajvar <ross at tajvar.io> wrote:
>> 
>>> .... And even then, a sufficiently long passphrase using dictionary words is pretty secure (vs a short one)
>> 
>> As long as the passphrase is not "correcthorsebatterystaple"
>> which is now in lists of well known compromised passwords.
>> 
>> (obligatory xkcd ref: https://xkcd.com/936/ )


  Yet fails to address the future.

  Say you change your password today, and it does not match any currently
  disclosed passwords.

  And tomorrow there's a huge breach and disclosure, and your email and
  password is in there, and you use the same creds for ARIN (or anywhere).

  If the password is properly one-way encrypted, ARIN cannot detect that
  your password is now public (easily), and now your password is known
  to the public, and now your account, and therefore ARIN-managed assets,
  are at risk, UNLESS you have 2FA on your account.

  2FA eliminates the risk of static data disclosure becoming a security
  liability.

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman at angryox.com                                https://www.angryox.com/
---------------------------------------------------------------------------


More information about the ARIN-consult mailing list