[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts
Peter Beckman
beckman at angryox.com
Thu May 26 00:25:23 EDT 2022
On Wed, 25 May 2022, Owen DeLong via ARIN-consult wrote:
> A good point… Obtaining and comparing against compromised password lists
> is fairly trivial and provides computational low hanging fruit here.
>
>> On May 25, 2022, at 10:15, Gary Buhrmaster <gary.buhrmaster at gmail.com> wrote:
>>
>> On Wed, May 25, 2022 at 3:41 PM Ross Tajvar <ross at tajvar.io> wrote:
>>
>>> .... And even then, a sufficiently long passphrase using dictionary words is pretty secure (vs a short one)
>>
>> As long as the passphrase is not "correcthorsebatterystaple"
>> which is now in lists of well known compromised passwords.
>>
>> (obligatory xkcd ref: https://xkcd.com/936/ )
Yet that fails to address the future.
Say you change your password today, and it does not match any currently
disclosed passwords.
And tomorrow there's a huge breach and disclosure, and your email and
password are in there, and you use the same creds for ARIN (or anywhere).
If the password is properly one-way encrypted, ARIN cannot detect that
your password is now public (easily), and now your password is known
to the public, and now your account, and therefore ARIN-managed assets,
are at risk, UNLESS you have 2FA on your account.
2FA eliminates the risk of static data disclosure becoming a security
liability.
Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy
beckman at angryox.com https://www.angryox.com/
---------------------------------------------------------------------------
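The two mechanisms debated in this thread, checking a candidate password against a known-compromised list at the moment it is set, and the difficulty of detecting reuse of a password that only leaks later once it has been stored as a proper one-way hash, as an added illustration that is not code from the thread, from ARIN, or from any of the posters. The compromised-password corpus, the usernames and the passwords below are all constructed for the example; the range-index layout mimics the k-anonymity prefix lookup used by breached-password services but talks to no network.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a breached-password corpus (not real breach data).
KNOWN_COMPROMISED = {
    "correcthorsebatterystaple",
    "password123",
    "letmein",
}

# PBKDF2 work factor; kept modest so the example runs quickly (assumed value).
ITERATIONS = 100_000


def build_range_index(plaintexts):
    """Index the corpus by SHA-1: the first 5 hex chars select a bucket and the
    remaining 35 are compared locally, the same split a k-anonymity range
    lookup uses so the full hash never has to leave the checking host."""
    index = {}
    for pw in plaintexts:
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


RANGE_INDEX = build_range_index(KNOWN_COMPROMISED)


def is_compromised(password, index=RANGE_INDEX):
    """Point-in-time check at password-set time: is the candidate already in
    the corpus? This is the 'low hanging fruit' check, and it says nothing
    about leaks that happen after the password is accepted."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


def make_record(password, iterations=ITERATIONS):
    """Proper one-way storage: per-user random salt plus a slow KDF.
    Nothing stored here can be matched against a plaintext without
    re-running the KDF under this user's salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify(record, password):
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(dk, record["hash"])


def users_affected_by_new_leak(records, leaked_plaintexts):
    """After a later breach elsewhere, the only way for the operator to learn
    which accounts reuse a newly leaked password is to re-derive every leaked
    candidate under every user's salt. That is users x leaked slow hashes,
    which is why salted storage makes this detection possible but not easy,
    and why a second factor is the control that does not depend on it."""
    affected = []
    for username, rec in records.items():
        if any(verify(rec, pw) for pw in leaked_plaintexts):
            affected.append(username)
    return affected


if __name__ == "__main__":
    # Constructed accounts: 'alice' picked a unique passphrase, 'bob' reused one.
    records = {
        "alice": make_record("grapefruit-lantern-orbit-velvet"),
        "bob": make_record("letmein"),
    }
    print("set-time check:", is_compromised("correcthorsebatterystaple"))
    print("affected by later leak:",
          users_affected_by_new_leak(records, ["letmein", "qwerty"]))
```

The set-time check costs one fast hash and a bucket lookup per attempt; the after-the-fact sweep costs one slow KDF evaluation per (user, leaked password) pair, which is the asymmetry the post is pointing at when it says ARIN cannot detect the exposure "easily".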