[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts
owen at delong.com
Thu May 26 00:48:29 EDT 2022
> On May 25, 2022, at 21:25, Peter Beckman <beckman at angryox.com> wrote:
> On Wed, 25 May 2022, Owen DeLong via ARIN-consult wrote:
>> A good point… Obtaining and comparing against compromised password lists
>> is fairly trivial and provides computational low hanging fruit here.
>>> On May 25, 2022, at 10:15, Gary Buhrmaster <gary.buhrmaster at gmail.com> wrote:
>>> On Wed, May 25, 2022 at 3:41 PM Ross Tajvar <ross at tajvar.io> wrote:
>>>> .... And even then, a sufficiently long passphrase using dictionary words is pretty secure (vs a short one)
>>> As long as the passphrase is not "correcthorsebatterystaple"
>>> which is now in lists of well known compromised passwords.
>>> (obligatory xkcd ref: https://xkcd.com/936/ )
> Yet fails to address the future.
> Say you change your password today, and it does not match any currently
> disclosed passwords.
> And tomorrow there's a huge breach and disclosure, and your email and
> password is in there, and you use the same creds for ARIN (or anywhere).
> If the password is properly one-way encrypted, ARIN cannot detect that
> your password is now public (easily), and now your password is known
> to the public, and now your account, and therefore ARIN-managed assets,
> are at risk, UNLESS you have 2FA on your account.
Well… ARIN can’t detect that until your next (successful) login, anyway.
Remember, you present the plain text password to ARIN every time you
Authenticate... It is then one-way encrypted with the same seed and algorithm
As the stored one-way encrypted password and compared to the encrypted
> 2FA eliminates the risk of static data disclosure becoming a security
Until the particular seed/algo/etc. for the 2FA is compromised (such as a
Stolen hardware token, or the time when a batch of SecurID tokens were
Less frequent than password compromises? Sure. Sufficiently less frequent to be worth the inconvenience for securing something that isn’t a particularly attractive target? Not so sure.
More information about the ARIN-consult