<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Feb 16, 2021, at 12:24 PM, William Herrin <<a href="mailto:bill@herrin.us" class="">bill@herrin.us</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class=""><span class="Apple-converted-space"> </span>I strongly recommend implementing it rather</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">than trying to devise your own criteria. When 800-63 is properly</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">implemented, external password-guessing attacks are effectively</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">useless.</span></div></blockquote></div><br class=""><div class=""><br class=""></div><div class="">That has been in the suggestion box for over two years as "ACSP Suggestion 2018.22: Align ARIN password policy with current NIST SP800-63 recommendations". It's all in there in 800-63, account locking guidelines, password length and composition... I concur with Bill's suggestion that we not try to roll our own here.</div><div class=""><br class=""></div><div class="">Not opposed to querying with partial hashes (not "encrypted passwords") against haveibeenpwned, but if we demand passwords of at least 20 characters in length (not the bare minimum of 8 as specified in 800-63B 5.1.1.2) with no further requirements for special characters or rotation, I suspect in practice we will never see a match.</div><div class=""><br class=""></div><div class="">Note that either forcing longer passwords or the solution proffered in the original consultation can only be applied at password change time; neither can be applied retroactively to all passwords presently in the password store. Any deployment of a new policy should be accompanied by a forced password change for users so that the test can be made. To avoid annoying our constituency with multiple forced password changes, I'd rather not see this done iteratively - that is to say, we should figure out the plan and execute it once.</div><div class=""><br class=""></div><div class="">Allowing passwords that have been changed to a password of sufficient length to be subject to more relaxed account locking rules, or even none at all if MFA is enabled... could reduce staff costs associated with locked account recovery.</div><div class=""><br class=""></div><div class="">None of this will address system load associated with dictionary-based password guessing attacks; in fact, applying the more relaxed locking guidelines of 800-63 might make it worse.</div><div class=""><br class=""></div><div class="">-r</div><div class=""><br class=""></div><div class=""><br class=""></div></body></html>