<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
I support option 3. <br>
</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
Troy Hunt did a great job creating a reliable public service available as a RESTful API to easily call.</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
However, I recommend ARIN considers the scenario of what occurs if HIBP is not responding. I would not recommend a reply to this email, because the details in the response could disclose an attack avenue.</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
A failover path could exist with Troy's downloadable password list - haveibeenpwned [dot] com/Passwords<br>
It would require coding to parse the file and return the result back to the auth process, so additional overhead :-( </div>
<div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Thank you,</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<div>
<div></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<p style="margin:0in; font-size:12pt; font-family:"Times New Roman",serif; text-autospace:none">
<img class="EmojiInsert" style="font-family:"Times New Roman",serif; font-size:12pt; max-width:100%" data-outlook-trace="F:1|T:1" src="cid:5184eb3a-bd2a-4cf6-b5f9-2eeac8be9b72"><br>
</p>
<p style="margin:0in; font-size:12pt; font-family:"Times New Roman",serif; text-autospace:none">
<br>
</p>
<p style="margin:0in; font-size:12pt; font-family:"Times New Roman",serif; text-autospace:none">
<b><span style="font-family: Arial, sans-serif; color: rgb(0, 96, 160);">Joey White</span></b></p>
<p style="margin:0in; font-size:12pt; font-family:"Times New Roman",serif; text-autospace:none">
<b><span style="font-size: 10pt; font-family: Arial, sans-serif; color: black;">Security Architect</span></b></p>
<p style="margin:0in; font-size:12pt; font-family:"Times New Roman",serif; text-autospace:none">
<br>
</p>
<p style="margin:0in; font-size:12pt; font-family:"Times New Roman",serif; text-autospace:none">
<span style="font-size: 10pt; font-family: Arial, sans-serif; color: gray;">Blue Cross and Blue Shield of Kansas</span></p>
<p style="margin:0in; font-size:12pt; font-family:"Times New Roman",serif; text-autospace:none">
<span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(82, 145, 239);">p:</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: gray;"> 785-291-6471 |
</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(82, 145, 239);">w:</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: gray;"> bcbsks.com</span></p>
</div>
</div>
</div>
</div>
<div>
<div id="appendonsend"></div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size: 11pt;"><b>From:</b> ARIN-consult <arin-consult-bounces@arin.net> on behalf of ARIN <info@arin.net><br>
<b>Sent:</b> Tuesday, February 16, 2021 10:11 AM<br>
<b>To:</b> arin-consult@arin.net <arin-consult@arin.net><br>
<b>Subject:</b> [ARIN-consult] Consultation on Password Security for ARIN Online Accounts</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt">
<div class="PlainText">Since October 2020, the ARIN Online system has been subject to a series of dictionary-based password guessing attacks. Because of the protective measures currently in place, some customer accounts were locked during these attacks. ARIN
staff has been heavily engaged in mitigating these attacks, and we are seeking community feedback on potential steps ARIN can take to reduce the risk of future attacks and to help customers ensure they are using strong passwords. Password dictionary guessing
attacks continue to be a problem in the industry, and this effort should help reduce the extent of previously exposed passwords for our ARIN Online user base.<br>
<br>
Password Check Proposal<br>
<br>
To help ARIN customers make sure they aren’t using a password that has been exposed and shared publicly online, when someone updates their password or creates a user account in ARIN Online, it is proposed that ARIN should check the database "haveibeenpwned
(<a href=""></a>https://urldefense.proofpoint.com/v2/url?u=https-3A__haveibeenpwned.com&d=DwIGaQ&c=2xyLtJK-6wL-B01m9dqMd9CDbkL-hoZ5ifChpoVJRBA&r=RY5ZOoNF6CKUE-zbyE5VeisOFsxu2hSC5wQeuEurgH8&m=PU2-W-p9904eTkfY3ACK5_ghxyOjFaNw8mbBw2gV5ag&s=go6yhOEK4Eq6c6QNbL5HOl7CGYqHaCvL_QnHqB1U2W0&e=
)" to see if they are trying to use a password that has been compromised. ARIN will not send the password, but rather we encrypt the password and send part of the encrypted password to the Have I been Pwned (HIBP) Service (<a href=""></a>https://urldefense.proofpoint.com/v2/url?u=https-3A__haveibeenpwned.com_API_v3-23PwnedPasswords&d=DwIGaQ&c=2xyLtJK-6wL-B01m9dqMd9CDbkL-hoZ5ifChpoVJRBA&r=RY5ZOoNF6CKUE-zbyE5VeisOFsxu2hSC5wQeuEurgH8&m=PU2-W-p9904eTkfY3ACK5_ghxyOjFaNw8mbBw2gV5ag&s=dRts4JOWywHFUg2cbHvdUQYniNfopXH1NHinbg1Y7vQ&e=
) to see if it matches a compromised password. Actual passwords are never sent or used in any query, nor is your user ID or email shared as part of this check.<br>
<br>
How would it work?<br>
<br>
1. A user enters a password during Account Setup, Password Change, Password Reset or User Login in ARIN Online.
<br>
2. ARIN encrypts the password and sends part of the encrypted password to the Have I been Pwned (HIBP) Service (<a href=""></a>https://urldefense.proofpoint.com/v2/url?u=https-3A__haveibeenpwned.com_API_v3-23PwnedPasswords&d=DwIGaQ&c=2xyLtJK-6wL-B01m9dqMd9CDbkL-hoZ5ifChpoVJRBA&r=RY5ZOoNF6CKUE-zbyE5VeisOFsxu2hSC5wQeuEurgH8&m=PU2-W-p9904eTkfY3ACK5_ghxyOjFaNw8mbBw2gV5ag&s=dRts4JOWywHFUg2cbHvdUQYniNfopXH1NHinbg1Y7vQ&e=
) and returns all possible matches in their database. (Your actual password is never sent or used in any query.)
<br>
3. We compare the full encrypted password to the results sent by HIBP to see if there is a match.<br>
4. If there is a match we will notify the customer.<br>
<br>
Optional Outcomes<br>
<br>
We are interested in the community’s thoughts on the possible outcomes when we identify a password that has been exposed in a data breach according to the HIBP service. There are three options:<br>
<br>
1. Issue a caution message but allow the password.<br>
2. Issue a warning message and notify the customer that they need to change their password within a defined time period, but not at the current point of login.<br>
3. Issue warning message that requires the customer to select and set a different password immediately.<br>
<br>
The feedback you provide during this consultation will help inform how we move forward to increase security of ARIN Online for all customers. Thank you for your participation in the ARIN Consultation and Suggestion Process.
<br>
<br>
Please provide comments to arin-consult@arin.net. You can subscribe to this mailing list at:<br>
<br>
<a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.arin.net_mailman_listinfo_arin-2Dconsult&d=DwIGaQ&c=2xyLtJK-6wL-B01m9dqMd9CDbkL-hoZ5ifChpoVJRBA&r=RY5ZOoNF6CKUE-zbyE5VeisOFsxu2hSC5wQeuEurgH8&m=PU2-W-p9904eTkfY3ACK5_ghxyOjFaNw8mbBw2gV5ag&s=b8QQ_dNrVsqb7_Grw4eHzqIVBNuFjmHagOR7cO2haE4&e=">https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.arin.net_mailman_listinfo_arin-2Dconsult&d=DwIGaQ&c=2xyLtJK-6wL-B01m9dqMd9CDbkL-hoZ5ifChpoVJRBA&r=RY5ZOoNF6CKUE-zbyE5VeisOFsxu2hSC5wQeuEurgH8&m=PU2-W-p9904eTkfY3ACK5_ghxyOjFaNw8mbBw2gV5ag&s=b8QQ_dNrVsqb7_Grw4eHzqIVBNuFjmHagOR7cO2haE4&e=</a>
<br>
<br>
This consultation will remain open through 5:00 PM ET on 16 March 2021. <br>
<br>
Regards,<br>
<br>
John Curran <br>
President and CEO <br>
American Registry for Internet Numbers (ARIN)<br>
</div>
</span></font></div>
</div>
<DIV>
_______________________________________________<BR>
CONFIDENTIALITY NOTICE: This email message and any attachments are for the sole use of the intended recipient(s) and may contain proprietary, confidential, trade secret or privileged information. Any unauthorized review use, disclosure or distribution is prohibited and may be a violation of law. If you are not the intended recipient or a person responsible for delivering this message to an intended recipient, please contact the sender by reply email and destroy all copies of the original message.<BR>
</DIV></body>
</html>