<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On May 25, 2022, at 08:41, Ross Tajvar <<a href="mailto:ross@tajvar.io" class="">ross@tajvar.io</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I remain unconvinced that inflicting 2FA on me solves a real problem that actually exists.</blockquote><div class="">I'm not sure why you (and others) seem to think 2FA is so incredibly inconvenient. In my experience, it only takes a few extra seconds, or a few extra clicks/taps depending on how it's set up. The added overhead really is very small.<br class=""></div></div></div></blockquote><div><br class=""></div>The added overhead is small if you are in an office with your cell phone handy.</div><div><br class=""></div><div>It’s less convenient if your cell phone isn’t handy (for a variety of reasons), and you’re trying to do something quickly without having to retrieve said phone.</div><div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class=""><br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Perhaps requiring better (non-dictionary) passwords on accounts that don’t have 2FA would be a solution more targeted at the actual problem.</blockquote><div class=""> How would ARIN judge the complexity of a password? As far as I'm aware, checking if it uses dictionary words is non-trivial. 
And even then, a sufficiently long passphrase using dictionary words is pretty secure (vs a short one) - I don't think it makes sense to penalize users for that.</div></div></div></blockquote><div><br class=""></div><div>Yes, sufficient length if just words (alpha only), or sufficient entropy if not long. </div></div><div><br class=""></div><div>Checking for dictionary words isn’t completely trivial, but it’s not particularly computationally difficult, either.</div><div><br class=""></div><div>Plenty of sites manage to do this.</div><div><br class=""></div><div>Owen</div><div><br class=""></div><div><br class=""><blockquote type="cite" class=""><div class=""><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, May 25, 2022 at 11:35 AM Owen DeLong via ARIN-consult <<a href="mailto:arin-consult@arin.net" class="">arin-consult@arin.net</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;" class=""><br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On May 25, 2022, at 08:13 , Matt Harris <<a href="mailto:matt@netfire.net" target="_blank" class="">matt@netfire.net</a>> wrote:</div><br class=""><div class=""><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" style="direction:ltr" class=""></div>On Wed, May 25, 2022 at 2:13 AM Owen DeLong via ARIN-consult <<a href="mailto:arin-consult@arin.net" target="_blank" class="">arin-consult@arin.net</a>> wrote:<br class=""></div><div class="gmail_quote"><blockquote 
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I’m not in favor of requiring 2FA. I agree that SMS 2FA is pretty awful, but all forms of 2FA come with a variety of inconveniences.<br class="">
<br class="">
With an account that goes back to the beginnings of ARIN online, I’ve never had a security problem with my ARIN online account, so I think that 2FA is a solution looking for a problem here.<br class="">
<br class="">
I know that’s not a popular view among the more security conscious, but the reality is that security should be commensurate with what is being protected. Let users who think their account warrants such additional measures opt in. Let those of us who feel that our passwords are adequate continue in that manner.<br class="">
<br class="">
Owen<br class=""></blockquote><div class=""><br class=""></div><div class="">Owen,</div><div class="">The problem is that compromised ARIN accounts can result in issues that don't just impact the owner of the account that held those resources. Compromised ARIN accounts with resources can potentially adversely impact us all in terms of upticks in spam and the resulting management burdens, at the very least, and potentially in other (perhaps even thus far unforeseen) ways as well. </div></div></div></div></div></div></blockquote><div class=""><br class=""></div>I disagree… If my ARIN account is compromised, I’m going to get notified of any changes made. (So far, that hasn’t happened). I know exactly where to go to get those changes reverted quickly.</div><div class=""><br class=""></div><div class="">My account is associated with resources, but I remain unconvinced that inflicting 2FA on me solves a real problem that actually exists.</div><div class=""><br class=""><blockquote type="cite" class=""><div class=""><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><div class="gmail_quote"><div class="">I do agree with your statement "security should be commensurate with what is being protected." Thus, I would consider that we perhaps continue to allow accounts without control of any resources to continue without requiring 2fa, only requiring it when resources are allocated. An ARIN account with control of nothing, or perhaps just contact records for SWIP'd space, etc, is not one that is a huge hazard to the community at large imho compared to one that controls ASNs or IPv4 and IPv6 resources. 
</div></div></div></div></div></div></blockquote><div class=""><br class=""></div>Perhaps requiring better (non-dictionary) passwords on accounts that don’t have 2FA would be a solution more targeted at the actual problem.</div><div class=""><br class=""></div><div class="">Owen</div><div class=""><br class=""></div></div>_______________________________________________<br class="">
ARIN-Consult<br class="">
You are receiving this message because you are subscribed to the ARIN Consult Mailing<br class="">
List (<a href="mailto:ARIN-consult@arin.net" target="_blank" class="">ARIN-consult@arin.net</a>).<br class="">
Unsubscribe or manage your mailing list subscription at:<br class="">
<a href="https://lists.arin.net/mailman/listinfo/arin-consult" rel="noreferrer" target="_blank" class="">https://lists.arin.net/mailman/listinfo/arin-consult</a> Please contact the ARIN Member Services<br class="">
Help Desk at <a href="mailto:info@arin.net" target="_blank" class="">info@arin.net</a> if you experience any issues.<br class="">
</blockquote></div>
</div></blockquote></div><br class=""></body></html>