ACSP Consultation 2021.2 - Password Security for ARIN Online Accounts is now Closed
Posted: Tuesday, 06 April 2021
I would like to thank everyone who provided valuable feedback during this consultation on improving the security of the ARIN Online system. Input provided by the community is a vital part of our planning processes at ARIN, and after reviewing responses to the consultation, we have determined an appropriate path forward.
The general consensus was that ARIN should change its password practices to better align with the NIST SP 800-63B guidelines for authentication security (as proposed in ACSP Suggestion 2018.22: Align ARIN password policy with current NIST SP800-63 recommendations).
This change will include checking proposed passwords against a list of values known to be compromised. If a proposed password is found in that list, the user will be told that it is known to be compromised and will be required to choose a different one.
The password selection process will be updated so that no other composition rules are imposed (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for ARIN Online passwords. ARIN Online does not require account passwords to be changed arbitrarily (e.g., periodically); however, it will force a password change if there is evidence that the user account has been compromised.
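As an added illustration (not ARIN's code), the following Python shows the shape of a password acceptance check that follows the SP 800-63B approach described above: a minimum length, a generous maximum, no composition rules, and a lookup against a blocklist of compromised values compared by SHA-1 hash. The blocklist contents, the length limits and the function names are assumptions made for the example.

```python
"""Added example (not ARIN's code): SP 800-63B style password acceptance check.

Rules implemented here:
  * at least MIN_LENGTH characters and no restrictive maximum;
  * no composition rules (no required character classes);
  * reject any value found in a breach/blocklist, compared by SHA-1 hash
    so the plaintext list never needs to be held beside the candidate.
The blocklist below is a constructed sample for the example; a real
deployment would load a large corpus of known-compromised passwords.
"""
import hashlib
import unicodedata

# Constructed sample of "known compromised" values (hypothetical list).
_SAMPLE_BREACHED = ["password", "123456", "qwerty", "letmein", "Password1!"]

MIN_LENGTH = 8      # assumption for the example; SP 800-63B requires at least 8
MAX_LENGTH = 256    # assumption; SP 800-63B asks that at least 64 be permitted


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the NFKC-normalized password.

    Normalizing first means visually identical Unicode strings (for example
    the ligature U+FB01 and the two letters 'fi') hash to the same value,
    as SP 800-63B recommends before processing a memorized secret.
    """
    normalized = unicodedata.normalize("NFKC", password)
    return hashlib.sha1(normalized.encode("utf-8")).hexdigest().upper()


BREACHED_HASHES = frozenset(sha1_hex(p) for p in _SAMPLE_BREACHED)


def check_password(candidate: str, blocklist=BREACHED_HASHES):
    """Return (accepted, reason). The reason is a user-facing message."""
    if len(candidate) < MIN_LENGTH:
        return False, f"Password must be at least {MIN_LENGTH} characters."
    if len(candidate) > MAX_LENGTH:
        return False, f"Password must be no more than {MAX_LENGTH} characters."
    # Deliberately no composition rules: a long passphrase of lower-case
    # words is accepted, and a short mixed-class value fails on length alone.
    if sha1_hex(candidate) in blocklist:
        return False, ("This password appears in a list of values known to be "
                       "compromised; please choose a different one.")
    return True, "OK"


if __name__ == "__main__":
    for pw in ["Password1!", "correcthorsebatterystaple", "P@ss1"]:
        print(repr(pw), check_password(pw))
```

Hashing the candidate before the lookup also suits the k-anonymity pattern used by services such as Have I Been Pwned's Pwned Passwords range API, where only the first five hex characters of the SHA-1 are sent and the remaining suffixes are compared locally; that network step is not part of this example.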
We will improve our login authentication process to include a rate-limiting mechanism that limits the number of failed authentication attempts that can be made against any single account over time, introducing a CAPTCHA and incrementing timeout periods before further attempts are allowed.
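As an added example (not ARIN's code), the Python below implements the per-account throttle described above: after a few consecutive failures the account requires a CAPTCHA, and after a further threshold it is locked for a period that doubles with each additional failure up to a cap. The thresholds, the lockout durations and the `verify_credential` callback are assumptions made for the example; time is passed in explicitly so the logic can be exercised without sleeping.

```python
"""Added example (not ARIN's code): per-account login throttling with a
CAPTCHA requirement and escalating lockout.

Policy (all parameters are assumptions for the example):
  * after CAPTCHA_AFTER consecutive failures, attempts must carry a solved
    CAPTCHA before the credential is even checked;
  * after LOCK_AFTER consecutive failures the account is locked for
    BASE_LOCK_SECONDS, doubling per further failure, capped at MAX_LOCK_SECONDS;
  * attempts made while locked are refused without counting, so an attacker
    cannot extend the lockout indefinitely;
  * a successful login resets the counter.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict

CAPTCHA_AFTER = 3
LOCK_AFTER = 5
BASE_LOCK_SECONDS = 30
MAX_LOCK_SECONDS = 3600


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class LoginThrottle:
    # Hypothetical credential verifier: (username, password) -> bool.
    verify_credential: Callable[[str, str], bool]
    states: Dict[str, AccountState] = field(default_factory=dict)

    def _state(self, user: str) -> AccountState:
        # State is kept for every submitted username, existing or not, so the
        # responses do not reveal which accounts exist.
        return self.states.setdefault(user, AccountState())

    def lockout_seconds(self, failures: int) -> int:
        """Lockout length for a given consecutive-failure count (0 if none)."""
        if failures < LOCK_AFTER:
            return 0
        return min(BASE_LOCK_SECONDS * 2 ** (failures - LOCK_AFTER), MAX_LOCK_SECONDS)

    def attempt(self, user: str, password: str, now: float,
                captcha_ok: bool = False) -> str:
        """Process one login attempt at time `now`; returns a status string."""
        st = self._state(user)
        if now < st.locked_until:
            return "locked"
        if st.failures >= CAPTCHA_AFTER and not captcha_ok:
            return "captcha_required"
        if self.verify_credential(user, password):
            st.failures = 0
            st.locked_until = 0.0
            return "ok"
        st.failures += 1
        delay = self.lockout_seconds(st.failures)
        if delay:
            st.locked_until = now + delay
            return "locked"
        return "failed"


if __name__ == "__main__":
    throttle = LoginThrottle(lambda u, p: p == "correcthorsebatterystaple")
    for t in range(8):
        print(t, throttle.attempt("alice", "wrong", now=t, captcha_ok=True))
```

Because the counter is keyed on the account rather than the source address, distributed guessing against one username is still throttled; the CAPTCHA step before lockout, the cap on the lockout length, and refusing to count attempts made during a lock are what keep the mechanism from becoming an easy denial of service against a known username.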
Other future improvements include adding functionality to allow organizations to require two-factor authentication (2FA) for any user accounts connected to their organization. We will notify the community as these additional improvements are implemented.
We will be implementing this improvement in phases, the first of which will be deployed in June, when we will begin running the compromised-password check when new accounts are created, when a user requests a password change, or when the system requires a password change.
Thank you again to those who provided valuable feedback on this consultation.
President and CEO
American Registry for Internet Numbers (ARIN)