ACSP Consultation 2021.2 - Password Security for ARIN Online Accounts is now Closed

Posted: Tuesday, 06 April 2021

I would like to thank everyone who provided valuable feedback during this consultation on improving the security of the ARIN Online system. Input provided by the community is a vital part of our planning processes at ARIN, and after reviewing responses to the consultation, we have determined an appropriate path forward.

The general consensus was that ARIN should change its password practices to better align with NIST SP800-63b guidelines for authentication security (as proposed in ACSP Suggestion 2018.22: Align ARIN password policy with current NIST SP800-63 recommendations).

This change will include checking proposed passwords against a list that contains values known to be compromised, and then notifying the user of the easily compromised nature of their proposed password if found in the list and requiring an alternate selection.

The password selection will be updated to not impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for ARIN Online passwords. ARIN Online does not require account passwords to be changed arbitrarily (e.g., periodically), however, it will force a password change if there is evidence of compromise of the user account.

We will improve our login authentication process to include a rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made against any single account over time and introduces CAPTCHA and incrementing timeout periods before allowing further attempts.

Other future improvements include adding functionality to allow organizations to require two-factor authentication (2FA) for any user accounts connected to their organization. We will notify the community as these additional improvements are implemented.

We will be implementing this improvement in phases, the first of which will be deployed in June when we will begin running this check when new accounts are created, when a user requests a password change, or when the system requires a password change.

Thank you again to those who provided valuable feedback on this consultation.


John Curran
President and CEO
American Registry for Internet Numbers (ARIN)