ACSP Consultation 2021.2 - Password Security for ARIN Online Accounts is now Closed
Posted: Tuesday, 06 April 2021
I would like to thank everyone who provided valuable feedback during this consultation on improving the security of the ARIN Online system. Input provided by the community is a vital part of our planning processes at ARIN, and after reviewing responses to the consultation, we have determined an appropriate path forward.
The general consensus was that ARIN should change its password practices to better align with NIST SP800-63b guidelines for authentication security (as proposed in ACSP Suggestion 2018.22: Align ARIN password policy with current NIST SP800-63 recommendations).
This change will include checking proposed passwords against a list that contains values known to be compromised, and then notifying the user of the easily compromised nature of their proposed password if found in the list and requiring an alternate selection.
The password selection will be updated to not impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for ARIN Online passwords. ARIN Online does not require account passwords to be changed arbitrarily (e.g., periodically); however, it will force a password change if there is evidence of compromise of the user account.
We will improve our login authentication process to include a rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made against any single account over time and introduces CAPTCHA and incrementing timeout periods before allowing further attempts.
Other future improvements include adding functionality to allow organizations to require two-factor authentication (2FA) for any user accounts connected to their organization. We will notify the community as these additional improvements are implemented.
We will be implementing this improvement in phases, the first of which will be deployed in June when we will begin running this check when new accounts are created, when a user requests a password change, or when the system requires a password change.
Thank you again to those who provided valuable feedback on this consultation.
Regards,
John Curran
President and CEO
American Registry for Internet Numbers (ARIN)
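
Editor's added example, not ARIN's code: a sketch of the per-account rate limiting described in the announcement, with a CAPTCHA step followed by incrementing timeouts. The thresholds, timeout values and the `LoginThrottle` name are assumptions; the announcement does not state ARIN's parameters.

```python
import time
from dataclasses import dataclass

# Assumed values for illustration only; not taken from the announcement.
CAPTCHA_AFTER = 3      # failed attempts before a CAPTCHA is demanded
LOCKOUT_AFTER = 5      # failed attempts before timeouts begin
BASE_TIMEOUT = 30.0    # seconds; doubles with each further failure
MAX_TIMEOUT = 3600.0   # upper bound on a single timeout

@dataclass
class _State:
    failures: int = 0
    locked_until: float = 0.0

class LoginThrottle:
    """Limits failed logins per account, whichever client they come from."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so the policy can be tested
        self._accounts = {}      # normalized account name -> _State

    def check(self, account):
        """Call before verifying credentials: 'allow', 'captcha' or 'locked'."""
        st = self._accounts.get(account.lower())
        if st is None:
            return "allow"
        if self._clock() < st.locked_until:
            return "locked"      # reject without evaluating the password
        return "captcha" if st.failures >= CAPTCHA_AFTER else "allow"

    def retry_after(self, account):
        """Seconds until the next attempt against this account is accepted."""
        st = self._accounts.get(account.lower())
        return max(0.0, st.locked_until - self._clock()) if st else 0.0

    def record(self, account, success):
        """Call after verification; a success clears the failure history."""
        key = account.lower()
        if success:
            self._accounts.pop(key, None)
            return
        st = self._accounts.setdefault(key, _State())
        st.failures += 1
        if st.failures >= LOCKOUT_AFTER:
            step = st.failures - LOCKOUT_AFTER
            timeout = min(BASE_TIMEOUT * 2 ** step, MAX_TIMEOUT)
            st.locked_until = self._clock() + timeout
```

State is keyed on the submitted account name whether or not the account exists, so the response does not reveal which names are registered; a production version would also bound or expire this table.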