ACSP Consultation 2021.2 - Password Security for ARIN Online Accounts is now Closed
Posted: Tuesday, 06 April 2021
I would like to thank everyone who provided valuable feedback during this consultation on improving the security of the ARIN Online system. Input provided by the community is a vital part of our planning processes at ARIN, and after reviewing responses to the consultation, we have determined an appropriate path forward.
The general consensus was that ARIN should change its password practices to better align with the NIST SP 800-63B guidelines for authentication security (as proposed in ACSP Suggestion 2018.22: Align ARIN password policy with current NIST SP 800-63 recommendations).
This change will include checking proposed passwords against a list of values known to be compromised; if a proposed password appears on that list, the user will be told that it is easily compromised and will be required to choose a different one.
The password selection process will also be updated to drop other composition rules (e.g., requiring a mixture of different character types or prohibiting consecutively repeated characters) for ARIN Online passwords. ARIN Online does not require account passwords to be changed arbitrarily (e.g., periodically); it will, however, force a password change if there is evidence that the user account has been compromised.
We will improve the login authentication process with a rate-limiting mechanism that limits the number of failed authentication attempts that can be made against any single account over time, introducing a CAPTCHA and increasing timeout periods before further attempts are allowed.
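The following is an added example, written for this page and not ARIN's own code, showing how the three measures above fit together: an SP 800-63B-style password check (minimum length, no composition rules, rejection of values on a compromised-password list) and a per-account failed-login limiter that adds a CAPTCHA step and then increasing lockout periods. The thresholds, the contents of the blocklist, and the `verify` callback are all assumptions chosen for illustration; a real deployment would load a breach corpus and verify against stored password hashes.

```python
import time
from dataclasses import dataclass

# Constructed stand-in for a list of known-compromised passwords (assumption;
# a real deployment would load a breach corpus, not a handful of literals).
COMPROMISED = {"password", "123456", "qwerty", "letmein", "welcome1"}


def check_password(candidate: str, blocklist=COMPROMISED, min_len: int = 8):
    """Accept or reject a proposed password using the rules described above.

    Only a minimum length and a compromised-list lookup are enforced; there are
    deliberately no composition rules (character classes, repeated characters).
    Returns (accepted, reason).
    """
    if len(candidate) < min_len:
        return False, f"must be at least {min_len} characters"
    if candidate in blocklist:
        return False, "found in list of known-compromised passwords; choose another"
    return True, "accepted"


@dataclass
class _AccountState:
    failures: int = 0       # consecutive failed attempts since last success
    locked_until: float = 0.0


class LoginRateLimiter:
    """Per-account limiter: CAPTCHA after `captcha_after` failures, then a
    lockout starting at `base_delay` seconds that doubles with each further
    failure, capped at `max_delay`. Numbers are illustrative assumptions."""

    def __init__(self, captcha_after=3, lockout_after=5, base_delay=30.0,
                 max_delay=3600.0, clock=time.monotonic):
        self.captcha_after = captcha_after
        self.lockout_after = lockout_after
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._clock = clock          # injectable so tests can advance time
        self._state: dict[str, _AccountState] = {}

    def check(self, account: str) -> dict:
        """Gate an attempt: is it allowed, is a CAPTCHA needed, how long to wait."""
        st = self._state.get(account)
        now = self._clock()
        if st is None:
            return {"allowed": True, "captcha": False, "retry_after": 0.0}
        if now < st.locked_until:
            return {"allowed": False, "captcha": True,
                    "retry_after": st.locked_until - now}
        return {"allowed": True, "captcha": st.failures >= self.captcha_after,
                "retry_after": 0.0}

    def record_failure(self, account: str) -> float:
        """Count a failure; once past the lockout threshold, impose a timeout
        that doubles with every additional failure. Returns the delay imposed."""
        st = self._state.setdefault(account, _AccountState())
        st.failures += 1
        if st.failures < self.lockout_after:
            return 0.0
        delay = min(self.base_delay * 2 ** (st.failures - self.lockout_after),
                    self.max_delay)
        st.locked_until = self._clock() + delay
        return delay

    def record_success(self, account: str) -> None:
        self._state.pop(account, None)   # a good login resets the counters


def attempt_login(limiter, account, supplied, verify, captcha_solved=False):
    """Run one login attempt through the limiter. `verify(account, password)`
    is an assumed callback that checks the credential (e.g. against a stored
    hash). Returns 'locked', 'captcha_required', 'failed' or 'ok'."""
    gate = limiter.check(account)
    if not gate["allowed"]:
        return "locked"
    if gate["captcha"] and not captcha_solved:
        return "captcha_required"   # no failure is recorded for a missing CAPTCHA
    if verify(account, supplied):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "failed"


if __name__ == "__main__":
    fake_now = [1000.0]
    lim = LoginRateLimiter(clock=lambda: fake_now[0])
    verify = lambda acct, pw: pw == "correct horse battery staple"
    for pw in ("guess1", "guess2", "guess3"):
        print(attempt_login(lim, "alice", pw, verify))       # failed x3
    print(attempt_login(lim, "alice", "guess4", verify))     # captcha_required
    print(attempt_login(lim, "alice", "guess4", verify, captcha_solved=True))
    print(attempt_login(lim, "alice", "guess5", verify, captcha_solved=True))
    print(attempt_login(lim, "alice", "guess6", verify, captcha_solved=True))  # locked
```

Note that a CAPTCHA refusal does not increment the failure counter, so an attacker cannot lock a victim out merely by hammering the form without solving the challenge; only genuine wrong-password attempts escalate the timeout, and a successful login clears the state.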
Other future improvements include adding functionality to allow organizations to require two-factor authentication (2FA) for any user accounts connected to their organization. We will notify the community as these additional improvements are implemented.
We will implement these improvements in phases. The first phase will be deployed in June, when we will begin running the compromised-password check whenever a new account is created, a user requests a password change, or the system requires a password change.
Thank you again to those who provided valuable feedback on this consultation.
Regards,
John Curran
President and CEO
American Registry for Internet Numbers (ARIN)