ACSP Consultation 2021.2: Password Security for ARIN Online Accounts

Consultation Tracking Information

  • Requested By: Staff
  • Status: Closed
  • Comments Opened: Linked to Discussion Archives: 16 February 2021
  • Comments Closed: 16 March 2021
  • Suggestion Number: n/a

Consultation Description

Since October 2020, the ARIN Online system has been subject to a series of dictionary-based password guessing attacks. Because of the protective measures currently in place, some customer accounts were locked during these attacks. ARIN staff has been heavily engaged in mitigating these attacks, and we are seeking community feedback on potential steps ARIN can take to reduce the risk of future attacks and to help customers ensure they are using strong passwords. Password dictionary guessing attacks continue to be a problem in the industry, and this effort should help reduce the extent of previously exposed passwords for our ARIN Online user base.

Password Check Proposal

To help ARIN customers make sure they aren’t using a password that has been exposed and shared publicly online, when someone updates their password or creates a user account in ARIN Online, it is proposed that ARIN should check the database “haveibeenpwned (https://haveibeenpwned.com)” to see if they are trying to use a password that has been compromised. ARIN will not send the password, but rather we encrypt the password and send part of the encrypted password to the Have I been Pwned (HIBP) Service (https://haveibeenpwned.com/API/v3#PwnedPasswords) to see if it matches a compromised password. Actual passwords are never sent or used in any query, nor is your user ID or email shared as part of this check.

How would it work?

  1. A user enters a password during Account Setup, Password Change, Password Reset or User Login in ARIN Online.
  2. ARIN encrypts the password and sends part of the encrypted password to the Have I been Pwned (HIBP) Service (https://haveibeenpwned.com/API/v3#PwnedPasswords) and returns all possible matches in their database. (Your actual password is never sent or used in any query.)
  3. We compare the full encrypted password to the results sent by HIBP to see if there is a match.
  4. If there is a match we will notify the customer.

Optional Outcomes

We are interested in the community’s thoughts on the possible outcomes when we identify a password that has been exposed in a data breach according to the HIBP service. There are three options:

  1. Issue a caution message but allow the password.
  2. Issue a warning message and notify the customer that they need to change their password within a defined time period, but not at the current point of login.
  3. Issue warning message that requires the customer to select and set a different password immediately.

The feedback you provide during this consultation will help inform how we move forward to increase security of ARIN Online for all customers. Thank you for your participation in the ARIN Consultation and Suggestion Process.

Please provide comments to arin-consult@arin.net. You can subscribe to this mailing list at:

http://lists.arin.net/mailman/listinfo/arin-consult

This consultation will remain open through 5:00 PM ET on 16 March 2021.

ARIN Actions

ARIN thanks everyone who provided valuable feedback during this consultation on improving the security of the ARIN Online system. Input provided by the community is a vital part of our planning processes at ARIN, and after reviewing responses to the consultation, we have determined an appropriate path forward.

The general consensus was that ARIN should change its password practices to better align with NIST SP800-63b guidelines for authentication security (as proposed in ACSP Suggestion 2018.22: Align ARIN password policy with current NIST SP800-63 recommendations).

This change will include checking proposed passwords against a list that contains values known to be compromised, and then notifying the user of the easily compromised nature of their proposed password if found in the list and requiring an alternate selection.

The password selection will be updated to not impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for ARIN Online passwords. ARIN Online does not require account passwords to be changed arbitrarily (e.g., periodically), however, it will force a password change if there is evidence of compromise of the user account.

We will improve our login authentication process to include a rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made against any single account over time and introduces CAPTCHA and incrementing timeout periods before allowing further attempts.

Other future improvements include adding functionality to allow organizations to require two-factor authentication (2FA) for any user accounts connected to their organization. We will notify the community as these additional improvements are implemented.

We will be implementing this improvement in phases, the first of which will be deployed in June when we will begin running this check when new accounts are created, when a user requests a password change, or when the system requires a password change.

Thank you again to those who provided valuable feedback on this consultation.

Related