ACSP Suggestion 2020.16: Follow Rate Limiting (Throttling) Advice in NIST 800-63B Section 5.2.2 When Locking User Accounts
Submitted On: 28 October 2020
Description: ARIN Online should utilize the advice in NIST 800-63B in section “5.2.2 Rate Limiting (Throttling)” to avoid locking user accounts after 5 failed attempts. In addition to increasing the number of attempts to something a little closer to the NIST suggested upper limit (of 100 failed attempts), consideration should be given to use of one or more of the suggested additional techniques that may reduce the likelihood that an attacker will lock the legitimate claimant out as a result of rate limiting (e.g. captcha completion before resuming and/or an increasing wait period after each failed attempt).
Value to Community:
- Elimination of a fairly trivial denial of service attack against ARIN Online users
- Avoidance of unnecessary calls to ARIN customer service
- Potential emergence of world peace due to increased customer satisfaction with the ARIN Online login process
Timeframe: Not specified
Status: Open
Updated: 03 December 2020
3 December 2020
Thank you for your recent suggestion, numbered 2020.16 upon receipt, requesting that we follow the rate limiting (throttling) advice in NIST 800-63B Section 5.2.2 when locking user accounts. We understand that the current practice of locking user accounts after a number of failed login attempts can sometimes result in legitimate users being locked out of their accounts.
ARIN will implement a series of password validations based on the NIST recommendations using a CAPTCHA and account locking periods that become longer as the number of failed login attempts increases. ARIN will work with its Registration Services Department (RSD) to determine a number of failed login attempts that will trigger a notification to RSD. This notification will alert RSD to contact the customer.
Thank you for participating in the ARIN Consultation and Suggestion Process. Your suggestion will remain open until implemented.
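The escalating throttle that the suggestion and ARIN's response describe (a CAPTCHA after a few failures, wait periods that grow with each further failure, a staff notification at a chosen count, and the NIST 800-63B 5.2.2 ceiling of 100 consecutive failures), as an added Python example that is not ARIN's code. The 5 and 20 thresholds, the 2-second base delay and the 15-minute cap are assumed values; only the 100-failure ceiling comes from NIST.

```python
import time
from dataclasses import dataclass

# Only the 100-failure ceiling comes from NIST SP 800-63B 5.2.2; other values are assumed.
MAX_FAILURES = 100        # hard lock, needs manual recovery
CAPTCHA_AFTER = 5         # old ARIN behaviour locked here; now: CAPTCHA + wait
NOTIFY_RSD_AFTER = 20     # alert Registration Services to contact the customer
BASE_DELAY = 2            # seconds; doubles after each further failure
MAX_DELAY = 15 * 60       # cap on the wait period


@dataclass
class AccountState:
    failures: int = 0
    blocked_until: float = 0.0      # epoch seconds; 0 means no active wait
    captcha_required: bool = False


class LoginThrottle:
    """Escalating throttle per account instead of a hard lock after 5 failures."""

    def __init__(self, notify_rsd, clock=time.time):
        self._state = {}
        self._notify_rsd = notify_rsd   # callback(username, failure_count)
        self._clock = clock             # injectable for tests

    def check(self, username, captcha_solved=False):
        """Decide whether an attempt may proceed: (allowed, reason)."""
        s = self._state.setdefault(username, AccountState())
        if s.failures >= MAX_FAILURES:
            return False, "locked"
        if self._clock() < s.blocked_until:
            return False, "wait"
        if s.captcha_required and not captcha_solved:
            return False, "captcha"
        return True, "ok"

    def record_failure(self, username):
        """Escalate after a wrong password; returns the wait imposed in seconds."""
        s = self._state.setdefault(username, AccountState())
        s.failures += 1
        delay = 0
        if s.failures >= CAPTCHA_AFTER:
            s.captcha_required = True
            delay = min(BASE_DELAY * 2 ** (s.failures - CAPTCHA_AFTER), MAX_DELAY)
        s.blocked_until = self._clock() + delay
        if s.failures == NOTIFY_RSD_AFTER:
            self._notify_rsd(username, s.failures)
        return delay

    def record_success(self, username):
        self._state.pop(username, None)   # a good login clears the counters
```

An attacker who guesses at someone else's account now only adds a CAPTCHA and a growing delay to that user's next login rather than locking it outright, while the 100-failure ceiling still bounds online guessing.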