I would like to thank everyone who provided valuable feedback during this 
consultation on improving the security of the ARIN Online system. Input 
provided by the community is a vital part of our planning processes at ARIN, 
and after reviewing responses to the consultation, we have determined an 
appropriate path forward.

The general consensus was that ARIN should change its password practices to 
better align with NIST SP800-63b guidelines for authentication security (as 
proposed in https://www.arin.net/participate/community/acsp/suggestions/2018/2018-22/).

This change will include checking proposed passwords against a list of values 
known to be compromised; if a proposed password is found in that list, the 
user will be notified that it is easily compromised and required to select an 
alternate password.

The password selection will be updated to not impose other composition rules 
(e.g., requiring mixtures of different character types or prohibiting 
consecutively repeated characters) for ARIN Online passwords. ARIN Online 
does not require account passwords to be changed arbitrarily (e.g., 
periodically); however, it will force a password change if there is evidence 
of compromise of the user account.

We will improve our login authentication process to include a rate-limiting 
mechanism that effectively limits the number of failed authentication attempts 
that can be made against any single account over time and introduces CAPTCHA 
and incrementing timeout periods before allowing further attempts.  
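As an added illustration (not ARIN's code and not part of this announcement), the two mechanisms described above, the compromised-password check and per-account throttling with CAPTCHA and incrementing timeouts, sketched in Python; the blocklist contents, thresholds and delays are constructed assumptions.

```python
import hashlib

# Constructed sample of a compromised-password list, kept as SHA-1 digests so
# the plaintext values do not have to be held in memory (a hypothetical choice).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein")
}

def check_password(candidate):
    """SP 800-63B style check: a length floor plus a compromised-value lookup,
    deliberately without composition rules (character classes, repeats)."""
    if len(candidate) < 8:
        return False, "too short"
    if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
        return False, "appears in a list of compromised passwords; choose another"
    return True, "ok"

class LoginThrottle:
    """Per-account limiter: after `captcha_after` failures a CAPTCHA is
    demanded, and from `lock_after` failures each further failure doubles
    the wait before the next attempt is accepted. Thresholds are assumptions;
    a production limiter would also age out old failure counts."""
    def __init__(self, captcha_after=3, lock_after=5, base_delay=30.0):
        self.captcha_after = captcha_after
        self.lock_after = lock_after
        self.base_delay = base_delay
        self.state = {}  # account -> [failure_count, not_before_timestamp]

    def status(self, account, now):
        """Call before verifying credentials: returns ("locked", seconds_left),
        ("captcha", 0.0) or ("open", 0.0)."""
        failures, not_before = self.state.get(account, [0, 0.0])
        if now < not_before:
            return "locked", not_before - now
        if failures >= self.captcha_after:
            return "captcha", 0.0
        return "open", 0.0

    def record(self, account, success, now):
        """Call after verifying credentials; success clears the account's history."""
        if success:
            self.state.pop(account, None)
            return
        failures = self.state.get(account, [0, 0.0])[0] + 1
        not_before = 0.0
        if failures >= self.lock_after:
            not_before = now + self.base_delay * 2 ** (failures - self.lock_after)
        self.state[account] = [failures, not_before]
```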

Other future improvements include adding functionality to allow organizations 
to require two-factor authentication (2FA) for any user accounts connected to 
their organization. We will notify the community as these additional 
improvements are implemented.

We will be implementing this improvement in phases, the first of which will be 
deployed in June when we will begin running this check when new accounts are 
created, when a user requests a password change, or when the system requires a 
password change. 

Thank you again to those who provided valuable feedback on this consultation.

Regards,
John Curran
President and CEO
American Registry for Internet Numbers



_______________________________________________
ARIN-Announce