ACSP Suggestion 2018.22: Align ARIN password policy with current NIST SP800-63 recommendations

Suggestion

Author: Robert Seastrom   
Submitted On: 06 October 2018

Description:

Align ARIN password policy with current NIST SP800-63 recommendations (published June 2017)

Executive summary at https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-p5w0rd

TL;DR - a long passphrase with no special characters or capitalization is far more secure than a p4SSw0rD&!!

Value to Community: Improved security.

Timeframe: Not specified

Status: Closed   Updated: 08 June 2021

Tracking Information

ARIN Comment

19 October 2018

Thank you for your suggestion, numbered 2018.22 upon confirmed receipt, requesting alignment of ARIN password policy with current NIST SP800-63 recommendations, as published in June 2017.

We agree with your suggestion and will make this change to our systems. Our development schedule for the 2018 year is currently filled by previously-submitted community suggestions and other system improvements. We will consider this suggestion, together with other community suggestions requesting enhancements to ARIN Online, for possible inclusion into our 2019 work plan.

Thank you for participating in the ARIN Consultation and Suggestion Process. Your suggestion will remain open until implemented.

8 June 2021

Thank you for your suggestion, numbered 2018.22 on confirmed receipt, requesting alignment of ARIN password policy with current NIST SP800-63 recommendations, as published in June 2017.

As requested in your suggestion and discussed in ACSP Consultation 2021.2: Password Security for ARIN Online Accounts, we have changed our password practices to align with recommendations in NIST SP800-63. These changes include checking proposed passwords against a list that contains values known to be compromised and, if the proposed password is potentially compromised, notifying the user to choose a different password. In addition, requirements have been updated to enforce a password length between 12 and 64 characters and to prevent use of a username or the word “arin” in the password. These password practices will apply when new accounts are created, when a user requests a password change, or when the system requires a password change. ARIN Online does not require account passwords to be changed arbitrarily (e.g., periodically); however, it will force a password change if there is evidence of compromise of the user account.

Because this work is completed, we are closing this suggestion. Thank you for participating in the ARIN Consultation and Suggestion Process.
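The checks described in the 8 June 2021 comment (length of 12 to 64 characters, rejection of the username and the word "arin", a lookup against known-compromised values, and no composition rules) map directly onto the acceptance test that NIST SP 800-63B asks verifiers to run on a proposed password. The block below is an added illustration of that test and is not ARIN's code. The breached-password list, the usernames and the candidate passwords are constructed sample data; the prefix-based `range_lookup` models the k-anonymity style query that breach-lookup services offer (the client sends only a hash prefix), served here from the local list so the example runs offline. Those implementation details are assumptions, not a description of ARIN Online.

```python
"""NIST SP 800-63B-style acceptance checks for a proposed password.

Added example (not ARIN's code). Models the practices in the 8 June 2021
comment: 12-64 characters, no username or "arin" in the password, a check
against known-compromised values, and no composition or rotation rules.
All sample data below is constructed for the example.
"""
from __future__ import annotations

import hashlib
import unicodedata

MIN_LEN = 12
MAX_LEN = 64
BLOCKED_WORDS = ("arin",)  # the page names only this word

# Constructed stand-in for a breach corpus. Such lists are normally shipped
# as SHA-1 digests of the leaked values (SHA-1 is a lookup key here, not a
# credential hash; never store user passwords this way).
_CONSTRUCTED_BREACHED = ("password1234", "correcthorsebatterystaple", "letmein12345")
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _CONSTRUCTED_BREACHED
}


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical inputs compare and hash alike."""
    return unicodedata.normalize("NFKC", password)


def range_lookup(prefix5: str, breached: set[str] = BREACHED_SHA1) -> set[str]:
    """Return the digest suffixes in `breached` that share a 5-hex-digit prefix.

    Assumed implementation detail: this mirrors the k-anonymity range query
    offered by breach-lookup services, where the client only transmits the
    prefix and matches the suffix locally. Here it is served from a local set.
    """
    return {h[5:] for h in breached if h.startswith(prefix5)}


def is_compromised(password: str) -> bool:
    """True if the password's SHA-1 digest appears in the breach list."""
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def check_password(candidate: str, username: str) -> list[str]:
    """Return the reasons a candidate is unacceptable; an empty list means accepted.

    Length is counted in Unicode code points after normalization. Spaces and
    any printable character are allowed, and there are no composition rules
    (no required digits, symbols or capitals), in line with SP 800-63B.
    """
    pw = normalize(candidate)
    reasons: list[str] = []

    n = len(pw)
    if n < MIN_LEN:
        reasons.append(f"too short: {n} characters, minimum is {MIN_LEN}")
    if n > MAX_LEN:
        reasons.append(f"too long: {n} characters, maximum is {MAX_LEN}")

    # Substring checks are case-insensitive so "ARIN" or "RSeastrom" cannot
    # slip past a lower-case comparison.
    lowered = pw.casefold()
    if username and username.casefold() in lowered:
        reasons.append("contains the username")
    for word in BLOCKED_WORDS:
        if word in lowered:
            reasons.append(f'contains the blocked word "{word}"')

    # Only hit the (possibly remote) breach list once the cheap checks pass
    # length; a too-short password is rejected regardless.
    if is_compromised(pw):
        reasons.append(
            "appears in a list of known-compromised passwords; choose a different one"
        )
    return reasons


if __name__ == "__main__":
    # Constructed candidates; the long spaced passphrase is accepted, the rest are not.
    for pw, user in [
        ("correct horse battery staple", "rseastrom"),
        ("correcthorsebatterystaple", "rseastrom"),
        ("Tr0ub4dor&3", "rseastrom"),
        ("my ARIN login phrase", "rseastrom"),
    ]:
        print(repr(pw), "->", check_password(pw, user) or "accepted")
```

Note what is deliberately absent: there is no rule demanding digits or symbols, and nothing keys off password age. A separate "force change" path should be triggered only by evidence of compromise, as the comment states, not by a calendar.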