[DBWG] Deprecating old password hashing methods
Michel Odou
michel.odou at afrinic.net
Wed Nov 16 01:38:41 UTC 2016
Dear WG members,
The WHOIS currently allows 4 different ways to authenticate a maintainer:
1. CRYPT-PW
2. MD5-PW
3. PGP
4. X509
Crypt is today completely obsolete and can be cracked by almost any
computer. The MD5-hashed passwords are salted, which prevents the use of
pre-computed lookup tables but with the hash and the salt, it is not
impossible to retrieve the password. There are available databases with
billions of pre-computed MD5 entries available on the Internet for free.
96% of the mntner objects in the WHOIS DB use an MD5-hashed password and
2.4% still use CRYPT, which makes them vulnerable even if they also have
a PGP or X509 authentication because the WHOIS will accept both
authentication methods.
The idea here is to deprecate both CRYPT and MD5. Any MD5 or
CRYPT-protected mntner object will still be allowed to authenticate
using these schemes but they will not be available anymore to create a
new password. In the meantime, we suggest adding a new method,
BCRYPT-PW, which uses the more secure bcrypt algorithm with a high
number of rounds. bcrypt is secure, resistant to rainbow table attacks
and to brute-force attacks. For more information on Bcrypt, please read
https://en.wikipedia.org/wiki/Bcrypt.
This would at least provide a better algorithm for new mntner objects and
for those that want to update their existing mntner objects. It does not
however force people to update them. There are solutions for that
(inviting people to update their objects/lock the mntner that have not
been updated past a certain date/etc.) but I would like to have your
feedback first.
Regards,
Michel
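As an added example (not part of the original mail or the AFRINIC WHOIS code), a small Python audit that applies the "weakest link" rule described above: a mntner object counts as vulnerable if any of its auth: lines uses CRYPT-PW or MD5-PW, regardless of whether PGP or X509 is also listed. The RPSL sample objects and their hash values are constructed placeholders.

```python
from collections import Counter

# Schemes the proposal deprecates. Because the WHOIS accepts whichever
# auth: line matches, one of these beside a PGP or X509 line still leaves
# the object crackable at the strength of the weakest hash.
DEPRECATED_SCHEMES = {"CRYPT-PW", "MD5-PW"}

# Constructed sample: three mntner objects in RPSL layout, placeholder hashes.
SAMPLE = """\
mntner:   EXAMPLE1-MNT
auth:     MD5-PW $1$SaltSalt$XXXXXXXXXXXXXXXXXXXXXX
auth:     PGPKEY-0123ABCD
source:   AFRINIC

mntner:   EXAMPLE2-MNT
auth:     CRYPT-PW XXXXXXXXXXXXX
source:   AFRINIC

mntner:   EXAMPLE3-MNT
auth:     X509-1
source:   AFRINIC
"""

def parse_objects(text):
    """Split RPSL text on blank lines; each object is a list of (attr, value)."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects

def auth_scheme(value):
    """Reduce an auth: value to its scheme: CRYPT-PW, MD5-PW, PGP or X509."""
    token = value.split()[0].upper()
    if token.startswith("PGPKEY-"):
        return "PGP"
    if token.startswith("X509-"):
        return "X509"
    return token

def audit(text):
    """Return (names of mntners with a deprecated scheme, Counter of schemes)."""
    weak, counter = [], Counter()
    for obj in parse_objects(text):
        attrs = dict(obj)
        if "mntner" not in attrs:
            continue  # not a maintainer object
        schemes = {auth_scheme(v) for a, v in obj if a == "auth"}
        counter.update(schemes)
        if schemes & DEPRECATED_SCHEMES:
            weak.append(attrs["mntner"])
    return weak, counter
```

Run against a full database dump, the returned list is the set of objects a migration (invitation or lock-after-date) would need to cover.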