[DBWG] Deprecating old password hashing methods

Michel Odou michel.odou at afrinic.net
Wed Nov 16 01:38:41 UTC 2016

Dear WG members,

The WHOIS currently allows 4 different ways to authenticate a maintainer:

 2. MD5-PW
 3. PGP
 4. X509

Crypt is today completely obsolete and can be cracked by almost any 
computer. The MD5-hashed passwords are salted, which prevents the use of 
pre-computed lookup tables but with the hash and the salt, it is not 
impossible to retrieve the password. There are available databases with 
billions of pre-computed MD5 entries available on the Internet for free.

96% of the mntner objects in the WHOIS DB use an MD5-hashed password and 
2.4% still use CRYPT, which makes them vulnerable even if they also have 
a PGP or X509 authentication because the WHOIS will accept both 
authentication methods.

The idea here is to deprecate both CRYPT and MD5. Any MD5 or 
CRYPT-protected mntner object will still be allowed to authenticate 
using these schemes but they will not be available anymore to create a 
new password. In the meantime, we suggest adding a new method, 
BCRYPT-PW, which uses the more secure bcrypt algorithm with a high 
number of rounds. bcrypt is secure, resistant to rainbow table attacks 
and to brute-force attacks. For more information on Bcrypt, please read 

This woud at least provide a better algorithm for new mntner objects and 
for those that want to update their existing mntner objects. It does not 
however force people to update them. There are solutions for that 
(inviting people to update their objects/lock the mntner that have not 
been updated past a certain date/etc.) but I would like to have your 
feedback first.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/dbwg/attachments/20161116/725f3bf7/attachment.html>

More information about the DBWG mailing list