[DBWG] Deprecating old password hashing methods

Michel ODOU michel.odou at afrinic.net
Mon Jan 16 12:10:36 UTC 2017


Dear DBWG members,

Please note that starting from the next WHOIS release, bcrypt will be
the default password hashing method. Crypt and MD5 will be deprecated.

The "Services/IP Tools/WHOIS Crypt" page (*) on the AFRINIC web site will be
updated and only bcrypt will be available for password hashing. Note that
the mntner objects that have passwords encrypted with CRYPT or hashed
using MD5 will still be able to authenticate. However, for new passwords
or password updates, bcrypt will be the only choice.

Regards,
Michel

(*) https://afrinic.net/services/ip-tools/whoiscrypt

On 16/11/2016 05:38, Michel Odou wrote:
> Dear WG members,
> 
> The WHOIS currently allows 4 different ways to authenticate a maintainer:
> 
>  1. CRYPT-PW
>  2. MD5-PW
>  3. PGP
>  4. X509
> 
> Crypt is today completely obsolete and can be cracked by almost any
> computer. The MD5-hashed passwords are salted, which prevents the use of
> pre-computed lookup tables but with the hash and the salt, it is not
> impossible to retrieve the password. There are available databases with
> billions of pre-computed MD5 entries available on the Internet for free.
> 
> 96% of the mntner objects in the WHOIS DB use an MD5-hashed password and
> 2.4% still use CRYPT, which makes them vulnerable even if they also have
> a PGP or X509 authentication because the WHOIS will accept both
> authentication methods.
> 
> The idea here is to deprecate both CRYPT and MD5. Any MD5 or
> CRYPT-protected mntner object will still be allowed to authenticate
> using these schemes but they will not be available anymore to create a
> new password. In the meantime, we suggest adding a new method,
> BCRYPT-PW, which uses the more secure bcrypt algorithm with a high
> number of rounds. bcrypt is secure, resistant to rainbow table attacks
> and to brute-force attacks. For more information on Bcrypt, please read
> https://en.wikipedia.org/wiki/Bcrypt.
> 
> This would at least provide a better algorithm for new mntner objects and
> for those that want to update their existing mntner objects. It does not
> however force people to update them. There are solutions for that
> (inviting people to update their objects/lock the mntner that have not
> been updated past a certain date/etc.) but I would like to have your
> feedback first.
> 
> Regards,
> Michel
> 
> _______________________________________________
> DBWG mailing list
> DBWG at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/dbwg
> 

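The transition the two messages describe (existing CRYPT-PW and MD5-PW values keep authenticating, but no new password may be stored under those schemes, and a deprecated hash on a mntner that also carries PGP or X509 undermines the stronger credential because WHOIS accepts either) can be expressed as a small policy layer. The following is an added example written for this page; it is not AFRINIC WHOIS code. It assumes RIPE-style RPSL `auth:` syntax (`MD5-PW $1$salt$hash`, `CRYPT-PW hash`, `PGPKEY-id`, `X509-n`) and the proposed `BCRYPT-PW $2b$cost$salthash`; it re-implements md5-crypt with `hashlib` so the legacy verification path runs offline, and it calls the third-party `bcrypt` package for the new scheme rather than re-implementing bcrypt. The mntner object and the credential `correct horse` are constructed for the demo.

```python
import hashlib
import hmac

# Added example, not AFRINIC WHOIS code. auth: syntax assumed as in RIPE-style
# RPSL ("MD5-PW $1$salt$hash", "CRYPT-PW hash", "PGPKEY-id", "X509-n") plus
# the proposed "BCRYPT-PW $2b$cost$salthash".
MD5_MAGIC = b"$1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEPRECATED = {"CRYPT-PW", "MD5-PW"}   # stored values still verify; new ones are refused
NEW_SCHEME = "BCRYPT-PW"
BCRYPT_COST = 12                      # bcrypt work factor: 2**12 key-schedule rounds

def _to64(value: int, n: int) -> bytes:
    # crypt(3)-style base64 of the low 6*n bits, least significant group first
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)

def md5_crypt(password: bytes, salt: bytes) -> str:
    """FreeBSD md5-crypt ($1$), the algorithm behind legacy MD5-PW values.
    Salted, but the round count is fixed at 1000 and cannot be raised."""
    salt = salt[:8]
    ctx = hashlib.md5(password + MD5_MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    pl = len(password)
    while pl > 0:
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(password)
    while i:
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                   for a, b, c in groups) + _to64(final[11], 2)
    return (MD5_MAGIC + salt + b"$" + enc).decode("ascii")

def verify_md5_pw(stored: str, candidate: str) -> bool:
    _, _, salt, _ = stored.split("$", 3)
    return hmac.compare_digest(md5_crypt(candidate.encode(), salt.encode()), stored)

def verify_bcrypt_pw(stored: str, candidate: str) -> bool:
    import bcrypt  # third-party package, assumed installed on the WHOIS host
    return bcrypt.checkpw(candidate.encode(), stored.encode())

def hash_new_password(candidate: str) -> str:
    """The only hashing choice offered for new or updated passwords."""
    import bcrypt  # third-party package, assumed installed on the WHOIS host
    digest = bcrypt.hashpw(candidate.encode(), bcrypt.gensalt(rounds=BCRYPT_COST))
    return f"{NEW_SCHEME} {digest.decode('ascii')}"

def parse_auth(obj_text: str) -> list:
    """(scheme, value) pairs from the auth: attributes of an RPSL object."""
    pairs = []
    for line in obj_text.splitlines():
        if not line.startswith("auth:"):
            continue
        scheme, _, rest = line[5:].strip().partition(" ")
        if scheme.startswith("PGPKEY-"):
            scheme = "PGP"
        elif scheme.startswith("X509-"):
            scheme = "X509"
        pairs.append((scheme, rest))
    return pairs

def audit_mntner(obj_text: str) -> dict:
    """Schemes a mntner carries, and whether a deprecated hash sits beside a
    PGP/X509/bcrypt credential it undermines (WHOIS accepts either one)."""
    name = next(l.split(":", 1)[1].strip() for l in obj_text.splitlines()
                if l.startswith("mntner:"))
    schemes = [s for s, _ in parse_auth(obj_text)]
    weak = [s for s in schemes if s in DEPRECATED]
    strong = any(s in ("PGP", "X509", NEW_SCHEME) for s in schemes)
    return {"mntner": name, "schemes": schemes, "deprecated": weak,
            "strong_undermined": bool(weak) and strong}

def accept_auth_update(new_auth: str) -> bool:
    """Gate for incoming updates: no new CRYPT-PW or MD5-PW values."""
    return new_auth.split(" ", 1)[0] not in DEPRECATED

def verify_password(auth_value: str, candidate: str) -> bool:
    """Dispatch by scheme; stored legacy MD5-PW values keep authenticating."""
    scheme, _, stored = auth_value.partition(" ")
    if scheme == "MD5-PW":
        return verify_md5_pw(stored, candidate)
    if scheme == NEW_SCHEME:
        return verify_bcrypt_pw(stored, candidate)
    raise ValueError(f"{scheme}: not a password scheme handled by this example")

# Constructed sample object; the credential "correct horse" is made up for the demo.
LEGACY_HASH = md5_crypt(b"correct horse", b"saltsalt")
SAMPLE_MNTNER = f"""\
mntner:         EXAMPLE-MNT
auth:           MD5-PW {LEGACY_HASH}
auth:           PGPKEY-0123ABCD
source:         AFRINIC
"""

if __name__ == "__main__":
    print(audit_mntner(SAMPLE_MNTNER))
    print(verify_password(f"MD5-PW {LEGACY_HASH}", "correct horse"))
    print(accept_auth_update("MD5-PW $1$ab$cd"), accept_auth_update("BCRYPT-PW $2b$12$x"))
```

Running the block as a script prints the audit of the sample object (deprecated `MD5-PW` present next to a PGP key, so `strong_undermined` is true), shows the legacy hash still verifying, and shows the update gate refusing a new `MD5-PW` while accepting a `BCRYPT-PW` value. The audit function is the piece that produces the kind of figures quoted in the original post (share of mntner objects still on MD5 or CRYPT) when run over every object in a database dump.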