[DBWG] Deprecating old password hashing methods

Simon Seruyinda simon at afrinic.net
Wed Jan 18 07:53:21 UTC 2017


thanks for the update process on whois.

To Afrinic training team :  I think you should emphasize on PGP during
INRM training and include that page [1] on your slides.

I'm pretty sure they are less than 20 people in afrinic WHOIS database
who use PGP to auhenticate :)
However it's no so complicated after all as you may read here [2] .


2. https://labs.ripe.net/Members/AlexBand/pgp-in-the-ripe-database

Le 16/01/2017 à 13:10, Michel ODOU a écrit :
> Dear DBWG members,
> Please note that starting from the next WHOIS release, bcrypt will be
> the default password hashing method. Crypt and MD5 will be deprecated.
> The "Services/IP Tools/WHOIS Crypt" page (*) on AFRINIC web site will be
> updated and only bcrypt will available for password hashing. Note that
> the mntner objects that have passwords encrypted with CRYPT or hashed
> using MD5 will still be able to authenticate. However, for new passwords
> or password updates, bcrypt will be the only choice.
> Regards,
> Michel
> (*) https://afrinic.net/services/ip-tools/whoiscrypt
> On 16/11/2016 05:38, Michel Odou wrote:
>> Dear WG members,
>> The WHOIS currently allows 4 different ways to authenticate a maintainer:
>> 1. CRYPT-PW
>> 2. MD5-PW
>> 3. PGP
>> 4. X509
>> Crypt is today completely obsolete and can be cracked by almost any
>> computer. The MD5-hashed passwords are salted, which prevents the use of
>> pre-computed lookup tables but with the hash and the salt, it is not
>> impossible to retrieve the password. There are available databases with
>> billions of pre-computed MD5 entries available on the Internet for free.
>> 96% of the mntner objects in the WHOIS DB use an MD5-hashed password and
>> 2.4% still use CRYPT, which makes them vulnerable even if they also have
>> a PGP or X509 authentication because the WHOIS will accept both
>> authentication methods.
>> The idea here is to deprecate both CRYPT and MD5. Any MD5 or
>> CRYPT-protected mntner object will still be allowed to authenticate
>> using these schemes but they will not be available anymore to create a
>> new password. In the meantime, we suggest adding a new method,
>> BCRYPT-PW, which uses the more secure bcrypt algorithm with a high
>> number of rounds. bcrypt is secure, resistant to rainbow table attacks
>> and to brute-force attacks. For more information on Bcrypt, please read
>> https://en.wikipedia.org/wiki/Bcrypt.
>> This woud at least provide a better algorithm for new mntner objects and
>> for those that want to update their existing mntner objects. It does not
>> however force people to update them. There are solutions for that
>> (inviting people to update their objects/lock the mntner that have not
>> been updated past a certain date/etc.) but I would like to have your
>> feedback first.
>> Regards,
>> Michel
>> _______________________________________________
>> DBWG mailing list
>> DBWG at afrinic.net
>> https://lists.afrinic.net/mailman/listinfo/dbwg
> _______________________________________________
> DBWG mailing list
> DBWG at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/dbwg

Willy Manga
freenode: ongolaBoy
Ubuntu Cameroonian Loco Team

DBWG mailing list
DBWG at afrinic.net

More information about the DBWG mailing list