[DBWG] Deprecating old password hashing methods

Simon Seruyinda simon at afrinic.net
Wed Jan 18 07:53:21 UTC 2017


Hello

thanks for the update process on whois.

To Afrinic training team: I think you should emphasize PGP during
INRM training and include that page [1] on your slides.

I'm pretty sure there are fewer than 20 people in the AFRINIC WHOIS database
who use PGP to authenticate :)
However, it's not so complicated after all, as you may read here [2].

1. http://www.afrinic.net/en/library/membership-documents/212-pgp-authentication-supporting-document

2. https://labs.ripe.net/Members/AlexBand/pgp-in-the-ripe-database

On 16/01/2017 at 13:10, Michel ODOU wrote:
> Dear DBWG members,
> 
> Please note that starting from the next WHOIS release, bcrypt will be
> the default password hashing method. Crypt and MD5 will be deprecated.
> 
> The "Services/IP Tools/WHOIS Crypt" page (*) on AFRINIC web site will be
> updated and only bcrypt will be available for password hashing. Note that
> the mntner objects that have passwords encrypted with CRYPT or hashed
> using MD5 will still be able to authenticate. However, for new passwords
> or password updates, bcrypt will be the only choice.
> 
> Regards,
> Michel
> 
> (*) https://afrinic.net/services/ip-tools/whoiscrypt
> 
> On 16/11/2016 05:38, Michel Odou wrote:
>> Dear WG members,
>> 
>> The WHOIS currently allows 4 different ways to authenticate a maintainer:
>> 
>> 1. CRYPT-PW
>> 2. MD5-PW
>> 3. PGP
>> 4. X509
>> 
>> Crypt is today completely obsolete and can be cracked by almost any
>> computer. The MD5-hashed passwords are salted, which prevents the use of
>> pre-computed lookup tables but with the hash and the salt, it is not
>> impossible to retrieve the password. There are available databases with
>> billions of pre-computed MD5 entries available on the Internet for free.
>> 
>> 96% of the mntner objects in the WHOIS DB use an MD5-hashed password and
>> 2.4% still use CRYPT, which makes them vulnerable even if they also have
>> a PGP or X509 authentication because the WHOIS will accept both
>> authentication methods.
>> 
>> The idea here is to deprecate both CRYPT and MD5. Any MD5 or
>> CRYPT-protected mntner object will still be allowed to authenticate
>> using these schemes but they will not be available anymore to create a
>> new password. In the meantime, we suggest adding a new method,
>> BCRYPT-PW, which uses the more secure bcrypt algorithm with a high
>> number of rounds. bcrypt is secure, resistant to rainbow table attacks
>> and to brute-force attacks. For more information on Bcrypt, please read
>> https://en.wikipedia.org/wiki/Bcrypt.
>> 
>> This would at least provide a better algorithm for new mntner objects and
>> for those that want to update their existing mntner objects. It does not
>> however force people to update them. There are solutions for that
>> (inviting people to update their objects/lock the mntners that have not
>> been updated past a certain date/etc.) but I would like to have your
>> feedback first.
>> 
>> Regards,
>> Michel
>> 
>> 
>> 
>> 
>> _______________________________________________
>> DBWG mailing list
>> DBWG at afrinic.net
>> https://lists.afrinic.net/mailman/listinfo/dbwg
>> 
> 
> 
> 
> 

-- 
Willy Manga
freenode: ongolaBoy
Ubuntu Cameroonian Loco Team
https://launchpad.net/~manga-willy
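The migration Michel describes, as an added example that is not AFRINIC's whois code: a pure-Python md5-crypt (the `$1$salt$hash` form behind MD5-PW) so existing hashes still verify, and a gate that issues only BCRYPT-PW for new or updated passwords. It assumes the third-party `bcrypt` package for the BCRYPT-PW paths; CRYPT-PW verification is left out, and the password and salt used are constructed for illustration.

```python
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ALLOWED_NEW = frozenset({"BCRYPT-PW"})  # CRYPT-PW and MD5-PW become verify-only

def md5crypt(password: str, salt: str) -> str:
    # Unix md5-crypt, the "$1$salt$hash" form stored by MD5-PW. The salt defeats
    # precomputed tables, but the cost is a fixed 1000 MD5 rounds, not tunable.
    pw, s = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for i in range(len(pw)):
        ctx.update(alt[i % 16:i % 16 + 1])
    for bit in bin(len(pw))[:1:-1]:  # bits of len(pw), least significant first
        ctx.update(b"\x00" if bit == "1" else pw[:1])
    final = ctx.digest()
    for i in range(1000):
        h = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out += ITOA64[v & 0x3F]
            v >>= 6
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return "$1$" + s.decode() + "$" + out

def verify_auth(auth_value: str, password: str) -> bool:
    # Checks one "auth:" value. Existing MD5-PW mntners keep authenticating;
    # BCRYPT-PW needs the third-party "bcrypt" package (assumed installed).
    scheme, _, stored = auth_value.partition(" ")
    if scheme == "MD5-PW" and stored.startswith("$1$"):
        return secrets.compare_digest(md5crypt(password, stored.split("$")[2]), stored)
    if scheme == "BCRYPT-PW":
        import bcrypt
        return bcrypt.checkpw(password.encode(), stored.encode())
    return False  # CRYPT-PW (DES crypt) verification is left out of this example

def new_auth(password: str, scheme: str = "BCRYPT-PW") -> str:
    if scheme not in ALLOWED_NEW:
        raise ValueError(f"{scheme} is deprecated for new passwords; use BCRYPT-PW")
    import bcrypt  # cost 12 means 2**12 rounds and can be raised later
    return "BCRYPT-PW " + bcrypt.hashpw(password.encode(), bcrypt.gensalt(12)).decode()
```

`new_auth("s3cret", "MD5-PW")` raises, while `verify_auth("MD5-PW $1$...", "s3cret")` on an existing object still succeeds, which is exactly the "verify-only" state the proposal puts CRYPT and MD5 into.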
