<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Dear WG members,<br>
<br>
The WHOIS currently allows 4 different ways to authenticate a
maintainer:<br>
<ol>
<li>CRYPT-PW</li>
<li>MD5-PW</li>
<li>PGP</li>
<li>X509</li>
</ol>
Crypt is today completely obsolete and can be cracked by almost any
computer. The MD5-hashed passwords are salted, which prevents the
use of pre-computed lookup tables but with the hash and the salt, it
is not impossible to retrieve the password. There are databases
with billions of pre-computed MD5 entries available on the
Internet for free.<br>
<br>
96% of the mntner objects in the WHOIS DB use an MD5-hashed password
and 2.4% still use CRYPT, which makes them vulnerable even if they
also have a PGP or X509 authentication because the WHOIS will accept
both authentication methods.<br>
<br>
The idea here is to deprecate both CRYPT and MD5. Any MD5 or
CRYPT-protected mntner object will still be allowed to authenticate
using these schemes but they will not be available anymore to create
a new password. In the meantime, we suggest adding a new method,
BCRYPT-PW, which uses the more secure bcrypt algorithm with a high
number of rounds. bcrypt is secure, resistant to rainbow table
attacks and to brute-force attacks. For more information on Bcrypt,
please read <a class="moz-txt-link-freetext" href="https://en.wikipedia.org/wiki/Bcrypt">https://en.wikipedia.org/wiki/Bcrypt</a>.<br>
<br>
This would at least provide a better algorithm for new mntner objects
and for those that want to update their existing mntner objects. It
does not however force people to update them. There are solutions
for that (inviting people to update their objects/lock the mntner
that have not been updated past a certain date/etc.) but I would
like to have your feedback first.<br>
<br>
Regards,<br>
Michel<br>
<br>
<br>
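As an added illustration (not code from this proposal nor from the RIPE database software), the check below applies the deprecation rule described above to RPSL mntner objects: it flags objects that still carry a CRYPT-PW or MD5-PW line, and refuses any such line that is new in an update while keeping lines already stored. The object contents, key ids and hash strings are constructed placeholders.<br>

```python
import re
from typing import List, Set

# Constructed RPSL mntner objects; hash strings and key ids are placeholders,
# not real digests or keys.
EXISTING_MNTNER = """\
mntner:  EXAMPLE-MNT
auth:    MD5-PW $1$SaltSalt$PLACEHOLDERHASHVALUE0000
auth:    PGPKEY-0000AAAA
source:  RIPE
"""

# The same object as submitted for update: keeps the stored MD5-PW line,
# adds a new CRYPT-PW line (must be refused) and a BCRYPT-PW line (allowed).
UPDATED_MNTNER = """\
mntner:  EXAMPLE-MNT
auth:    MD5-PW $1$SaltSalt$PLACEHOLDERHASHVALUE0000
auth:    CRYPT-PW aaPLACEHOLDR
auth:    BCRYPT-PW $2b$12$PLACEHOLDERSALTANDHASHVALUE0000000000000000000000
auth:    PGPKEY-0000AAAA
source:  RIPE
"""

# Legacy schemes: still honoured when already present, never newly set.
DEPRECATED = {"CRYPT-PW", "MD5-PW"}


def auth_values(obj: str) -> List[str]:
    """Values of every 'auth:' attribute, with internal whitespace collapsed."""
    values = []
    for line in obj.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "auth":
            values.append(re.sub(r"\s+", " ", value.strip()))
    return values


def scheme(auth: str) -> str:
    """Scheme name of one auth value: CRYPT-PW, MD5-PW, BCRYPT-PW, PGPKEY or X509."""
    head = auth.split()[0].upper()
    return head if head.endswith("-PW") else head.split("-")[0]


def weak_schemes(obj: str) -> Set[str]:
    """Deprecated schemes present on the object. Any one of them is enough to
    authenticate, so a PGP or X509 line alongside does not remove the exposure."""
    return {scheme(a) for a in auth_values(obj) if scheme(a) in DEPRECATED}


def rejected_auth(existing: str, update: str) -> List[str]:
    """Auth lines in the update that the proposal would refuse: any CRYPT-PW or
    MD5-PW value that is not already present verbatim on the stored object."""
    kept = set(auth_values(existing))
    return [a for a in auth_values(update)
            if scheme(a) in DEPRECATED and a not in kept]
```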
</body>
</html>