[db-wg] Hiding MD5 hashes from users, was MD5 Hashes in the database

David,

On Tue, 2011-11-08 at 09:38 +0000, David Freedman wrote:
> Until we can stop it being used completely, I'd like the hashes
> removed from the database, since they are sitting out there
> waiting to be bruteforced, at which point somebody takes malicious
> control of the resources protected by your mntner.
>
> I understand the challenge of hiding the field from display is that it
> must be present when changing or deleting objects , but
> since it only appears to be in mntners, I'm sure an exception could be
> made, considering the seriousness of this.

So this smaller problem statement is that we have the crypted versions
of the passwords visible for all to see/hack.

Note that while these passwords are not visible in the downloaded
versions of the maintainer files, it is straightforward to convert those
maintainer identifiers into WHOIS queries and get the passwords (it only
takes a few weeks, even from a single rate-limited IP address). Even if
we hide the maintainer files completely, it will still be possible to
get a list of "interesting" maintainers from the actual number
assignments, since each of those has a maintainer.

So, yes, visible passwords are a problem.

I support filtering mntner objects so that MD5-PW strings are hidden:

auth:           MD5-PW # password filtered for security

I agree that if it causes problems with updates to mntner objects, that
this can be resolved somehow, through the magic of software. 

--
Shane