This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/db-wg@ripe.net/
[db-wg] Hiding MD5 hashes from users, was MD5 Hashes in the database
Shane Kerr
shane at time-travellers.org
Tue Nov 8 12:49:51 CET 2011
David,

On Tue, 2011-11-08 at 09:38 +0000, David Freedman wrote:
> Until we can stop it being used completely, I'd like the hashes
> removed from the database, since they are sitting out there
> waiting to be bruteforced, at which point somebody takes malicious
> control of the resources protected by your mntner.
>
> I understand the challenge of hiding the field from display is that it
> must be present when changing or deleting objects, but
> since it only appears to be in mntners, I'm sure an exception could be
> made, considering the seriousness of this.

So this smaller problem statement is that we have the crypted versions
of the passwords visible for all to see/hack.

Note that while these passwords are not visible in the downloaded
versions of the maintainer files, it is straightforward to convert those
maintainer identifiers into WHOIS queries and get the passwords (it only
takes a few weeks, even from a single rate-limited IP address).

Even if we hide the maintainer files completely, it will still be
possible to get a list of "interesting" maintainers from the actual
number assignments, since each of those has a maintainer.

So, yes, visible passwords are a problem.

I support filtering mntner objects so that MD5-PW strings are hidden:

auth: MD5-PW # password filtered for security

I agree that if it causes problems with updates to mntner objects, that
this can be resolved somehow, through the magic of software.

--
Shane
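One way to implement the filtering proposed in the message, as an added example that is not part of the original e-mail or of the RIPE Database software. The object, its placeholder hashes and the function names are constructed; the sketch assumes RPSL conventions (case-insensitive attribute names, continuation lines beginning with a space, tab or `+`) so that a hash pushed onto a continuation line is also removed.

```python
# Replacement value taken from the message; everything else is constructed.
FILTERED = "MD5-PW # password filtered for security"
CONTINUATION = (" ", "\t", "+")

# Constructed sample mntner; the hashes are placeholders, not real values.
SAMPLE_MNTNER = """\
mntner:         EXAMPLE-MNT
descr:          Constructed maintainer for illustration
admin-c:        EX1-TEST
auth:           MD5-PW $1$CONSTRCT$0000000000000000000000
auth:           PGPKEY-00000000
Auth:           md5-pw
+               $1$CONSTRCT$1111111111111111111111
mnt-by:         EXAMPLE-MNT
source:         TEST
"""


def split_attributes(text):
    """Group physical lines into attributes, attaching continuation lines."""
    attrs = []
    for line in text.splitlines():
        if line[:1] in CONTINUATION and attrs:
            attrs[-1].append(line)
        else:
            attrs.append([line])
    return attrs


def filter_mntner(text):
    """Return the object with every MD5-PW auth value replaced by FILTERED."""
    out = []
    for lines in split_attributes(text):
        name, sep, value = lines[0].partition(":")
        if sep and name.strip().lower() == "auth":
            # Fold continuations (minus the marker character) before checking
            # the scheme, so a hash on a continuation line cannot leak.
            folded = " ".join([value] + [l[1:] for l in lines[1:]]).split()
            if folded and folded[0].upper() == "MD5-PW":
                out.append("auth:".ljust(16) + FILTERED)
                continue
        out.extend(lines)  # non-auth attributes and other auth schemes pass through
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(filter_mntner(SAMPLE_MNTNER), end="")
```

Applying the filter only on the query/display path leaves the stored object intact, which is the update problem the message refers to: a client that fetches the filtered object and resubmits it would otherwise overwrite the real hash with the placeholder.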