This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/db-wg@ripe.net/
[db-wg] Disallowing MD5 passwords in e-mail updates, was MD5 Hashes in the database
- Previous message (by thread): [db-wg] Disallowing MD5 passwords in e-mail updates, was MD5 Hashes in the database
- Next message (by thread): [db-wg] Disallowing MD5 passwords in e-mail updates, was MD5 Hashes in the database
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
virtu virtualabs
virtualabs at gmail.com
Tue Nov 8 15:01:45 CET 2011
That would mean RIPE NCC did not do anything while people has been aware of this fact since 2 years ? On Tue, Nov 8, 2011 at 1:42 PM, Micha Borrmann <ripe at syss.de> wrote: > Am 08.11.2011 13:14, schrieb virtu virtualabs: > > > I agree the fact that grabbing all the existing maintainers hashes is > > completely feasible since I did it during previous days (in order to > > assess their strength, not to disclose them). I made some tests with the > > help of a friend of mine, and we recovered at least 4% of these > > passwords only by testing a very popular wordlist (rockyou), and the > > recovery process is still running. > > > > We were amazed to see how many maintainers use weak passwords to protect > > their datas, sometimes using their alias as a password. Therefore, I > > totally agree with David and would ask that some constraints should be > > added while creating MD5(UNIX) hashes through RIPE's website dedicated > > page (https://apps.db.ripe.net/crypt/). This webpage is also recommended > > by ARIN and modifying the way passwords are hashed (and checked ?) > > should be better for both RIPE NCC and ARIN. > > > > Telling people not to use twice a generated hash could also help a bit > > more ;) > > > > My goal is not to recover every possible password from public hashes but > > just demonstrate that it does not follow currently best-practices in > > term of security. > > This is an old story for myself. It was reported by the german magazin > "DER SPIEGEL" two years ago > (http://www.spiegel.de/spiegel/print/d-65243798.html). > > > On Tue, Nov 8, 2011 at 12:58 PM, David Freedman > > <david.freedman at uk.clara.net <mailto:david.freedman at uk.clara.net>> > wrote: > > > > I don't mind it continuing to be used over encrypted channels, > > as long as the hashes are not available to the general public (as > > per your > > previous mail) > > > > I would support a warning phase > > > > Dave. > > > > > > > > On 08/11/2011 11:56, "Shane Kerr" <shane at time-travellers.org > > <mailto:shane at time-travellers.org>> wrote: > > > > >David, > > > > > >On Tue, 2011-11-08 at 09:38 +0000, David Freedman wrote: > > >> I'd like to see auth: MD5-PW deprecated , even though it seems to > be > > >> widely used (for various reasons) > > >> according to the report by DB presented to us. > > > > > >I propose that we deprecate passwords over unencrypted channels. > AFAIK > > >this just means e-mail today, although the web API stuff may also > > >provide an non-TLS option (I don't know). > > > > > >Unlike hiding MD5, this is a major change for users, and would need > to > > >be done with the same caution and preparation as similar large > changes > > >in the past. We could have a warning phase, where anyone using a > > >password in email would get a scary warning in the reply telling > > them to > > >use a more secure scheme (PGP, X.509, webupdates, or database web > API). > > >The RIPE NCC could identify heavy users and help them convert their > > >tools. And eventually we could flip the switch and turn off plain > text > > >passwords. > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: </ripe/mail/archives/db-wg/attachments/20111108/8e7f5df3/attachment.html>
- Previous message (by thread): [db-wg] Disallowing MD5 passwords in e-mail updates, was MD5 Hashes in the database
- Next message (by thread): [db-wg] Disallowing MD5 passwords in e-mail updates, was MD5 Hashes in the database
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ db-wg Archives ]