If you are interested, I can provide you with a list of maintainers who have weak passwords :)<div><br></div><div>As I said, there is a cracking job running on my side on the MD5(UNIX) hashes I grabbed earlier (by the way, I apologize if this raised some errors or security warnings ...). Once done, I could also provide you with exact figures regarding the number of cracked hashes.</div>
<div><br></div><div><br><div class="gmail_quote">On Tue, Nov 8, 2011 at 1:22 PM, Daniel Stolpe <span dir="ltr">&lt;<a href="mailto:stolpe@resilans.se">stolpe@resilans.se</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
I agree.<br>
<br>
And maybe someone should set up John the Ripper to crack some passwords and contact the holders of the weakest ones.<div><div class="h5"><br>
<br>
On Tue, 8 Nov 2011, David Freedman wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I don't mind it continuing to be used over encrypted channels,<br>
as long as the hashes are not available to the general public (as per your<br>
previous mail)<br>
<br>
I would support a warning phase<br>
<br>
Dave.<br>
<br>
<br>
<br>
On 08/11/2011 11:56, "Shane Kerr" &lt;<a href="mailto:shane@time-travellers.org" target="_blank">shane@time-travellers.org</a>&gt; wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
David,<br>
<br>
On Tue, 2011-11-08 at 09:38 +0000, David Freedman wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'd like to see auth: MD5-PW deprecated, even though it seems to be<br>
widely used (for various reasons)<br>
according to the report by DB presented to us.<br>
</blockquote>
<br>
I propose that we deprecate passwords over unencrypted channels. AFAIK<br>
this just means e-mail today, although the web API stuff may also<br>
provide a non-TLS option (I don't know).<br>
<br>
Unlike hiding MD5, this is a major change for users, and would need to<br>
be done with the same caution and preparation as similar large changes<br>
in the past. We could have a warning phase, where anyone using a<br>
password in email would get a scary warning in the reply telling them to<br>
use a more secure scheme (PGP, X.509, webupdates, or database web API).<br>
The RIPE NCC could identify heavy users and help them convert their<br>
tools. And eventually we could flip the switch and turn off plain text<br>
passwords.<br>
<br>
--<br>
Shane<br>
<br>
<br>
</blockquote>
<br>
<br>
<br>
</blockquote>
<br>
<br></div></div>
Daniel<br>
<br>
_________________________________________________________________________________<span class="HOEnZb"><font color="#888888"><br>
Daniel Stolpe Tel: 08 - 688 11 81 <a href="mailto:stolpe@resilans.se" target="_blank">stolpe@resilans.se</a><br>
Resilans AB Fax: 08 - 55 00 21 63 <a href="http://www.resilans.se/" target="_blank">http://www.resilans.se/</a><br>
Box 13 054 556741-1193<br>
103 02 Stockholm<br>
<br>
<br>
</font></span></blockquote></div><br></div>