CRYPT-PW Deprecation Project
To replace your old CRYPT-PW password, go to:
Table of Contents
3.1 Why have I received this e-mail?
3.2 I have forgotten my password. How do I recover it?
3.3 How do I update the RIPE Database?
3.4 Can I change my CRYPT-PW password to another authentication method?
3.5 What happens if I do nothing?
3.6 Can I keep the same password?
CRYPT-PW is an authentication method used in the "auth:" attributes of the maintainer and IRT objects. It relies on a method that originates from early UNIX systems. Currently, an average personal computer is capable of quickly and successfully cracking a CRYPT-PW encrypted password.
The RIPE Database is therefore vulnerable to these attacks. The protection provided by the CRYPT-PW authentication method is no longer considered to be adequate.
A discussion on this topic was held on the RIPE Database Working Group mailing list.
Some users thought that MD5-PW (the other password-based authentication used by the RIPE Database) is also vulnerable. It was suggested that a way to hide the encrypted password fields should be found. It was also recommended that all password-based authentications are deprecated in favour of PGP keys and X.509 certificates.
The CRYPT-PW project only deals with the deprecation of CRYPT-PW encrypted passwords.
The full discussion is available at:
At RIPE 53, the Database Working Group concluded that CRYPT-PW will be deprecated.
If you are interested in the decision-making process of the RIPE Database Working Group, you can join its mailing list.
To change your CRYPT-PW encrypted passwords to MD5-PW encrypted passwords follow the instructions at:
This can also be done manually by modifying your maintainer or IRT objects in the database.
The purpose of Phase 1 is to tell users about the upcoming change. No changes will be enforced in the RIPE Database during this phase. You can modify your maintainer or IRT objects from this date on.
Note: The notifications will be sent on Thursday, 30 November 2006.
Phase 2 is intended as a transition period for users to become accustomed to the new conditions. The transition period will run from Wednesday, 10 January 2007 until Wednesday, 21 February 2007.
During this period the following will apply:
- Any modification to a maintainer or IRT object that adds a new CRYPT-PW authentication will be rejected
- Any modification to a maintainer or IRT object that attempts to replace a CRYPT-PW with another CRYPT-PW will be rejected
- Any object creations that include a CRYPT-PW authentication will be rejected
- The RIPE Database will add a warning to the acknowledgement message if CRYPT-PW is used during authentication
- The RIPE Database will add a warning to the acknowledgement message if a modified maintainer or IRT object still contains existing CRYPT-PW authentication
A reminder e-mail will be sent at the end of the Phase 2 to all users who have not replaced their CRYPT-PW authentication with an alternative method.
Note: These changes will not take effect before Wednesday, 10 January 2007.
During this phase you can still use your existing password to authenticate any changes to your existing objects in the RIPE Database. This will not interrupt your work processes at this phase.
After the Phase 2 transition period, Phase 3 will remove CRYPT-PW support from the RIPE Database. On Wednesday, 21 February 2007, the following changes will apply:
- CRYPT-PW will be removed from the syntax and as an authentication option
- CRYPT-PW "auth:" attributes will be removed from maintainer and IRT objects
If a maintainer or IRT object has another authentication method besides CRYPT-PW, the "auth:" attributes containing CRYPT-PW will be changed to "remarks:" attributes. The following extra "remarks:" attributes will be added:
remarks: Your object was modified due to CRYPT-PW deprecation
remarks: See http://www.ripe.net/db/support/security/crypt-pw_deprecation/ for details
If a maintainer or IRT object still has only CRYPT-PW authentication on Wednesday, 21 February 2007 the "auth:" attributes will be changed to "remarks:" attributes. A new "auth:" attribute will be added with a randomly generated MD5-PW authenticated password. This will lock your object preventing further changes until you change this password.
It will still be possible to set a new MD5-PW password by using one of the old CRYPT-PW passwords and following the instructions at:
A notification of this change will be sent to all users who have not changed their CRYPT-PW to another method of authentication.
Note: These changes will not take effect before Wednesday, 21 February 2007.
If you have not made the changes by this date, there may interruption to your work processes until you make the authentication changes necessary to unlock your objects.
At the end of the CRYPT-PW deprecation project the web form will still be available for three years at:
You can use it to replace your removed CRYPT-PW passwords with MD5-PW.
You can request assistance by sending an e-mail to: ripe-dbm _at_ ripe _dot_ net
You have received a notification because your e-mail address was given as a contact address for a company’s Internet-related matters. If you are not the right person to receive this notification please forward it to the appropriate colleague.
To recover your lost or forgotten password you must go through the standard recovery procedure.
You can update your details in the RIPE Database by following the 'RIPE Database Getting Started' manual.
Yes, you can also use PGP or X.509. You can change your authentication from CRYPT-PW directly to one of these. You do not need to change it to MD5-PW.
More information on these alternative methods:
You can still work uninterrupted until 21 February 2007. After that date your objects will be locked if you only have CRYPT-PW authentication.
If you currently have other forms of authentication as well as CRYPT-PW, only your CRYPT-PW passwords will become ineffective after that date. Your other authentication methods will not be changed.
Yes, you can encrypt your current CRYPT-PW password with the MD5-PW encyption method.
This may be a good moment to change your password if you have had the same one for a long time.
Thursday, 30 November 2006
Wednesday, 10 January 2007
Reject new CRYPT-PW
Wednesday, 21 February 2007
Remove CRYPT-PW from RIPE Database