[db-wg] Disallowing MD5 passwords in e-mail updates, was MD5 Hashes in the database
virtu virtualabs
virtualabs at gmail.com
Tue Nov 8 13:26:54 CET 2011
If you are interested, I can provide you with a list of maintainers which
have weak passwords :)

As I said, there is a cracking job running on my side on the MD5(UNIX)
hashes I grabbed earlier (by the way I apologize if this raised some errors
or security warnings ...). Once done I also could provide you with exact
figures regarding number of cracked hashes.

On Tue, Nov 8, 2011 at 1:22 PM, Daniel Stolpe <stolpe at resilans.se> wrote:

> I agree.
>
> And maybe someone should set up john the ripper to crack some passwords
> and contact the holders of the weakest ones.
>
> On Tue, 8 Nov 2011, David Freedman wrote:
>
>> I don't mind it continuing to be used over encrypted channels,
>> as long as the hashes are not available to the general public (as per your
>> previous mail)
>>
>> I would support a warning phase
>>
>> Dave.
>>
>> On 08/11/2011 11:56, "Shane Kerr" <shane at time-travellers.org> wrote:
>>
>>> David,
>>>
>>> On Tue, 2011-11-08 at 09:38 +0000, David Freedman wrote:
>>>
>>>> I'd like to see auth: MD5-PW deprecated, even though it seems to be
>>>> widely used (for various reasons)
>>>> according to the report by DB presented to us.
>>>
>>> I propose that we deprecate passwords over unencrypted channels. AFAIK
>>> this just means e-mail today, although the web API stuff may also
>>> provide a non-TLS option (I don't know).
>>>
>>> Unlike hiding MD5, this is a major change for users, and would need to
>>> be done with the same caution and preparation as similar large changes
>>> in the past. We could have a warning phase, where anyone using a
>>> password in email would get a scary warning in the reply telling them to
>>> use a more secure scheme (PGP, X.509, webupdates, or database web API).
>>> The RIPE NCC could identify heavy users and help them convert their
>>> tools. And eventually we could flip the switch and turn off plain text
>>> passwords.
>>>
>>> --
>>> Shane
>
> Daniel
>
> _________________________________________________________________
> Daniel Stolpe           Tel: 08 - 688 11 81
> stolpe at resilans.se
> Resilans AB             Fax: 08 - 55 00 21 63
> http://www.resilans.se/
> Box 13 054
> 556741-1193
> 103 02 Stockholm