[db-wg] Disallowing MD5 passwords in e-mail updates, was MD5 Hashes in the database
David Freedman
david.freedman at uk.clara.net
Tue Nov 8 12:58:48 CET 2011
I don't mind it continuing to be used over encrypted channels, as long as
the hashes are not available to the general public (as per your previous mail).

I would support a warning phase.

Dave.

On 08/11/2011 11:56, "Shane Kerr" <shane at time-travellers.org> wrote:

>David,
>
>On Tue, 2011-11-08 at 09:38 +0000, David Freedman wrote:
>> I'd like to see auth: MD5-PW deprecated, even though it seems to be
>> widely used (for various reasons)
>> according to the report by DB presented to us.
>
>I propose that we deprecate passwords over unencrypted channels. AFAIK
>this just means e-mail today, although the web API stuff may also
>provide a non-TLS option (I don't know).
>
>Unlike hiding MD5, this is a major change for users, and would need to
>be done with the same caution and preparation as similar large changes
>in the past. We could have a warning phase, where anyone using a
>password in email would get a scary warning in the reply telling them to
>use a more secure scheme (PGP, X.509, webupdates, or database web API).
>The RIPE NCC could identify heavy users and help them convert their
>tools. And eventually we could flip the switch and turn off plain text
>passwords.
>
>--
>Shane
>
>