[db-wg] Disallowing MD5 passwords in e-mail updates, was MD5 Hashes in the database
virtu virtualabs
virtualabs at gmail.com
Tue Nov 8 15:01:45 CET 2011
That would mean RIPE NCC did not do anything while people have been aware of this fact for 2 years?

On Tue, Nov 8, 2011 at 1:42 PM, Micha Borrmann <ripe at syss.de> wrote:
> On 08.11.2011 13:14, virtu virtualabs wrote:
>
> > I agree with the fact that grabbing all the existing maintainers' hashes is
> > completely feasible since I did it during previous days (in order to
> > assess their strength, not to disclose them). I made some tests with the
> > help of a friend of mine, and we recovered at least 4% of these
> > passwords only by testing a very popular wordlist (rockyou), and the
> > recovery process is still running.
> >
> > We were amazed to see how many maintainers use weak passwords to protect
> > their data, sometimes using their alias as a password. Therefore, I
> > totally agree with David and would ask that some constraints should be
> > added while creating MD5(UNIX) hashes through RIPE's website dedicated
> > page (https://apps.db.ripe.net/crypt/). This webpage is also recommended
> > by ARIN and modifying the way passwords are hashed (and checked?)
> > should be better for both RIPE NCC and ARIN.
> >
> > Telling people not to use a generated hash twice could also help a bit
> > more ;)
> >
> > My goal is not to recover every possible password from public hashes but
> > just to demonstrate that it does not currently follow best practices in
> > terms of security.
>
> This is an old story for myself. It was reported by the German magazine
> "DER SPIEGEL" two years ago
> (http://www.spiegel.de/spiegel/print/d-65243798.html).
>
> > On Tue, Nov 8, 2011 at 12:58 PM, David Freedman
> > <david.freedman at uk.clara.net> wrote:
> >
> > > I don't mind it continuing to be used over encrypted channels,
> > > as long as the hashes are not available to the general public (as
> > > per your previous mail)
> > >
> > > I would support a warning phase
> > >
> > > Dave.
> > >
> > > On 08/11/2011 11:56, "Shane Kerr" <shane at time-travellers.org> wrote:
> > >
> > > > David,
> > > >
> > > > On Tue, 2011-11-08 at 09:38 +0000, David Freedman wrote:
> > > > > I'd like to see auth: MD5-PW deprecated, even though it seems to be
> > > > > widely used (for various reasons)
> > > > > according to the report by DB presented to us.
> > > >
> > > > I propose that we deprecate passwords over unencrypted channels. AFAIK
> > > > this just means e-mail today, although the web API stuff may also
> > > > provide a non-TLS option (I don't know).
> > > >
> > > > Unlike hiding MD5, this is a major change for users, and would need to
> > > > be done with the same caution and preparation as similar large changes
> > > > in the past. We could have a warning phase, where anyone using a
> > > > password in email would get a scary warning in the reply telling them to
> > > > use a more secure scheme (PGP, X.509, webupdates, or database web API).
> > > > The RIPE NCC could identify heavy users and help them convert their
> > > > tools. And eventually we could flip the switch and turn off plain text
> > > > passwords.
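An added example for this thread (not RIPE NCC code) of what the "warning phase" auto-responder and the "don't use a generated hash twice" advice above would look like as a check: it parses a constructed e-mail update, flags a cleartext password: line, flags mntner objects whose only auth: method is MD5-PW, and flags one md5crypt hash pasted into several maintainers. The object names and the hash value are constructed placeholders; the MD5-PW, PGPKEY- and X509- prefixes are those used in the RIPE Database auth: attribute.

```python
# Constructed sample (not from the thread): a cleartext "password:" line
# and two mntner objects whose auth: attributes share one md5crypt hash.
SAMPLE_UPDATE = """\
password: hunter2

mntner:   EXAMPLE1-MNT
auth:     MD5-PW $1$saltsalt$AbCdEfGhIjKlMnOpQrStUv
auth:     PGPKEY-0123ABCD
source:   RIPE

mntner:   EXAMPLE2-MNT
auth:     MD5-PW $1$saltsalt$AbCdEfGhIjKlMnOpQrStUv
source:   RIPE
"""
STRONG_SCHEMES = ("PGPKEY-", "X509-")  # auth: schemes that carry no password

def parse_update(text):
    """Return (cleartext password: values, {mntner name: [auth: values]})."""
    passwords, mntners, current = [], {}, None
    for line in text.splitlines():
        if ":" not in line:                # a blank line ends the current object
            current = None if not line.strip() else current
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "password":
            passwords.append(value)
        elif key == "mntner":
            current = value
            mntners.setdefault(current, [])
        elif key == "auth" and current is not None:
            mntners[current].append(value)
    return passwords, mntners

def audit_update(text):
    """Findings a 'warning phase' auto-responder could append to its reply."""
    passwords, mntners = parse_update(text)
    findings, seen = [], {}
    if passwords:
        findings.append("cleartext password sent over e-mail; use PGP, X.509 or webupdates")
    for name, auths in mntners.items():
        hashes = [a.split(None, 1)[1] for a in auths if a.startswith("MD5-PW ")]
        for h in hashes:
            seen.setdefault(h, []).append(name)
        if hashes and not any(a.startswith(STRONG_SCHEMES) for a in auths):
            findings.append(f"{name}: MD5-PW is the only auth method")
    for h, names in seen.items():
        if len(names) > 1:                 # one recovered password opens all of them
            findings.append("MD5-PW hash reused by " + ", ".join(sorted(names)))
    return findings
```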