Dear Database Working Group Members,

Shane, Chris, Daniel - thanks for your proposals.

As I understand the proposals, it is technically possible to force users to change their passwords or to encourage them to use a stronger authentication method. Also, there seems to be resistance to migrating the hashing algorithm.

On the other hand, I am concerned that MD5 hashes are prone to collision attacks from a security perspective. MD5 is obsolete now. It is recommended instead to use another cryptographic hashing algorithm to encrypt passwords.

Now, as Shane stated in his interesting post, long transition times don't really make much difference, and the situation can be fixed with a workaround by advocating XX days to fix the credentials by showing a warning in whois output. But this doesn't affect the hashing algorithm, which is prone to collision attacks.

What are members' views on this?

Regards,

On 5/21/15, Daniel Suchy <danny@danysek.cz> wrote:
> On 20.5.2015 20:29, Christiaan Ottow wrote:
>> I agree, but does somebody see what impact it has to lock the maintainers that don't update their passwords? How do we get them out of the locked state again?
>
> There's a procedure for lost MNTNER password recovery; I think this is enough even for these cases... :-)
>
> https://apps.db.ripe.net/change-auth/#/
> -Daniel
-- Pierre Kim pierre.kim.sec@gmail.com @PierreKimSec https://pierrekim.github.io/
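The thread contrasts two options: forcing a password change, or migrating the stored hashing algorithm. The two are not mutually exclusive, and the following added example (written for this page; it is not RIPE Database code, and the "MD5-PW" layout used here is a stand-in, not the real RIPE MD5-PW attribute format) shows the usual way a service migrates stored hashes without asking anyone to pick a new password: the stored MD5 hash cannot be converted offline, but each time a maintainer authenticates, the plaintext is briefly available, so the record is verified against the legacy hash and immediately rewritten with a slow, salted PBKDF2-HMAC-SHA256 hash. The iteration count and the record layout are assumptions. Maintainers who never log in before the "XX days" deadline are exactly the ones that remain on MD5, which is why the deadline-and-warning part of the discussion is still needed on top of the upgrade-on-login step.

```python
"""Opportunistic re-hashing on login (added example, not RIPE Database code).

Legacy scheme below: MD5 over salt||password, hex encoded. This is an
assumed stand-in for illustration and is NOT the real RIPE MD5-PW format.
Modern scheme: PBKDF2-HMAC-SHA256 with a random 16-byte salt (assumption:
iteration count chosen as a placeholder budget).
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 200_000  # assumption; tune to the server's CPU budget


def legacy_md5_hash(password: str, salt: bytes) -> str:
    """Stand-in legacy credential: 'MD5-PW <salt-hex>$<md5-hex>'.
    MD5 is fast and unsalted schemes are trivially brute-forced; this
    function exists only to produce test records to migrate away from."""
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return "MD5-PW " + salt.hex() + "$" + digest


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Modern credential: 'PBKDF2-SHA256 <iters>$<salt-hex>$<dk-hex>'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per credential
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"PBKDF2-SHA256 {iterations}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either scheme; unknown schemes are refused."""
    scheme, _, rest = stored.partition(" ")
    if scheme == "MD5-PW":
        salt_hex, _, digest = rest.partition("$")
        candidate = hashlib.md5(bytes.fromhex(salt_hex)
                                + password.encode()).hexdigest()
        # compare_digest avoids leaking the match length via timing
        return hmac.compare_digest(candidate, digest)
    if scheme == "PBKDF2-SHA256":
        iters, salt_hex, digest = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), digest)
    return False


def needs_upgrade(stored: str) -> bool:
    """True for any credential not yet on the modern scheme."""
    return not stored.startswith("PBKDF2-SHA256 ")


def authenticate(records: Dict[str, str], mntner: str, password: str) -> bool:
    """Authenticate a maintainer and, if the record was verified against a
    legacy hash, rewrite it with the modern hash in place. This is the only
    moment the plaintext is available, so it is the only moment the stored
    algorithm can change without the user choosing a new password."""
    stored = records.get(mntner)
    if stored is None or not verify(stored, password):
        return False
    if needs_upgrade(stored):
        records[mntner] = pbkdf2_hash(password)
    return True


def legacy_maintainers(records: Dict[str, str]) -> List[str]:
    """Maintainers still on the legacy hash: the population that would get
    the whois warning and, after the deadline, the lock-out."""
    return sorted(m for m, h in records.items() if needs_upgrade(h))


if __name__ == "__main__":
    # Constructed sample records (not real maintainers or credentials).
    db = {
        "EXAMPLE-MNT": legacy_md5_hash("hunter2", bytes(8)),
        "OTHER-MNT": pbkdf2_hash("s3cret"),
    }
    print("before:", legacy_maintainers(db))
    print("login ok:", authenticate(db, "EXAMPLE-MNT", "hunter2"))
    print("after:", legacy_maintainers(db))
```

A failed login leaves the legacy record untouched, so an attacker guessing passwords cannot trigger the rewrite; a successful login with the correct password replaces the MD5 record before the response is returned, and the `legacy_maintainers` report shrinks accordingly over the transition window.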