Dear working group,

The RIPE NCC has been working together with the chairs on an initial implementation plan to deal with this issue. In a nutshell we will encourage (and facilitate) users to update their old passwords or migrate to SSO or PGP starting 29 June, before removing these passwords altogether on 13 July.

Regardless of whether the password hashes will be disclosed after the 90 days disclosure period that was communicated to us earlier, we feel that we cannot postpone this given the public exposure this problem has recently had in this working group.

The working group is of course more than welcome to discuss further enhancements in addition to these measures, such as: changing the hashing algorithm, password ageing, or even deprecating passwords altogether. And if and when consensus is reached on any of those issues, we can plan an implementation.

The plan in more detail:

1) Encourage users to update their passwords

a) Facilitate updating passwords

We will deploy a simple web form next week that allows a user to update an existing password simply by entering the maintainer, the old password, and the new password (twice to catch typos). While it is technically possible to achieve this using web updates today, it's sufficiently involved to discourage most users of the database.

b) Encourage users to use more secure authentication mechanisms

We have updated the documentation with recommendations on which authentication mechanism to use. In short we encourage the use of SSO accounts for web updates, and PGP signing for sync and mail updates:

https://www.ripe.net/manage-ips-and-asns/db/support/security/protecting-data

c) Alert active maintainers

On Monday 29 June we will send out warning emails to active maintainers (used to create or update objects during the last 12 months) that have old, pre November 2011, passwords. We will explain the situation and encourage these maintainers to update their passwords using the tool above, or start using PGP or SSO instead as described in the documentation.

d) Alert other users

We will also send out a general announcement about this issue.

2) Remove old passwords

We will remove ALL old passwords on Monday 13 July.

Note that we do not plan to contact inactive maintainers individually beforehand, or send notifications about this change. Instead we will include a remark in these maintainers explaining why these maintainers were locked and refer to the "forgot mntner password process":

https://apps.db.ripe.net/change-auth

The reason for this is simple. We are simply not able to handle the additional load of supporting password resets for 20,000 inactive maintainers. We can and will, however, deal with access recovery requests for these maintainers as needed.

Kind regards,

Tim Bruijnzeels
Assistant Manager Software Engineering
RIPE NCC
On 16 Jun 2015, at 22:46, Pierre Kim <pierre.kim.sec@gmail.com> wrote:
Dear Database Working Group Members,
Shane, Chris, Daniel - thanks for your proposals. From my understanding of the proposals, it is technically possible to force users to change their passwords or to encourage them to use a stronger authentication method. Also, there seems to be resistance to migrating the hashing algorithm.
On the other hand, I am concerned that MD5 hashes are prone to collision attacks from a security perspective. MD5 is obsolete now. It is rather recommended to use another cryptographic hashing algorithm to encrypt passwords.
Now, as Shane stated in his interesting post, long transition times don't really make much difference and the situation can be fixed with a workaround by advocating XX days to fix the credentials by showing a warning in whois output. But this doesn't affect the hashing algorithm which is prone to collision attacks.
What are members' views on this?
Regards,
On 5/21/15, Daniel Suchy <danny@danysek.cz> wrote:
On 20.5.2015 20:29, Christiaan Ottow wrote:
I agree, but does somebody see what impact it has to lock the maintainers that don’t update their passwords? How do we get them out of the locked state again?
There's a procedure for lost MNTNER password recovery, I think this is enough even for these cases... :-)
https://apps.db.ripe.net/change-auth/#/
-Daniel
-- Pierre Kim pierre.kim.sec@gmail.com @PierreKimSec https://pierrekim.github.io/
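The password-transition plan in Tim's message (warn active maintainers, lock inactive ones, remove old MD5-PW passwords on 13 July) and Pierre's point about replacing MD5, as an added Python example that is not from this thread or from the RIPE NCC: it triages constructed mntner records, implements the update-form logic, and goes beyond the plan by storing the updated password as PBKDF2-HMAC-SHA256 instead of MD5. The pw_set field, the verify_old hook and all sample values are assumptions made for the example.

```python
import hashlib, hmac, os
from datetime import date, timedelta

CUTOFF = date(2011, 11, 1)           # "pre November 2011" passwords count as old
ACTIVE_WINDOW = timedelta(days=365)  # "used to create or update objects during the last 12 months"
RECOVERY_URL = "https://apps.db.ripe.net/change-auth"

# Constructed sample mntner records, not real RIPE data. "pw_set" is an assumed
# stand-in for whatever metadata dates a password; MD5-PW values are placeholders.
MAINTAINERS = [
    {"mntner": "ACTIVE-OLD-MNT", "auth": ["MD5-PW $1$PLACEHOLDER$old"],
     "pw_set": date(2009, 5, 1), "last_update": date(2015, 5, 20)},
    {"mntner": "INACTIVE-OLD-MNT", "auth": ["MD5-PW $1$PLACEHOLDER$old"],
     "pw_set": date(2008, 1, 9), "last_update": date(2012, 2, 2)},
]

def has_old_md5(m):
    return any(a.startswith("MD5-PW ") for a in m["auth"]) and m["pw_set"] < CUTOFF

def triage(m, today):
    """Steps 1c and 2: warn active maintainers with old passwords; inactive ones get locked."""
    if not has_old_md5(m):
        return "ok"
    return "warn" if today - m["last_update"] <= ACTIVE_WINDOW else "lock"

def pbkdf2_hash(password, rounds=100_000, salt=None):
    salt = salt or os.urandom(16)    # per-password random salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"PBKDF2-SHA256${rounds}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password, stored):
    _, rounds, salt, dk = stored.split("$")
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), int(rounds))
    return hmac.compare_digest(cand.hex(), dk)   # constant-time comparison

def update_password(m, old_pw, new_pw, new_pw_again, verify_old, today):
    """Step 1a, the web form: maintainer, old password, new password twice.
    verify_old is an assumed hook for the existing MD5-PW check (not shown here)."""
    if new_pw != new_pw_again or not verify_old(m, old_pw):
        return False
    m["auth"] = [a for a in m["auth"] if not a.startswith("MD5-PW ")] + [pbkdf2_hash(new_pw)]
    m["pw_set"] = today
    return True

def remove_old_passwords(m, today):
    """Step 2: drop old MD5-PW lines; a mntner left with no auth is locked with a remark."""
    if has_old_md5(m):
        m["auth"] = [a for a in m["auth"] if not a.startswith("MD5-PW ")]
    locked = not m["auth"]
    if locked:
        m.setdefault("remarks", []).append(f"Locked on {today}: old password removed, see {RECOVERY_URL}")
    return locked
```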