Updated Migration Plan to Remove MD5 Hashed Passwords from the RIPE Database
Dear colleagues,

The RIPE NCC database team published an updated plan in January to deprecate MD5 hashed passwords by the end of 2025:
https://mailman.ripe.net/archives/list/db-wg@ripe.net/thread/NGCRQWJPF7MT24V...

Since then, we have been working towards this deadline:

* Added support for API key and OAuth 2.0 authentication
* Notified maintainers and removed inactive passwords in June (including any passwords not used since January 2024)
* Notified maintainers by email who are actively using passwords in July, September, October and November
* Added a warning to the database web query page that passwords are deprecated
* Added a warning to Whois update responses that passwords are deprecated

I presented at the DB-WG session at RIPE 91 that use of password authentication is still very high: 32% of all updates used password authentication, by about 150 maintainers. By last week, this has decreased to 17% of all updates by about 105 maintainers. There is still a risk that the database community may not be ready for the end of year deadline.

Taking this into consideration, I propose the following updated plan for the end of year deadline:

* At the beginning of January (e.g. Monday January 5th at midday CET), remove all passwords from the RIPE database, after notifying maintainers and the working group.
* Allow maintainers to add a password back to their maintainer if they still really need to use one (e.g. for operational reasons).
* In the following Whois release, around the end of January, remove support for passwords altogether, again after notifying maintainers and working group.

This gives us a rollback plan in case there are maintainers that need some extra time, and still allows us to follow through with deprecating passwords.

In the meantime, we will continue to monitor use of password authentication. We also want to hear from any maintainers who need assistance with the migration, we are happy to help.

Please let us know your questions or comments.

Regards
Ed Shryane
RIPE NCC
Hi Ed,

I think this is a good idea however I would advocate for pushing it back another 2-4 weeks, maybe February instead of January?

This is because the first step in your plan (on 2026-01-05) takes place as a fair number of people might still be on holiday (at least here in Sweden many are). Even if they aren't still on holiday that might be their first day back so they might not have had time to prepare.

-Cynthia
Hi Cynthia,
On 3 Dec 2025, at 16:12, Cynthia Revström <me@cynthia.re> wrote:

> Hi Ed,
>
> I think this is a good idea however I would advocate for pushing it back another 2-4 weeks, maybe February instead of January?
>
> This is because the first step in your plan (on 2026-01-05) takes place as a fair number of people might still be on holiday (at least here in Sweden many are). Even if they aren't still on holiday that might be their first day back so they might not have had time to prepare.

Thanks for letting me know. We need to balance removing password support in a timely fashion with not causing operational problems for our users.

How about moving the first step to Wednesday 14th January at midday? This gives operators more time, and mid-week rather than the beginning of a week.

To ensure the community is notified properly, in addition to notifying the DB-WG, we will also notify all maintainers with passwords beforehand, using all values in:

* mntner {notify, mnt-nfy, upd-to, e-mail} attribute values
* {notify, e-mail} attribute values in all tech-c references in all mntners

We can also start to send notifications earlier, i.e. before the break for Christmas and New Year.

Then also move the Whois release which removes password support into February. I don't want to delay this too long.

Regards
Ed Shryane
RIPE NCC
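The address selection described in the message above, as an added Python example that is not part of the original thread or RIPE NCC code: it finds mntner objects that still carry an `MD5-PW` auth line and collects the two attribute sets listed. The sample objects are constructed, the function names are hypothetical, and the parser is simplified (it ignores RPSL continuation lines).

```python
import re

# Constructed sample objects (not real RIPE Database data), blank-line separated.
SAMPLE = """\
mntner:   EXAMPLE-MNT
upd-to:   ops@example.net
mnt-nfy:  noc@example.net
tech-c:   EX1-TEST
auth:     MD5-PW # Filtered
auth:     SSO # Filtered

mntner:   KEYONLY-MNT
upd-to:   admin@example.org
auth:     PGPKEY-0123ABCD

role:     Example NOC
nic-hdl:  EX1-TEST
e-mail:   role@example.net
notify:   ops@example.net
"""

MNT_ATTRS = {"notify", "mnt-nfy", "upd-to", "e-mail"}  # first rule: mntner attributes
CONTACT_ATTRS = {"notify", "e-mail"}                   # second rule: tech-c objects

def parse_objects(text):
    """Split RPSL text into objects, each a list of (attribute, value) pairs."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = (line.partition(":") for line in block.splitlines())
        pairs = [(k.strip().lower(), v.split("#")[0].strip()) for k, sep, v in fields if sep]
        if pairs:
            objects.append(pairs)
    return objects

def password_notification_targets(text):
    """Map each mntner with an MD5-PW auth line to the addresses to notify."""
    objects = parse_objects(text)
    contacts = {dict(o).get("nic-hdl"): o for o in objects if o[0][0] in ("person", "role")}
    targets = {}
    for obj in objects:
        uses_md5 = any(k == "auth" and v.upper().startswith("MD5-PW") for k, v in obj)
        if obj[0][0] != "mntner" or not uses_md5:
            continue
        addrs = {v for k, v in obj if k in MNT_ATTRS}
        for handle in (v for k, v in obj if k == "tech-c"):
            addrs |= {v for k, v in contacts.get(handle, []) if k in CONTACT_ATTRS}
        targets[obj[0][1]] = sorted(addrs)  # de-duplicated, stable order
    return targets
```

Maintainers can run the same check over an export of their own objects to see which mntners still depend on a password and who would receive the notice.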
Hi Ed,

That sounds like a much better timeline. :)

Thanks for the update, I understand you don't want to delay it even further.

-Cynthia
Hi again,

I just realised that this will have an impact on LIM-MNT. What's the plan for future auth there?

-Cynthia
Hi Cynthia,
On 5 Dec 2025, at 13:00, Cynthia Revström <me@cynthia.re> wrote:

> Hi again,
>
> I just realised that this will have an impact on LIM-MNT. What's the plan for future auth there?
>
> -Cynthia

LIM-MNT depends on a well-known password. Can we depend on a well-known PGP or X.509 key instead? Is adding SSO accounts on request an option?

Regards
Ed Shryane
RIPE NCC
Participants (2): Cynthia Revström, Edward Shryane