|
Dear
Colleagues, Consequent
to the community’s request in
December 2012, the AFRINIC whois database
will no longer display hashes of MD5 and CRYPT encrypted
passwords in all mntner
(whois database) objects starting
17.12.2012 Currently,
majority of objects in the
AFRINIC whois database are protected by and authenticate through
a mechanism
that uses clear text passwords encrypted with the md5 algorithm
for
authentication. There are two major concerns with this method: · The
md5-hashed password has traditionally been visible in all mntner objects. This makes it vulnerable to
crackers, given that
computers these days are armed with more than enough processing
power to unhash
these passwords in a relatively short time. ·
When
performing a whois
database update,
plain text passwords are attached into the objects to be updated
and sent by
email to the whois
database. This
introduces a possibility for the password to be sniffed in case
there is no
form of encryption between the sender, recipient and their
relaying Mail
Transfer Agents. We have
implemented a filter in
the whois database
such that whois
queries do not display md5 and
crypt hashes again. This mitigates the potential for anyone to
run a script or
program that will crack those passwords, as they are no longer
visible. The new
procedure for updating and
deleting your mntner objects is published
at http://www.afrinic.net/en/library/news/793-new-mntner-object-format AFRINIC
encourages and recommends
the use of PGP for protecting your whois data. The procedure for
using PGP with
the AFRINIC whois database is available here. For
more information, comments or
assistance on this matter, please e-mail [email protected] or
contact us on +230 403 5100 Regards, AFRINIC |
_______________________________________________ announce mailing list [email protected] https://lists.afrinic.net/mailman/listinfo.cgi/announce
