Filtering MD5 and CRYPT password hashes in whois query output
Following the community's request in December 2012, the AFRINIC whois database will no longer display the MD5 and CRYPT hashes of passwords in any mntner (whois database) objects, starting 15.12.2012.
Currently, the majority of objects in the AFRINIC whois database are protected by a mechanism that authenticates with clear-text passwords hashed with the MD5 algorithm. There are two major concerns with this method:
- The MD5-hashed password has traditionally been visible in all mntner objects. This makes it vulnerable to cracking, given that computers these days have more than enough processing power to recover these passwords from their hashes in a relatively short time.
- When performing a whois database update, plain-text passwords are attached to the objects to be updated and sent by email to the whois database. This makes it possible for the password to be sniffed if there is no encryption between the sender, the recipient and their relaying Mail Transfer Agents.
We have implemented a filter in the whois database so that whois queries no longer display MD5 and CRYPT hashes. This mitigates the potential for anyone to run a script or program that will crack those passwords, as they are no longer visible.
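A sketch of the kind of output filter described above, added here as an example; it is not AFRINIC's own code. It assumes mntner objects carry their hashes on RPSL-style auth: lines with MD5-PW and CRYPT-PW scheme keywords; the "# Filtered" marker and the sample object are constructed for illustration.

```python
import re

# Assumption: password hashes appear as "auth: MD5-PW <hash>" or
# "auth: CRYPT-PW <hash>" (RPSL mntner convention; not shown on the page).
_AUTH_HASH = re.compile(
    r"^(?P<attr>auth:[ \t]*)(?P<scheme>MD5-PW|CRYPT-PW)[ \t]+(?P<hash>\S+).*$",
    re.IGNORECASE | re.MULTILINE,
)
FILTER_MARK = "# Filtered"  # assumed marker text

# Constructed sample object; the hash values are made up.
SAMPLE = """\
mntner:         EXAMPLE-MNT
descr:          Constructed sample maintainer
auth:           MD5-PW $1$abcdefgh$0123456789abcdefghijkl
auth:           CRYPT-PW ab0123456789A
auth:           PGPKEY-0123ABCD
source:         AFRINIC
"""


def filter_mntner(obj_text):
    """Return the object with hashes stripped from password auth: lines.

    The scheme keyword is kept so a reader can still see which
    authentication method the maintainer uses; PGP key references
    are not secrets and pass through unchanged.
    """
    return _AUTH_HASH.sub(
        lambda m: f"{m['attr']}{m['scheme'].upper()} {FILTER_MARK}", obj_text
    )


def exposed_hashes(obj_text):
    """Audit helper: list (scheme, hash) pairs still visible in the text."""
    return [
        (m["scheme"].upper(), m["hash"])
        for m in _AUTH_HASH.finditer(obj_text)
        if not m["hash"].startswith("#")  # skip lines already filtered
    ]


if __name__ == "__main__":
    print(filter_mntner(SAMPLE))
    print("still exposed:", exposed_hashes(filter_mntner(SAMPLE)))
```

Running exposed_hashes over saved query output is a quick way to confirm that no hash is still being returned.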
The new procedure for updating and deleting your mntner objects is published here.
AFRINIC encourages and recommends the use of PGP for protecting your whois data. The procedure for using PGP with the AFRINIC whois database is available here.