
Hi guys

I would like to offer some historical context here, as someone who worked on the crypt-pw deprecation many years (decades) ago.

Removing an authentication scheme from the RIPE Database is not necessarily a simple and straightforward process. A lot of the data in the RIPE Database doesn't change for many years. It is still valid data, but simply hasn't changed. The staff turnover of an LIR may change quicker than this data changes. When someone leaves an LIR, or other resource holder company, checking data entered into a database 10+ years ago may not be the first thing on the minds of all the staff. So your first problem may be that your notifications may be sent to email addresses that are no longer read.

Then we have the issue of who holds the credentials on a MNTNER object? You are assuming that if there is a credential other than MD5 then you can simply remove the MD5 and the other credential holder still has access to the MNTNER. The other credential holder(s) may no longer work for the resource holder. And yes this does happen. It was a common problem with crypt-pw deprecation.

You say there are currently 18k MNTNER objects with an MD5 password. So you potentially have a problem with anything from 1 to 18k MNTNERs. It is quite likely that many of these also no longer have access to the upd-to email address. So a password reset/replacement is a manual process. Is the RIPE NCC's customer services ready for potentially thousands of password resets in the next few years?

It is interesting that you say 17k passwords have not been used in the last 12 months. (Of course that may be <17k MNTNERs if there are multiple unused passwords on one object.) That could mean other credentials on those MNTNERs have been used or this represents a lot of this static data.

Perhaps a more useful statistic would be how many MNTNERs, that include at least one MD5, have not been used to update any data in the database using any of the available credentials in the last 12 months? That is possibly a count of how many MNTNERs could be a problem.

When we removed the crypt-pw we added a link in a remarks to a web page. From that page you could run a script to add an MD5 password with the same clear text as your crypt-pw.[1] That script ran for several years as people tried to update that old, static data. We could provide a similar script where you can enter the MNTNER name, old clear text password and a new credential that you want added to the MNTNER. That would avoid any manual work by customer services over the next couple of years. We monitored that script's usage and finally killed it off when the numbers no longer justified its existence.

Just a thought...

cheers
denis

[1] https://www.ripe.net/about-us/news/ripe-database-crypt-pw-deprecation-projec...

On Tue, 1 Apr 2025 at 16:49, Edward Shryane <eshryane@ripe.net> wrote:
Dear colleagues,
In answer to an off-list question, to clarify below there are just over 62,000 maintainers in total, and just over 18,000 maintainers with at least one MD5 hashed password. Only 1,446 distinct maintainers from those 18,000 used one of those MD5 hashed passwords to authenticate an update between the beginning of 2024 and mid-March 2025. In Q2 we plan to remove all passwords which have not been in use since the beginning of 2024.

Regards
Ed Shryane
RIPE NCC

On 31 Mar 2025, at 15:55, Edward Shryane <eshryane@ripe.net> wrote:
Dear colleagues,
According to January's updated migration plan to remove all MD5 hashed passwords from the RIPE database in 2025: https://mailman.ripe.net/archives/list/db-wg@ripe.net/thread/NGCRQWJPF7MT24V...
In Q2 2025, the RIPE NCC plans to remove all MD5 hashed passwords that have not been used for authentication in the past year, to reduce the risk of having so many MD5 hashes in the database in case of a data breach.
Using 1st January 2024 as a cut-off, we found this will affect approximately 17,000 out of 62,000 maintainers.
Accordingly, between this April and June, we will split these affected 17,000 maintainers into small groups and email each group separately, explaining that we plan to remove any such hash(es) from their mntner object. We will give each group at least one week's notice before updating their mntner object. We will not quote a password hash in any email to avoid exposing it; the maintainer is expected to know which password(s) are in active use.
Affected maintainers will be free to create a replacement MD5 hashed password themselves. However as passwords will be removed by the end of 2025, we will encourage them to switch to an alternative authentication method instead, such as API keys.
Most affected maintainers have an alternative method of authentication. However, approximately 3,000 of those do *not* have any alternative. If a maintainer is left without any authentication method, the Forgot Maintainer Password process will have to be followed to regain access to the maintainer. We plan to leave these maintainers until last.
Please let us know your comments and/or questions regarding this planned change.
Regards
Ed Shryane
RIPE NCC
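
The split discussed in this thread, between maintainers that hold an MD5 hashed password alongside another credential and those with no alternative, can be checked against your own mntner objects. The following is an added example, not part of the original messages and not RIPE NCC code; the sample objects are constructed, and the `auth:` scheme tokens it recognises (`MD5-PW`, `SSO`, `PGPKEY-`, `X509-`) are an assumption about the input format.

```python
import re

# Constructed sample objects, not real RIPE Database data; the hash is a placeholder.
SAMPLE = """\
mntner:  EXAMPLE-A-MNT
auth:    MD5-PW $1$placeholder$placeholder
auth:    SSO admin@example.net

mntner:  EXAMPLE-B-MNT
auth:    MD5-PW # Filtered
remarks: auth: SSO mentioned in a remark does not count

mntner:  EXAMPLE-C-MNT
auth:    PGPKEY-0123ABCD
auth:    X509-1
"""

def parse_mntners(text):
    """Return {mntner name: set of auth schemes} from RPSL-style text."""
    result, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None              # blank line ends the object
            continue
        m = re.match(r"([A-Za-z0-9-]+):\s*(\S+)", line)
        if not m:
            continue                    # continuation line or empty value
        key, token = m.group(1).lower(), m.group(2).upper()
        if key == "mntner":
            current = token
            result[current] = set()
        elif key == "auth" and current:
            # Assumed scheme tokens: MD5-PW, SSO, PGPKEY-<id>, X509-<n>
            scheme = token if token == "MD5-PW" else token.split("-")[0]
            result[current].add(scheme)
    return result

def classify(text):
    """Map each mntner to no-md5, md5-with-alternative or md5-only."""
    out = {}
    for name, schemes in parse_mntners(text).items():
        if "MD5-PW" not in schemes:
            out[name] = "no-md5"
        elif schemes - {"MD5-PW"}:
            out[name] = "md5-with-alternative"
        else:
            out[name] = "md5-only"
    return out

if __name__ == "__main__":
    for name, status in classify(SAMPLE).items():
        print(f"{name}: {status}")
```

An `md5-with-alternative` result only shows that another credential is listed on the object; whether anyone still holds that credential has to be confirmed separately.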