If you are interested, I can provide you with a list of maintainers which have weak passwords :)<div> </div><div>As I said, there is a cracking job running on my side on the MD5(UNIX) hashes I grabbed earlier(by the way I apologize if this raised some errors or security warnings ...). Once done I also could provide you with exact figures regarding number of cracked hashes.</div> <div> </div><div> <div class="gmail_quote">On Tue, Nov 8, 2011 at 1:22 PM, Daniel Stolpe <<a href="mailto:stolpe@resilans.se">stolpe@resilans.se</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"> I agree. And maybe someone should set up john the ripper to crack some passwords and contact the holders of the weakest ones.<div><div class="h5"> On Tue, 8 Nov 2011, David Freedman wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> I don't mind it continuing to be used over encrypted channels, as long as the hashes are not available to the general public (as per your previous mail) I would support a warning phase Dave. On 08/11/2011 11:56, "Shane Kerr" <<a href="mailto:shane@time-travellers.org" target="_blank">shane@time-travellers.org</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> David, On Tue, 2011-11-08 at 09:38 +0000, David Freedman wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> I'd like to see auth: MD5-PW deprecated , even though it seems to be widely used (for various reasons) according to the report by DB presented to us. </blockquote> I propose that we deprecate �passwords over unencrypted channels. AFAIK this just means e-mail today, although the web API stuff may also provide an non-TLS option (I don't know). Unlike hiding MD5, this is a major change for users, and would need to be done with the same caution and preparation as similar large changes in the past. We could have a warning phase, where anyone using a password in email would get a scary warning in the reply telling them to use a more secure scheme (PGP, X.509, webupdates, or database web API). The RIPE NCC could identify heavy users and help them convert their tools. And eventually we could flip the switch and turn off plain text passwords. -- Shane </blockquote> </blockquote> </div></div> Daniel _________________________________________________________________________________ Daniel Stolpe � � � � � Tel: �08 - 688 11 81 � � � � � � � � � <a href="mailto:stolpe@resilans.se" target="_blank">stolpe@resilans.se</a> Resilans AB � � � � � � Fax: �08 - 55 00 21 63 � � � � � �<a href="http://www.resilans.se/" target="_blank">http://www.resilans.se/</a> Box 13 054 � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �556741-1193 103 02 Stockholm </blockquote></div> </div>