1) Abstract

Consequent to the community's request in December 2012, the AFRINIC whois database will no longer display hashes of MD5 and CRYPT encrypted passwords in all mntner (whois database) objects.

Currently, majority of objects in the AFRINIC whois database are protected by and authenticate through a mechanism that uses clear text passwords encrypted with the md5 algorithm for authentication. There are two major concerns with this method:

• The md5-hashed password has traditionally been visible in all mntner objects. This makes it vulnerable to crackers, given that computers these days are armed with more than enough processing power to unhash these passwords in a relatively short time.
• When performing a whois database update, plain text passwords are attached into the objects to be updated and sent by email to the whois database. This introduces a possibility for the password to be sniffed in case there is no form of encryption between the sender, recipient and their relaying Mail Transfer Agents.

AFRINIC has enabled a filter in the whois database such that whois queries do not display those hashes again. This mitigates the potential for anyone to run a simple script or program that will crack these passwords, as they are no longer visible.