In October 2017, APNIC was made aware of an issue where hashed Maintainer and IRT passwords were included in downloadable whois data. This happened as a result of an upgrade to the APNIC Whois Database earlier in the year.
The issue was resolved the next day, as the hashes were removed from the downloadable data. A formal statement was made here.
Until now, Maintainer/IRT objects have been secured using three methods:
MD5 and crypt have long been considered broken or obsolete, and therefore not recommended for use. Because of this, APNIC has implemented bcrypt as an additional password-hashing mechanism in the whois database.
bcrypt is based on the Blowfish block cipher and includes a work factor that can be changed on a per-hash basis. The work factor determines the length of time required to compute the hash; this allows the mechanism to remain resistant to brute-force attacks even as computing power increases.
The bcrypt mechanism provides APNIC Members with an easy-to-use method of protecting their whois objects from unauthorized changes. So far, 542 Maintainers and 571 IRT objects have been updated to use bcrypt.
APNIC Members who’ve created new Maintainers/IRTs via MyAPNIC since November 2017 have passwords hashed using bcrypt by default. We encourage Members with existing Maintainer/IRT objects to change their passwords as soon as possible; this will cause their password hashes to change from crypt/MD5 to bcrypt.
If you are an APNIC account holder, you can update your Maintainer/IRT hash to bcrypt via MyAPNIC, as follows:
- Login to MyAPNIC
- Go to Resources > Maintainer/IRT.
- Select the object you wish to update.
- Scroll down to the ‘auth’ field and enter a new password.
- Click the Update button.
Once you have entered the password, you will notice that the auth attribute will change to a bcrypt hash soon after you stop typing and MyAPNIC calculates the hash.
If your Maintainer displays ‘Invalid Password’, please contact the APNIC Helpdesk at firstname.lastname@example.org and they will help you.
If you don’t have access to MyAPNIC, you can also use email update to make this change.
The correct syntax for the ‘auth’ attribute is:
(Please note that the above hash is only used as an example.)
If you have an account with an NIR, you can also use the email update or contact your NIR for further assistance.
APNIC plans to enforce password changes for all crypt and MD5 hashed passwords on the MyAPNIC login for Technical/Corporate Contacts before removing crypt/MD5 support from the APNIC Whois Database. All Members will be advised of these changes well in advance.
If you have any questions about updating your Maintainer/IRT object passwords or need help with accessing MyAPNIC to make these changes, please contact the APNIC Helpdesk.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.