On Fri, 2008-05-16 at 15:23 +0200, Manuel Aróstegui wrote:
> On Thu, 15-05-2008 at 14:41 -0700, Wolfgang S. Rupprecht wrote:
> > "jeff emminger" <jemminger@xxxxxxxxx> writes:
> > > isn't password authentication insecure? why not set
> > > "PasswordAuthentication no" and use ssh keys, and maybe port-knocking
> > > too
> >
> > My feeling exactly. You have no control over how stupid a password
> > users will pick. The only control you have is to not allow passwords
> > in the first place and insist on at least a 1k-bit (hopefully random)
> > key.
>
> Although, you can force them to create passwords with numbers, something
> like, for instance, at least 2 numbers and one alphanumeric character.
> That would help a wee bit to avoid easy passwords that may be broken
> with a basic brute force attack.

Not really. It used to be the case that substituting '1' for 'i', '3' for
'e', etc. was a good move, but modern password crackers are wise to this
sort of thing.

If you don't want a completely random password (which you then write down
and lose :-) my usual recommendation is to combine two random words with
something non-alphanumeric in between, e.g. lentil*highway. This
approximately squares the difficulty of a brute-force search. Play around
with misspellings, words from two or more different languages, etc.

Of course for really important stuff I keep my random passwords in an
encrypted database on my Palm Pilot (*not* the builtin "security" but a
third-party app).

poc

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
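An added example, not from anyone in this thread, that puts numbers on the two claims above: a dictionary-aware guesser undoes digit-for-letter substitutions almost for free, while two dictionary words joined by a separator roughly square the search. The leet table, the 16-symbol separator alphabet, the toy dictionary and the cost model itself are assumptions for illustration.

```python
import math

# Substitutions a dictionary-aware cracker tries as cheap mangling rules (assumed table)
LEET = {"1": "i", "3": "e", "4": "a", "0": "o", "5": "s", "7": "t", "@": "a", "$": "s"}
LEET_LETTERS = set(LEET.values())
# Assumed separator alphabet for the "two words with something in between" scheme (16 symbols)
SEPARATORS = set("!#%&*+-./:;=?_@^")


def deleet(s):
    """Undo digit/symbol-for-letter substitutions, as a cracker's mangling rules do."""
    return "".join(LEET.get(c, c) for c in s)


def brute_force_bits(password, dictionary, separators=SEPARATORS):
    """Estimate log2(guesses) a dictionary-aware cracker needs for `password`.

    Cost model (an assumption for illustration, not a measurement):
      * one dictionary word, possibly leet-mangled: log2(|dict|) plus one bit
        per letter that could have been substituted, i.e. the mangling rules
        add only a handful of bits on top of the wordlist;
      * two dictionary words with a separator: 2*log2(|dict|) + log2(|seps|),
        so the search roughly squares, as the post says.
    Returns None if neither model explains the password.
    """
    n = len(dictionary)
    base = deleet(password.lower())
    if base in dictionary:
        substitutable = sum(1 for c in base if c in LEET_LETTERS)
        return math.log2(n) + substitutable
    for i, c in enumerate(password):
        if c in separators:
            left = deleet(password[:i].lower())
            right = deleet(password[i + 1:].lower())
            if left in dictionary and right in dictionary:
                return 2 * math.log2(n) + math.log2(len(separators))
    return None


if __name__ == "__main__":
    # Constructed toy dictionary; a real cracker wordlist has millions of entries
    words = {"lentil", "highway", "password", "secret"}
    for pw in ("p4ssw0rd", "lentil", "lentil*highway", "Xq7#pL"):
        print(pw, brute_force_bits(pw, words))
```

With a 4-word dictionary the mangled word costs 6 bits and the word pair 8; with a realistic 100k-word list the gap is roughly 20 bits versus 37.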