Re: Screensaver takes too much time to fade-out...

On 12/15/2011 11:30 AM, Jake Shipton wrote:
On 15/12/11 15:32, Michael Cronenworth wrote:
Jake Shipton wrote:
[snip]
Some of your advice is good, but some of it is not. Even though your
reply was to a known troll of this list, I'd like to respond to some of
your comments.
Okay :-). I'll respond back to yours.

Ensure when setting up your system you do not use the same password
twice, or the same password you use anywhere else. Each password should
be unique and should consist of Upper and Lower case letters, Numbers
and Symbols (For example: MyPa55W0rd&2012&2011).
The password "this-is-fun" is just as secure as your example.
http://vivekgirotra.com/why-the-password-this-is-fun-is-10-times-more

Maybe so, but I am simply trying to advise from what I have learned over
the years. I am in no way a professional or otherwise.

Unfortunately, in the area of passwords too many real security professionals have given bad advice. So not being a security professional is not necessarily a bad thing here!


I have simply done passwords like how I have shown in my example above
for years, so it is how I advise them :-).

But the attack vectors have changed. Cloud computing has put real cracking ability in the hands of everyday hackers. I authored the original paper on attacking WiFi WPA-PSK passwords. I did that because vendors were not putting ANY constraints on passwords, and you could enter a 4 digit pin with the first release of WPA products. My paper caused a bit of consternation and DID get password minimums set to 8 characters. Good enough back in '03. Now the attack is very easy with cloud computing. I recommend that everyone look at SAE for WiFi security. It is part of 802.11s, but can be used for general AP-STA security. It is already implemented in the OpenAP code. SAE (by my colleague Dan Harkins of Aruba) has NO offline attack and an active attack only gets one guess per try. SAE is of the class of 'zero-based knowledge' password methods. Anyway enough of a digression, just my point that attacks change over time and what was considered 'good enough' 5 years ago is no longer good at all.

Passphrases have ALWAYS been recognized as stronger than passwords, and easier to remember. The problem in using them is that many systems would just truncate long passphrases or put strong limits on size of entry. For some time UNIX login was so limited, for example.

I use a couple different styles of passphrases myself.


[snip]
Now you should set up your firewall
[snip]
Switch to ICMP Filter, and tick the following:

- Echo Reply
Disabling ping on a workstation that is guaranteed to be behind a router
is pointless. Even if the workstation was directly connected to the
internet disabling ping is pointless. It will only make future
troubleshooting of network issues more difficult. Your internet presence
is not hidden by disabling ping.
I am aware of that, for example a stealth scan with no ping will still
pick up open ports. However, the person who I replied to claims to be
under attack constantly. So why not? If you need to troubleshoot your
network, it isn't difficult to re-enable the ping.

The age-old argument about this wonderful network hack. To allow pings or not to allow them. I generally like them, but can agree that for the OP, disabling them for the 'warm fuzzy' is worth it.

