On 16/12/11 13:02, Robert Moskowitz wrote:
>
>
> On 12/16/2011 01:51 AM, Tim wrote:
>> On Thu, 2011-12-15 at 13:08 +0000, Jake Shipton wrote:
>>> My next advice would be to do the following:
>>>
>>> 1) Regularly change your password, say every 3/6 months.
>> Personally, I don't see the point in this. I think it's a fallacy.
>
> I totally agree with you. But after a couple years, I DO switch
> passwords. They tend to creep and I can't be sure that someone other
> than my wife knows it.
>
> Unless there is a big bug reported, what is the attack vector for M.
> Hacker? SSH? Watch your logwatch. Email attachments or web
> downloads? Scan them first.
>
> Choose a password with an entropy of ~40 bits and you will be good unless
> you are a target of interest to somebody.
>
>>
>> If they haven't guessed/cracked your password, there's no point in
>> changing it. They haven't got in, and it's no easier or harder to guess
>> the current one from a new one. Unlike in the movies, crackers don't
>> get clues to when they're getting close to guessing your password, it's
>> just pass or fail. The probability that their next guess might be right
>> for your old password is just as improbable that their next guess might
>> be your new password. And it's probably just as likely that if you
>> changed your password, you might change it to one that they were just
>> about to guess. i.e. *Guessing* **any** password, correctly, is highly
>> improbable.
>>
>> If they have got your password, any clueful hacker will have put
>> something in so they're not obstructed by you changing the password
>> (backdoors, trojans, rootkits, et cetera). And if you hadn't detected
>> them breaking in before, you're not going to notice it the next time.
>>
>> And it's hard enough to remember passwords, especially several of them,
>> without having to remember changing ones.
>>

Okay, so I was wrong about the password thing :-).
Although personally I'll still switch my passwords once a year like I always have done :-). Old habits die hard.

Though my system is logged like a server should be, even though it's just a plain and simple desktop on ethernet behind a router & firewall not moving anywhere... but I do like to know what my system does. I probably would detect a break-in attempt before they got in :-)

--
Jake