Re: what percent of time are there unpatched exploits against default config?




On 12/29/2011 07:21 AM, Marko Vojinovic wrote:
> On Thursday 29 December 2011 13:07:56 Reindl Harald wrote:
>> Am 29.12.2011 12:56, schrieb Leonard den Ottolander:
>>> Hello Reindl,
>>>
>>> On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:
>>>> Am 29.12.2011 09:17, schrieb Bennett Haselton:
>>>>> Even though the ssh key is more
>>>>> random, they're both sufficiently random that it would take at least
>>>>> hundreds of years to get in by trial and error.
>>>>
>>>> if you really think your 12-char password is as secure
>>>> as an ssh key protected with this password you should
>>>> consider taking some education in security
>>>
>>> Bennett clearly states that he understands the ssh key is more random,
>>> but wonders why a 12 char password (of roughly 6 bits entropy per byte
>>> assuming upper & lower case characters and numbers) wouldn't be
>>> sufficient.
>>
>> so explain to me why we discuss whether or not to use the best
>> currently available method in the context of security?
> 
> Using an ssh key can be problematic because it is too long and too random to
> be memorized --- you have to carry it on a USB stick (or wherever). This
> provides an additional point of failure should your stick get lost or stolen.
> The human brain is still by far the most secure information-storage device. :-)
> 
> It is very inconvenient for people who need to log in to their servers from
> random remote locations (i.e. people who travel a lot or work in
> hardware-controlled environments).
> 
> Besides, it is essentially a question of overkill. If a password is not good
> enough, you could argue that the key is also not good enough --- two keys (or
> a larger one) would be more secure. Where do you draw the line?
> 

This is absolutely ludicrous.  Requiring a physical "key" to be present
for access cannot be compared to a 12 character password, random or not.

Bottom line ... if you want people to crack your server, use passwords
and they way.

For the love of God, do not allow password access to your machines, people.
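As an added example (not code from the thread, from CentOS or from OpenSSH), the check a defender would run to enforce the reply's advice: a Python audit of sshd_config for password-based logins, plus the entropy arithmetic behind the quoted 12-character estimate. The sample configs are constructed, and the defaults assumed for absent directives are those of recent OpenSSH releases.

```python
import math
import re

# Constructed sample sshd_config fragments (not taken from the thread).
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
#PubkeyAuthentication yes
"""
HARDENED_CONFIG = "PermitRootLogin no\nPasswordAuthentication no\nChallengeResponseAuthentication no\n"

# Value a defender wants for each directive (key-only logins, as the reply urges).
WANTED = {"PasswordAuthentication": "no", "ChallengeResponseAuthentication": "no",
          "PermitRootLogin": "no", "PubkeyAuthentication": "yes"}
# Assumed OpenSSH defaults for an absent directive (recent releases; PermitRootLogin
# defaulted to "yes" before OpenSSH 7.0, so an old host with it absent is worse).
DEFAULTS = {"PasswordAuthentication": "yes", "ChallengeResponseAuthentication": "yes",
            "PermitRootLogin": "prohibit-password", "PubkeyAuthentication": "yes"}

def parse_sshd_config(text):
    """Map lowercase keyword -> value for global directives. OpenSSH honours the
    first occurrence of a keyword, and settings inside a Match block are
    conditional, so parsing stops at the first Match line."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*=?\s*(.+)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective

def audit(text):
    """Return (directive, effective_value, wanted_value) for each deviation."""
    cfg = parse_sshd_config(text)
    found = [(d, cfg.get(d.lower(), DEFAULTS[d]).lower()) for d in WANTED]
    return [(d, v, WANTED[d]) for d, v in found if v != WANTED[d]]

def password_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: 12 chars over 62 symbols gives
    about 71.5 bits, the "roughly 6 bits per byte" quoted in the thread."""
    return length * math.log2(alphabet_size)
```

Newer OpenSSH spells the challenge-response directive KbdInteractiveAuthentication; add it to WANTED and DEFAULTS when auditing such hosts.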


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
