Bennett Haselton wrote:
> On 1/3/2012 12:32 PM, m.roth@xxxxxxxxx wrote:
>> Bennett Haselton wrote:
>>> mark wrote:
>> <snip>
>>>>> 1. How will you generate "truly random"? Clicks on a Geiger counter?
>>>>> There is no such thing as a random number generator.
<snip>
>>>
>>> To date, *nobody* on this thread has ever responded when I said that
>>> there are 10^21 possible such passwords and as such I don't think that
>>> the password can be brute-forced in that way. Almost every time I said
>> Ok, I'll answer, here and now: YOU IGNORED MY QUESTION: HOW WILL YOU
>> "RANDOMLY" GENERATE THE PASSWORDS? All algorithmic ones are
>> pseudo-random.
>> If someone has any idea what the o/s is, they can guess which
>> pseudo-random generator you're using, and can try different salts.
> I generally change them from the values assigned by the hosting company,
> and just bang my fingers around on the keyboard, with the shift key
> randomly on and off for good measure :) This also removes the

Real random, there. Do you also use a Dvorak keyboard, or a std. qwerty?
You want to bet there aren't algorithms out there for guessing that?
Certainly, until this minute, I hadn't thought of it, but I'll bet there is.

> possibility that an incompetent hosting company will store their own

Hosting co? You're hosted somewhere? And an admin there can't get into
your snapshot and add a back door?

> copy of the password somewhere that it can be compromised. Even when
> that possibility is very unlikely, it's still astronomically more likely
> than the attacker guessing the password by brute force.

Question 1: why is it that brute force attacks go on, day and night,
everywhere? I see plenty of them here, when fail2ban tells me it's banning
an IP.
>
> But even if someone did not do that, don't most Linux distros have a good
> crypto-random number generator for generating new passwords, when
> they're picked by the machine and not the user? You can use salts that

They're all pseudo-random. Unless, maybe, you can get truly random with
quantum computing, all you can ever do is pseudo-random.
<snip>
>> Without fail2ban, or something like it, they'll hit your system
>> thousands of times an hour, at least. Sooner or later, they'll get lucky.
>
> OK do you *literally mean that* -- that with 10^21 possible passwords
> that an attacker has to search, I have to worry about the attacker
> "getting lucky" if they're trying "thousands of times per hour"?
>
>> But I suppose you'll ignore this, as well.

Oh, and your system wasn't compromised, so all of us are wrong, and you're
correct.

This thread's killfiled for me - it's pointless.

      mark

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
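
An added example, not part of the original thread or written by either poster: it draws a password from the kernel random source (os.urandom) with rejection sampling, then puts numbers on the two quantities argued over above, the size of the search space and the online guess rate. The 62-symbol alphabet, the length of 12 (62^12 is about 3.2 x 10^21) and the figure of 5000 guesses per hour are assumptions chosen to match the orders of magnitude quoted in the thread.

```python
import math
import os
import string

ALPHABET = string.ascii_letters + string.digits  # assumption: 62 symbols
LENGTH = 12                                      # assumption: 62**12 ~ 3.2e21


def generate_password(length=LENGTH, alphabet=ALPHABET, rand=os.urandom):
    """Pick each character from kernel random bytes, discarding bytes that
    would make some symbols more likely than others (modulo bias)."""
    limit = 256 - (256 % len(alphabet))  # bytes >= limit are rejected
    out = []
    while len(out) < length:
        for b in rand(length):
            if b < limit and len(out) < length:
                out.append(alphabet[b % len(alphabet)])
    return "".join(out)


def keyspace(length=LENGTH, alphabet=ALPHABET):
    """Number of equally likely passwords of this length."""
    return len(alphabet) ** length


def entropy_bits(space):
    """Entropy of a uniform choice from `space` possibilities."""
    return math.log2(space)


def hit_probability(space, guesses_per_hour, hours):
    """Chance that distinct online guesses include a uniformly chosen password."""
    return min(1.0, guesses_per_hour * hours / space)


def years_to_search_half(space, guesses_per_hour):
    """Expected years of guessing before half the space has been tried."""
    return space / 2 / guesses_per_hour / (24 * 365)


if __name__ == "__main__":
    space = 10 ** 21   # figure quoted in the thread
    rate = 5000        # constructed value for "thousands of times an hour"
    print("sample password:", generate_password())
    print("keyspace for 12 chars of 62:", keyspace())
    print("entropy bits for 10^21:", round(entropy_bits(space), 1))
    print("P(hit) after one year:", hit_probability(space, rate, 24 * 365))
    print("years to cover half:", years_to_search_half(space, rate))
```

The estimate only holds for a password chosen uniformly at random and for online guessing at the stated rate; it says nothing about a password copy stored elsewhere or about offline attacks on a stolen hash.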