Re: Another Fedora decision

On 5 February 2015 at 10:36, Warren Young <wyml@xxxxxxxxxxx> wrote:
> When the hashes are properly salted, the only option is brute force.  All having /etc/shadow does for you is let you make billions of guesses per second instead of 5 guesses per minute, as you get with proper throttling on remote login avenues.

Kinda highlights that 'time' is important here.  Booting into a fresh
system and then running updates and hardening your system can take a
few minutes.  There may be an appreciable difference between having a
password that can be cracked in 1 second and one that takes an hour.
(Yes, infrastructure can help mitigate this risk).

I'm thinking of someone with limited infrastructure installing a
system under time pressure. They might be tempted to use a very weak
password initially with the expectation that they would get back to
hardening the system later.  If they are regularly under time
pressure, that may never actually happen, or may be delayed for
hours/days.  An 8 character password might just nudge the
probabilities in your favour and protect against a drive-by attack.

Does that sound like a reasonable case to protect against?
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos