Re: Another Fedora decision




> On Feb 4, 2015, at 5:20 PM, Kahlil Hodgson <kahlil.hodgson@xxxxxxxxxxxxxx> wrote:
> 
> On 5 February 2015 at 10:36, Warren Young <wyml@xxxxxxxxxxx> wrote:
>> When the hashes are properly salted, the only option is brute force.  All having /etc/shadow does for you is let you make billions of guesses per second instead of 5 guesses per minute, as you get with proper throttling on remote login avenues.
> 
> Kinda highlights that 'time' is important here.

Yes, which is why a properly-designed remote credential checking system throttles login attempts: to buy time.

Safes and vaults aren’t rated “secure” or “insecure,” they’re rated in terms of minutes.  This one here is a 5 minute safe, and that one over there is a 15 minute safe.  You buy the one that gives you the time you need to react appropriately to an attack.

> An 8 character password might just nudge the
> probabilities in your favour and protect against a drive by attack.
> 
> Does that sound like a reasonable case to protect against?

That’s exactly what this change does.

This calculator will help you to explore the problem:

    https://www.grc.com/haystack.htm

Put in something like “Abc123@#” to turn on all the green lights to see the effect of a password that will pass the new rules.  

SSH as shipped on CentOS doesn’t allow 1,000 guesses per second, as this calculator assumes, so we actually have a few orders of magnitude more security.  Not that it matters, given that it reports that my example password would take 2.13 thousand centuries to crack.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
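To make the "time" argument in this exchange concrete, here is an added worked example (not from the thread, and not the code behind the GRC calculator). It sizes the search space of a password from the character classes it uses, then divides by three guess rates: the 5-per-minute budget a throttled login allows, the 1,000-per-second figure the calculator assumes, and a billion-per-second offline attack on a leaked /etc/shadow. It also models the throttle itself as a fixed-window limiter. Assumptions: the symbol pool is the 33 printable ASCII characters that are not letters or digits (space included), and the attacker must exhaust the full space of same-length strings over the union of the classes used. The numbers will not match the calculator exactly, which also counts all shorter lengths, but they land in the same "thousands of centuries" range for "Abc123@#".

```python
import string

# Character classes used to size the search space. Pool sizes are an
# assumption: 26 + 26 + 10 + 33 = 95 printable ASCII characters.
POOLS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation) | {" "},  # 32 punctuation + space
}

SECONDS_PER_YEAR = 365.25 * 86400

# Constructed attacker budgets, in guesses per second, matching the three
# situations discussed in the thread.
ONLINE_THROTTLED = 5 / 60            # 5 guesses per minute through a throttled login
ONLINE_UNTHROTTLED = 1_000           # the rate the calculator assumes
OFFLINE_CRACKER = 1_000_000_000      # billions per second against leaked hashes


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return {name for name, pool in POOLS.items() if any(c in pool for c in password)}


def keyspace(password):
    """Count of same-length strings over the union of the classes used.

    This is the exhaustive-search space an attacker faces once they know
    (or assume) which classes the password draws from.
    """
    pool_size = sum(len(POOLS[name]) for name in classes_used(password))
    return pool_size ** len(password)


def seconds_to_exhaust(password, guesses_per_second):
    return keyspace(password) / guesses_per_second


def centuries_to_exhaust(password, guesses_per_second):
    return seconds_to_exhaust(password, guesses_per_second) / SECONDS_PER_YEAR / 100


def compare(password):
    """Centuries to exhaust the space under each attacker budget."""
    return {
        "throttled": centuries_to_exhaust(password, ONLINE_THROTTLED),
        "unthrottled": centuries_to_exhaust(password, ONLINE_UNTHROTTLED),
        "offline": centuries_to_exhaust(password, OFFLINE_CRACKER),
    }


class LoginThrottle:
    """Fixed-window rate limiter: at most `limit` attempts per `window` seconds
    for each source. The caller passes the clock so the policy is testable.
    """

    def __init__(self, limit=5, window=60.0):
        self.limit = limit
        self.window = window
        self._attempts = {}  # source -> list of attempt timestamps

    def allow(self, source, now):
        """Return True if an attempt from `source` at time `now` is permitted."""
        recent = [t for t in self._attempts.get(source, []) if now - t < self.window]
        if len(recent) >= self.limit:
            self._attempts[source] = recent
            return False
        recent.append(now)
        self._attempts[source] = recent
        return True


if __name__ == "__main__":
    for pw in ("abcdefgh", "Abc123@#"):
        print(pw, classes_used(pw), f"keyspace={keyspace(pw):.3g}")
        for budget, centuries in compare(pw).items():
            print(f"  {budget:12s} {centuries:12.4g} centuries")
```

Running it shows the point Warren makes: the same 8-character, four-class password survives about 2,100 centuries at 1,000 guesses per second and tens of millions of centuries behind a 5-per-minute throttle, but only about 77 days against an offline cracker at a billion guesses per second. The throttle does not change the password; it changes how much of the attacker's lifetime each guess costs.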