On Sunday 07 October 2007 11:33:45 Lubomir Kundrak wrote:
> > A successful account breach requires 3 things: a machine name, a valid
> > account, and the password. Letting people know that an account is valid
> > cuts the attack down to a dictionary attack.
>
> So what about trying to hide the machine name?

Yes that is a good thing to try, but likely to be exposed. NAT's do some degree
of protecting this. But this is really not the point of this thread.

> This is plain nonsense. Time that was spent avoiding timing `attacks' was
> wasted. The _password_ is meant to be a key that is to be hidden, not the
> account name.

No, it is both. This is why face logins are bad in a secure setting.

> If anything, dictionary attacks can be done against the username-password
> pair also.

Yes that is true. But not having a valid account name doubles the complexity
and requires you to work even longer.

-Steve

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list