
Re: Have I been hacked?



On 01/09/2015 09:19 PM, Jerry Stuckle wrote:
> On 1/9/2015 8:49 PM, Joel Rees wrote:
>> On Fri, Jan 9, 2015 at 6:25 PM, Martin Steigerwald <Martin@lichtvoll.de> wrote:
>>> On Friday, 9 January 2015, 00:24:06, Brian wrote:
>>>> On Thu 08 Jan 2015 at 22:36:46 +0100, Martin Steigerwald wrote:
>>>>> On Thursday, 8 January 2015, 14:20:27, Jerry Stuckle wrote:
>>>>>> Just ensure you're using good security practices - don't allow root
>>>>>> login, use long, random passwords, etc. I also use random character
>>>>>> strings for the login IDs, as well as passwords - just one more thing
>>>>>> for the hackers to have to figure out how to get around.
>>>>>
>>>>> Only allow SSH key based logins. Of course, only after you copied a public
>>>>> key onto the machine with ssh-copy-id.
>>>>>
>>>>> And have SSH keys with *strong* passphrases, to protect against someone
>>>>> stealing your key. Use ssh-agent wisely only on trusted machines.
>>>>
>>>> SSH password logins are just as safe. 20 characters gives a strong
>>>> password for use on trusted machines. There is no need to worry about
>>>> it being stolen because it is in your memory,
>>>
>>> I think SSH keys are safer, cause there is no password at all that can be
>>> brute forced.
>>
>> What do you mean by that?
>>
>>> Okay, one can try to guess the key, but try that with a 4096 bit
>>> key.
>>
>> Hmm.
>>
>> 10 characters, 6 to 7 bits per character, that's 60 bits.
>>
>> If the bits are truly random, straight brute-force will take, on
>> average, half of 2^60 attempts.
>>
>> We can hold the integer 2^59 in a C variable on most recent desktops,
>> but if we have bc (dc if you like post-fix), we can do this on even 32
>> bit CPUs:
>>
>> 576460752303423488 (base ten)
>>
>> At one million attempts per second, that's 5764607523034 seconds, or
>> 182678 CPU-years.
>>
>> There's no way that's going to happen on-line, if the password is
>> truly random, and not randomly a password that's a quick permutation
>> of common memes or of entries in rainbow tables.
>>
> 
> Actually, 62 possible characters (upper case, lower case and digits), 10
> positions is 62^10 or 839,299,365,868,340,224 possible combinations.
> 
> Adding in special characters obviously would increase that.
> 
> But there is no way you'll hit a server 1,000,000 times a second trying
> to brute force a password.
> 
> 
>> I currently use sixteen or more letters in my passwords, don't use
>> simple permutations or common phrases (as for the first letter trick),
>> use disconnected words from multiple languages. Or use 16 character
>> true random passwords for the important stuff.
>>
> 
> All good suggestions.
> 
>> SSH keys are useful, but you have to keep them somewhere. The real
>> danger to good passwords is the off-line attempts, and the passphrase
>> you use for your private keystore is potentially subject to off-line
>> if your password is.
>>
> 
> Yes, keys may actually be less secure than passwords.
> 
> Jerry
> 
> 
If you have a dedicated hacker, or hackers, time is on their side. I
would much rather use a key with a passphrase.
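The search-space arithmetic the thread argues over, worked through as an added example (this is not code from any of the posters). It computes the size of the keyspace, its entropy in bits and the expected brute-force time for a few password shapes at several guess rates. The guess rates are constructed assumptions chosen to contrast an online attack against a rate-limited sshd with an offline attack on a stolen, passphrase-protected key file, which is the distinction the thread turns on; the 1,000,000 guesses per second figure is the one quoted above.

```python
"""Keyspace, entropy and expected brute-force time for random passwords.

Added example: the guess rates below are constructed assumptions for
illustration, not measurements of any real attacker or of sshd.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Constructed guess rates (assumptions). An online attacker is bounded by
# network round trips and lockout tools; an offline attacker holding a
# copied key file or password hash is bounded only by their hardware.
RATES = {
    "online, rate-limited sshd": 10,
    "online, thread's 1e6/s figure": 1_000_000,
    "offline, stolen key file on GPU": 1_000_000_000,
}


def search_space(charset_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols drawn from `charset_size`."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random string, in bits."""
    return length * math.log2(charset_size)


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random secret: half the space on average."""
    return space / 2 / guesses_per_second


def expected_years(space: int, guesses_per_second: float) -> float:
    return expected_seconds(space, guesses_per_second) / SECONDS_PER_YEAR


def estimate(charset_size: int, length: int, rates=RATES) -> dict:
    """Expected years to brute-force one password shape at each guess rate."""
    space = search_space(charset_size, length)
    return {name: expected_years(space, gps) for name, gps in rates.items()}


def report(shapes, rates=RATES) -> None:
    """Print a comparison table for a list of (label, charset_size, length)."""
    for label, charset_size, length in shapes:
        bits = entropy_bits(charset_size, length)
        print(f"{label}: {search_space(charset_size, length):,} strings, {bits:.1f} bits")
        for name, years in estimate(charset_size, length, rates).items():
            print(f"    {name:34s} {years:>14.3g} years")


if __name__ == "__main__":
    # Password shapes from the thread: 60 random bits, 10 and 16 random
    # alphanumerics (62 symbols), and 20 printable ASCII characters (95).
    report([
        ("60 random bits", 2, 60),
        ("10 random alphanumerics", 62, 10),
        ("16 random alphanumerics", 62, 16),
        ("20 random printable ASCII", 95, 20),
    ])
```

Running the script shows the asymmetry the last two posters describe: a 10-character alphanumeric password is out of reach online at any plausible rate, but the same secret guarding an offline artifact faces a rate a thousand or more times higher, which is why the passphrase on a private key should be sized for the offline column rather than the online one.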

