
Re: Have I been hacked?



On 01/10/2015 07:42 AM, Jerry Stuckle wrote:
On 1/10/2015 12:24 AM, scott wrote:
On 01/10/2015 12:01 AM, Jerry Stuckle wrote:
On 1/9/2015 10:24 PM, scott wrote:
On 01/09/2015 09:19 PM, Jerry Stuckle wrote:
On 1/9/2015 8:49 PM, Joel Rees wrote:
On Fri, Jan 9, 2015 at 6:25 PM, Martin Steigerwald <Martin@lichtvoll.de> wrote:
On Friday, 9 January 2015, 00:24:06, Brian wrote:
On Thu 08 Jan 2015 at 22:36:46 +0100, Martin Steigerwald wrote:
On Thursday, 8 January 2015, 14:20:27, Jerry Stuckle wrote:
Just ensure you're using good security practices - don't allow root
login, use long, random passwords, etc.  I also use random character
strings for the login ids, as well as passwords - just one more thing
for the hackers to have to figure out how to get around.

Only allow SSH key based logins. Of course, only after you copied a public
key onto the machine with ssh-copy-id.

And have SSH keys with *strong* passphrases, to protect against someone
stealing your key. Use ssh-agent wisely only on trusted machines.

SSH password logins are just as safe. 20 characters gives a strong
password for use on trusted machines. There is no need to worry about
it being stolen because it is in your memory,

I think SSH keys are safer, cause there is no password at all that can be
brute forced.

What do you mean by that?

Okay, one can try to guess the key, but try that with a 4096 bit
key.

Hmm.

10 characters, 6 to 7 bits per character, that's 60 bits.

If the bits are truly random, straight brute-force will take, on
average, half of 2^60 attempts.

We can hold the integer 2^59 in a C variable on most recent desktops,
but if we have bc (dc if you like post-fix), we can do this on even 32
bit CPUs:

576460752303423488 (base ten)

At one million attempts per second, that's 5764607523034 seconds, or
182678 CPU-years.

There's no way that's going to happen on-line, if the password is
truly random, and not randomly a password that's a quick permutation
of common memes or of entries in rainbow tables.


Actually, 62 possible characters (upper case, lower case and digits), 10
positions is 62^10 or 839,299,365,868,340,224 possible combinations.

Adding in special characters obviously would increase that.

But there is no way you'll hit a server 1,000,000 times a second trying
to brute force a password.


I currently use sixteen or more letters in my passwords, don't use
simple permutations or common phrases (as for the first letter trick),
use disconnected words from multiple languages. Or use 16 character
true random passwords for the important stuff.


All good suggestions.

SSH keys are useful, but you have to keep them somewhere. The real
danger to good passwords is the off-line attempts, and the passphrase
you use for your private keystore is potentially subject to off-line
attack if your password is.


Yes, keys may actually be less secure than passwords.

Jerry


If you have a dedicated hacker, or hackers, time is on their side. I
would much rather use a key with a passphrase.



That's fine, if you don't care about security.  Lose your laptop and
your pass phrase can be broken at a rate of 1 billion attempts per
second, since it is local to your machine.

There is no way you're going to get even 100 attempts per second into an
SSH server.  And since the hacker doesn't have direct access to the
encrypted password on the server, he can't break it on a local machine.
Using the same password/pass phrase for both systems, it would take
10,000,000 times longer to hack the SSH password than your local pass
phrase.

And then there's the problem you can only access the server from a
system with the key file.  And the more computers the key file resides
on, the less secure it is.

Since a password is not stored on any machine (except the server), there
is nothing to break.

Jerry


I replied to your post to me specifically, so I'll do it here, also.
The fact is that if you have physical access to any machine, unfettered,
it's game over.
    Scotty



Which is more likely for a hacker to gain physical access to?  A laptop
you carry around (or even a desktop), or a server in a data center with
people on site 24/7?

People like Snowden?? :) Ric


--
My father, Victor Moore (Vic) used to say:
"There are two Great Sins in the world...
..the Sin of Ignorance, and the Sin of Stupidity.
Only the former may be overcome." R.I.P. Dad.
Linux user# 44256
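To put the thread's figures side by side, here is an added example (my own, not code from any of the posters) that recomputes keyspace, entropy and expected time-to-crack for a uniformly random password at the guess rates argued over above. The 100/s online and 1,000,000,000/s offline rates are the round numbers from the discussion, taken as assumptions rather than measurements.

```python
"""Brute-force cost arithmetic for the password-vs-SSH-key discussion.

Added example, not from the thread. Rates are the constructed round
numbers the posters use: ~100 guesses/s against a remote SSH server,
~1e9 guesses/s offline against a stolen private key's passphrase.
"""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

# Character-set sizes used in the thread's arithmetic.
LOWER = 26          # a-z
ALNUM = 62          # a-z, A-Z, 0-9
PRINTABLE = 95      # printable ASCII including space


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password."""
    return length * math.log2(charset_size)


def expected_guesses(space: int) -> int:
    """On average the right password turns up halfway through the space."""
    return space // 2


def years_to_crack(space: int, guesses_per_second: float) -> float:
    """Expected wall-clock years at a sustained guessing rate."""
    return expected_guesses(space) / guesses_per_second / SECONDS_PER_YEAR


def summary(charset_size: int, length: int,
            online_rate: float = 100.0, offline_rate: float = 1e9) -> dict:
    """Compare the online (SSH server) and offline (stolen key) cases."""
    space = keyspace(charset_size, length)
    return {
        "keyspace": space,
        "bits": entropy_bits(charset_size, length),
        "online_years": years_to_crack(space, online_rate),
        "offline_years": years_to_crack(space, offline_rate),
    }


if __name__ == "__main__":
    for length in (10, 16, 20):
        print(length, summary(ALNUM, length))
```

The ratio of the two "years" figures is simply offline_rate / online_rate, which is where the thread's "10,000,000 times longer" comes from.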

