
Re: Have I been hacked?



Brian wrote:
> Bob Proulx wrote:
> > Brian wrote:
> I am still going to maintain that "TwasBrilligAndTheSlithyToves" is a
> more than adequate password for logging in *on-line*. If I were to lack
> trust in the maintenance of security at a site I might consider a change
> of heart. But then - what would I base my judgement on, apart from the
> theoretical possibility?
> 
> > I won't say that the technique you show above is a bad thing.  But the
> > current wisdom is that it isn't good enough anymore because after
> > analyzing millions of real world passwords, programs can now guess
> > what humans will do much of the time.  So what you really need is
> > something other than what a human would produce.
> 
> We are still on off-line cracking? How does this sound?

Oops.  You caught me.  Everyone else continued to talk about offline
cracking and I had pretty much given up and lost track of the topic.
But you specifically said online and emphasized it.  My bad.

Although I was trying to address specifically the trust in site
security.  It is only a matter of time before a high profile site is
so mired in its own bureaucracy that they lose track of its own
security and expose this information.  Historically speaking.

But the original poster was talking about a personal Debian system.
For a personal system one could probably get away with using a pretty
weak password.  Your password method would be a pretty strong one for
a personal system.  If the system is compromised to the point that
/etc/shadow is exposed with the hashes for an offline attack then you
should scrape it clean and install from known good pristine sources
and start again using all different passwords than before.  The weak
password wouldn't have been the problem in that case.  The attack
could only have come through some other vector into the machine.

Bob

P.S.  Before leaving remote web sites entirely behind...
Most important is to use a unique password per site.  Then use a
strong password only if I care about having that data cracked.  I use
my fair share of weak throwaway passwords on weak throwaway sites.
But I never reuse them across sites.
