
Re: Have I been hacked?



On Fri, Jan 9, 2015 at 6:25 PM, Martin Steigerwald <Martin@lichtvoll.de> wrote:
> Am Freitag, 9. Januar 2015, 00:24:06 schrieb Brian:
>> On Thu 08 Jan 2015 at 22:36:46 +0100, Martin Steigerwald wrote:
>> > Am Donnerstag, 8. Januar 2015, 14:20:27 schrieb Jerry Stuckle:
>> > > Just ensure you're using good security practices - don't allow root
>> > > login, use long, random passwords, etc.  I also use random character
>> > > strings for the login ids, as well as passwords - just one more thing
>> > > for the hackers to have to figure out how to get around.
>> >
>> > Only allow SSH key based logins. Of course, only after you copied a public
>> > key onto the machine with ssh-copy-id.
>> >
>> > And have SSH keys with *strong* passphrases, to protect against someone
>> > stealing your key. Use ssh-agent wisely only on trusted machines.
>>
>> SSH password logins are just as safe. 20 characters gives a strong
>> password for use on trusted machines. There is no need to worry about
>> it being stolen because it is in your memory,
>
> I think SSH keys are safer, cause there is no password at all that can be
> brute forced.

What do you mean by that?

> Okay, one can try to guess the key, but try that with a 4096 bit
> key.

Hmm.

10 characters, 6 to 7 bits per character, that's 60 bits.

If the bits are truly random, straight brute-force will take, on
average, half of 2^60 attempts.

We can hold the integer 2^59 in a C variable on most recent desktops,
but if we have bc (dc if you like post-fix), we can do this on even 32-bit
CPUs:

576460752303423488 (base ten)

At one million attempts per second, that's 5764607523034 seconds, or
182678 CPU-years.

There's no way that's going to happen on-line, if the password is
truly random, and not randomly a password that's a quick permutation
of common memes or of entries in rainbow tables.

I currently use sixteen or more letters in my passwords, don't use
simple permutations or common phrases (as for the first-letter trick),
use disconnected words from multiple languages. Or use 16-character
true random passwords for the important stuff.

SSH keys are useful, but you have to keep them somewhere. The real
danger to good passwords is the off-line attempts, and the passphrase
you use for your private keystore is potentially subject to off-line
attempts if your password is.

> Anyway, I will unsubscribe now.
>
> Staying on this list has not been beneficial for me.
>
> The amount of traffic on this list, that is not related to Debian or is
> bickering like this is so high that I find it too time consuming to find out
> the rare gems of threads where I can still learn something new about Debian or
> that I enjoy in engaging and replying to.
>
> Don't bother to answer. I will likely delete it.
>
> Ciao,
> --
> Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
> GPG: 03B0 0D6C 0040 0710 4AFA  B82F 991B EAAC A599 84C7

-- 
Joel Rees

Freedom costs in software, too.
How much, and what,
are you willing to pay for your freedom?
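An added worked example, written by the editor and not part of the mail
above or anyone's code in the thread: it carries the mail's work-factor
estimate through in exact integer arithmetic (the same reason the mail
reaches for bc) and extends it to the on-line versus off-line distinction
the mail raises at the end. The alphabet sizes and the three guess rates
are assumptions chosen for illustration; only the 10^6 guesses per second
figure comes from the mail.

```python
"""Brute-force work factor for uniformly random passwords.

Added example: the editor's code, not code from the mail or its authors.
The alphabet sizes and guess rates below are assumptions chosen to show
the online/offline difference; 10**6 guesses per second is the rate the
mail uses for its own estimate.
"""
from math import log2

SECONDS_PER_YEAR = 31_557_600  # 365.25 days

# Assumed symbol alphabets: how many equally likely choices per position.
ALPHABETS = {
    "lowercase letters": 26,
    "letters and digits": 62,
    "printable ASCII": 94,
    "diceware word": 7776,  # one position = one word from a 7776-word list
}

# Assumed guess rates, in guesses per second.
RATES = {
    "online, throttled (e.g. fail2ban)": 10,
    "online, unthrottled": 10**6,
    "offline, fast unsalted hash on a GPU": 10**10,
}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password of `length` symbols drawn uniformly at random."""
    return length * log2(alphabet_size)


def expected_attempts(alphabet_size: int, length: int) -> int:
    """Average guesses to hit a uniformly random password: half the keyspace.

    Python integers are arbitrary precision, so this is exact well past
    2**64 (the same point the mail makes about using bc)."""
    return alphabet_size ** length // 2


def seconds_to_crack(attempts: int, guesses_per_second: int) -> int:
    """Whole seconds needed at a constant guess rate (integer division)."""
    return attempts // guesses_per_second


def years_to_crack(attempts: int, guesses_per_second: int) -> float:
    """Years needed at a constant guess rate."""
    return seconds_to_crack(attempts, guesses_per_second) / SECONDS_PER_YEAR


def work_factor(alphabet_size: int, length: int) -> dict:
    """Expected years to crack at each assumed guess rate."""
    attempts = expected_attempts(alphabet_size, length)
    return {name: years_to_crack(attempts, rate) for name, rate in RATES.items()}


def sixty_bit_case() -> tuple:
    """The mail's scenario: 60 truly random bits at one million guesses/second.

    Returns (expected attempts, seconds, years)."""
    attempts = 2**60 // 2
    return attempts, seconds_to_crack(attempts, 10**6), years_to_crack(attempts, 10**6)


if __name__ == "__main__":
    attempts, secs, yrs = sixty_bit_case()
    print(f"60 random bits @ 1e6/s: {attempts} attempts, {secs} s, {yrs:,.0f} years")
    for name, size in ALPHABETS.items():
        for length in (8, 10, 16, 20):
            bits = entropy_bits(size, length)
            print(f"\n{length} x {name} ({bits:.1f} bits):")
            for rate, years in work_factor(size, length).items():
                print(f"  {rate:38s} {years:>16,.2g} years")
```

Run as-is it prints the table for every alphabet and length. The 60-bit
case comes out to 2^59 = 576460752303423488 attempts, 576460752303
seconds, about 18,267 years at one million guesses per second; the same
table shows 8 random lowercase letters lasting about ten seconds against
an off-line GPU attack on a fast unsalted hash, which is the point about
off-line attempts: the guess rate, not the alphabet, is what changes by
orders of magnitude.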

