
Re: Have I been hacked?



On 1/9/2015 8:49 PM, Joel Rees wrote:
> On Fri, Jan 9, 2015 at 6:25 PM, Martin Steigerwald <Martin@lichtvoll.de> wrote:
>> Am Freitag, 9. Januar 2015, 00:24:06 schrieb Brian:
>>> On Thu 08 Jan 2015 at 22:36:46 +0100, Martin Steigerwald wrote:
>>>> Am Donnerstag, 8. Januar 2015, 14:20:27 schrieb Jerry Stuckle:
>>>>> Just ensure you're using good security practices - don't allow root
>>>>> login, use long, random passwords, etc.  I also use random character
>>>>> strings for the login ids, as well as passwords  - just one more thing
>>>>> for the hackers to have to figure out how to get around.
>>>>
>>>> Only allow SSH key based logins. Of course, only after you copied a public
>>>> key onto the machine with ssh-copy-id.
>>>>
>>>> And have SSH keys with *strong* passphrases, to protect against someone
>>>> stealing your key. Use ssh-agent wisely only on trusted machines.
>>>
>>> SSH password logins are just as safe. 20 characters gives a strong
>>> password for use on trusted machines. There is no need to worry about
>>> it being stolen because it is in your memory,
>>
>> I think SSH keys are safer, cause there is no password at all that can be
>> brute forced.
> 
> What do you mean by that?
> 
>> Okay, one can try to guess the key, but try that with a 4096 bit
>> key.
> 
> Hmm.
> 
> 10 characters, 6 to 7 bits per character, that's 60 bits.
> 
> If the bits are truly random, straight brute-force will take, on
> average, half of 2^60 attempts.
> 
> We can hold the integer 2^59 in a C variable on most recent desktops,
> but if we have bc (dc if you like post-fix), we can do this on even 32
> bit CPUs:
> 
> 576460752303423488 (base ten)
> 
> At one million attempts per second, that's 5764607523034 seconds, or
> 182678 CPU-years.
> 
> There's no way that's going to happen on-line, if the password is
> truly random, and not randomly a password that's a quick permutation
> of common memes or of entries in rainbow tables.
>

Actually, 62 possible characters (upper case, lower case and digits), 10
positions is 62^10 or 839,299,365,868,340,224 possible combinations.

Adding in special characters obviously would increase that.

But there is no way you'll hit a server 1,000,000 times a second trying
to brute force a password.


> I currently use sixteen or more letters in my passwords, don't use
> simple permutations or common phrases (as for the first letter trick),
> use disconnected words from multiple languages. Or use 16 character
> true random passwords for the important stuff.
> 

All good suggestions.

> SSH keys are useful, but you have to keep them somewhere. The real
> danger to good passwords is the off-line attempts, and the passphrase
> you use for your private keystore is potentially subject to off-line
> if your password is.
> 

Yes, keys may actually be less secure than passwords.

Jerry
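The keyspace and time-to-crack arithmetic above (2^60 at 10^6 attempts per second, 62^10 for a 10-character alphanumeric password, the contrast between an on-line guess rate and an off-line one) is easy to get wrong by a factor of ten, so here is a small calculator that reproduces it. This is an added example, not code from anyone in the thread. The "online" and "offline" rates, the Julian year of 31,557,600 seconds, and the 33-symbol count for ASCII punctuation are assumptions made for illustration; nothing here measures a real server or cracker.

```python
"""Keyspace / brute-force time calculator (added example, not from the thread).

Assumptions (constructed for illustration):
  - SECONDS_PER_YEAR uses a Julian year (365.25 days).
  - ONLINE_RATE is the thread's 10^6 guesses/s figure; OFFLINE_RATE is a
    made-up 10^10 guesses/s to stand in for an attacker who has the hash or
    key file and is not rate-limited by a server.
"""
import math

SECONDS_PER_YEAR = 31_557_600      # Julian year, assumption
ONLINE_RATE = 1e6                  # guesses/s against a live server (thread's figure)
OFFLINE_RATE = 1e10                # guesses/s against captured material (assumption)

ALPHABETS = {
    "digits": 10,
    "lower": 26,
    "alnum": 62,            # upper + lower + digits, as in the thread
    "printable_ascii": 95,  # 0x20..0x7E
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols drawn from the alphabet."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need alphabet_size >= 2 and length >= 1")
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: log2 of its keyspace."""
    return length * math.log2(alphabet_size)


def expected_attempts(space: int) -> int:
    """A brute-force search over a uniform secret succeeds after half the space on average."""
    return space // 2


def expected_years(space: int, attempts_per_second: float) -> float:
    """Average wall-clock years to hit a uniformly random secret at the given rate."""
    return expected_attempts(space) / attempts_per_second / SECONDS_PER_YEAR


def password_alphabet_size(password: str) -> int:
    """Attacker's-eye alphabet size from the character classes actually used.

    A password built only from lower-case letters lives in a 26-symbol
    space no matter how it was chosen; this is the lower bound a cracker
    would configure.  Only ASCII classes are counted (assumption).
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33          # the 95 printable ASCII symbols minus 62 alnum
    return size


def scenario_table():
    """Return (label, bits, online_years, offline_years) for the cases in the thread."""
    cases = [
        ("2^60 random bits", 2 ** 60),
        ("10 chars, 62-symbol alphabet", keyspace(62, 10)),
        ("16 chars, 62-symbol alphabet", keyspace(62, 16)),
        ("20 chars, lower-case only", keyspace(26, 20)),
    ]
    return [
        (label, math.log2(space),
         expected_years(space, ONLINE_RATE),
         expected_years(space, OFFLINE_RATE))
        for label, space in cases
    ]


if __name__ == "__main__":
    print(f"{'secret':32} {'bits':>6} {'online yrs':>14} {'offline yrs':>14}")
    for label, bits, on, off in scenario_table():
        print(f"{label:32} {bits:6.1f} {on:14.3e} {off:14.3e}")
```

Two things the table makes visible: at 10^6 guesses/s the 2^60 case comes out at roughly 1.8e4 years, and raising the rate by four orders of magnitude (the off-line case) takes that same secret from "never" to a few years, which is the concern Joel raises about the passphrase on a stored private key. Lengthening the secret is what moves the off-line column back out of reach: 16 alphanumeric characters sit above 95 bits.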

