scott wrote: > Jerry Stuckle wrote: > > Actually, 62 possible characters (upper case, lower case and digits), 10 > > positions is 62^10 or 839,299,365,868,340,224 possible combinations. > > > > Adding in special characters obviously would increase that. > > > > But there is no way you'll hit a server 1,000,000 times a second trying > > to brute force a password. Complete agreement. I want to go further and say that a password that you can remember without needing to write it down is probably not a good password. > >> I currently use sixteen or more letters in my passwords, don't use I use 10 for most sites but longer for banking sites. Except for Schwab which I have shamed here before for silently truncating all passwords to 8 characters! > >> simple permutations or common phrases (as for the first leter trick), > >> use disconnected words from multiple languages. Or use 16 character > >> true random passwords for the important stuff. For quite some time now I have only used completely randomly generated passwords. I can't possibly remember them. I use a password storage system unique to my environment. I don't remember them. I write them down. I copy them from my storage when I need them. I use cut-n-paste and so this is actually reasonably convenient everywhere but the tablet. (None of the input methods on the tablet are convenient to me.) This allows me to change passwords at any time without causing me any stress. $ pwgen -s 10 3 orLz4zqMl8 7dCrxj10VT PYzdfX37K0 > >> SSH keys are useful, but you have to keep them somewhere. The real > >> danger to good passwords is the off-line attempts, and the passphrase > >> you use for your private keystore is potentially subject to off-line > >> if your password is. > > > > Yes, keys may actually be less secure than passwords. Yes. The server must trust that the user isn't hacked. Just the same as when using passwords the server must trust that the user didn't let their password escape. It is the same trust needed. If my laptop (with a fully encrypted file system) is stolen then I am definitely going to know almost immediately. (I live on my laptop.) I am immediately going to remove that ssh key from my servers. It will be useless immediately. Well before an attacker can crack both the file system encryption and the ssh rsa key encryption. Both of which I can only assume will eventually happen and I must take appropriate actions due to it. > If you have a dedicated hacker, or hackers, time is on their side. I > would much rather use a key with a passphrase. There are two different areas under discussion here. They are completely different. Yet in this thread people have been confusing them. One is when a database of hashed accounts and passwords has been exposed. An offline cracker has all of the time in the world to crack those hashes. The hashes themselves may be strong or weak. Time and resources are on their side for an offline attack. An offline attack already needs a breach and data exposure first. But that is not what we have been talking about. One is trying to crack an online system by either dictionary or brute force attack. This is what we have been talking about when talking about passwords and ssh rsa keys. The attacker does NOT have time on their side. The attacker is at an extreme disadvantage. Fail the password several times and the connection must be restart which is done specifically to slow down the attacker. Used with fail2ban and after several failed attempts the attacker is banned for ten minutes. In that situation it is probably possible to try a few dozen passwords every ten minutes from a single IP. Even using a distributed botnet attack only scales things linearly with the number of bots. A strong 10 character password with 62+^10 possible combinations as Jerry has calculated out is not practically possible to brute force from an online system. It would take longer than the heat death of the universe. We will all have moved to IPv512 before the odds of success turn into their favor. Bob
Attachment:
signature.asc
Description: Digital signature