
Re: Have I been hacked?



On Sun 11 Jan 2015 at 16:43:34 -0700, Bob Proulx wrote:

> Brian wrote:
> > Bob Proulx wrote:
> > > Complete agreement.  I want to go further and say that a password that
> > > you can remember without needing to write it down is probably not a
> > > good password.
> > 
> > Security of an ssh login is aimed at allowing access to some but denying
> > it to others. An authorised user who cannot remember his 20 character
> > password has experienced a security failure.
> 
> Security is the part of the system designed to make it not only hard
> to use but the design goal is to prevent it from being used.

Seeing that my argument that enforcing (if it is possible) an
unmemorable password is not in the best interests of security doesn't
gain any traction, let me try a different tack.

The password

  TwasBrilligAndTheSlithyToves

strikes me as a pretty good one for an ssh login. (I have capitalised
some letters for readability, not to add complexity). Personally, I find
it easy to remember and associate with ssh and my account. I cannot see
why it is not a good password for me.

The automated probes wouldn't get close to cracking it. The danger might
be a directed attack - from friends, associates, colleagues etc. If they
knew about my fixation on Lewis Carroll they might have a go at breaking
in.

Actually, it would be ok as a password for banking access too. There
surely cannot be a banking site which does not take action after a
number of failed logins. Maybe not using fail2ban, but a similar
approach which protects both parties.
