
Re: Have I been hacked?



2015/01/13 5:17 "Brian" <ad44@cityscape.co.uk>:
>
> On Sun 11 Jan 2015 at 16:43:34 -0700, Bob Proulx wrote:
>
> > Brian wrote:
> > > Bob Proulx wrote:
> > > > Complete agreement.  I want to go further and say that a password that
> > > > you can remember without needing to write it down is probably not a
> > > > good password.
> > >
> > > Security of an ssh login is aimed at allowing access to some but denying
> > > it to others. An authorised user who cannot remember his 20 character
> > > password has experienced a security failure.
> >
> > Security is the part of the system designed to make it not only hard
> > to use but the design goal is to prevent it from being used.
>
> Seeing that my argument that enforcing (if it is possible) an
> unmemorable password is not in the best interests of security doesn't
> gain any traction, let me try a different tack.
>
> The password
>
>   TwasBrilligAndTheSlithyToves

TwasNotBrilligNAND

might have been a stronger password until we talked about these. Both are dead meat now.

Or perhaps

tVaS nicht BrIlLiG NAND,

although it, too, should be considered dead meat now that we have mentioned it in public. Do a bit of l33t$peak on it and it could have been strong enough to use. If I had refrained from mentioning it, at least.

> strikes me as a pretty good one for an ssh login. (I have capitalised
> some letters for readability, not to add complexity). Personally, I find
> it easy to remember and associate with ssh and my account. I cannot see
> why it is not a good password for me.

Just remember that fail2ban only does temporary tarpitting, and only if the attacks are repeated too quickly.

> The automated probes wouldn't get close to cracking it.

Think of a bot farm continuously hitting a crowd of targets, once a second, cycling through spoofed IPs, using informed strategies instead of pure brute force. If they can spoof one IP, they can spoof another.

> The danger might
> be a directed attack - from friends, associates, colleagues etc. If they
> knew about my fixation on Lewis Carroll they might have a go at breaking
> in.

If they think you have something they want, people you don't know will find out about your interests. Blog posts, posts here, etc.

> Actually, it would be ok as a password for banking access too. There
> surely cannot be a banking site which does not take action after a
> number of failed logins. Maybe not using fail2ban, but a similar
> approach which protects both parties.

Means you end up going to the bank in person, to get the lock removed.

Banks aren't perfect, though. You could come to considerable trouble should, for instance, a bank employee decide to do a little investigating of passwords in her spare time, without permission.

But it's your bank account. Go for it.

Joel Rees

Computer memory is just fancy paper,
CPUs just fancy pens.
All is a stream of text
flowing from the past into the future.
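The point about fail2ban above (it only bans a source that fails too often within a short window, so a slow sweep spread over many addresses never trips it) can be checked with a small model. This is an added example, not code from the thread or from the fail2ban project: it replays constructed auth-log lines through a simplified per-IP rule with assumed settings (maxretry 5, findtime 600 s) and then through a per-account rule that counts failures across all sources, which is the kind of aggregate check a defender would add.

```python
import re
from collections import defaultdict, deque

# Simplified version of the sshd failure pattern fail2ban's sshd filter matches.
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def parse(lines):
    """Return (epoch_seconds, user, ip) for each matching line.

    The constructed lines below carry an epoch-seconds prefix instead of a
    syslog timestamp, purely to keep the example self-contained."""
    events = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            events.append((int(line.split()[0]), m.group(1), m.group(2)))
    return events


def _sliding_count(events, key_index, limit, window):
    """Generic sliding-window counter: return keys that reach `limit`
    events within `window` seconds."""
    recent = defaultdict(deque)
    hits = set()
    for event in events:
        key, t = event[key_index], event[0]
        q = recent[key]
        q.append(t)
        while q and t - q[0] > window:      # drop events older than the window
            q.popleft()
        if len(q) >= limit:
            hits.add(key)
    return hits


def per_ip_bans(events, maxretry=5, findtime=600):
    """Model of fail2ban's per-source rule (assumed settings, not a default)."""
    return _sliding_count(events, key_index=2, limit=maxretry, window=findtime)


def per_account_alert(events, threshold=5, window=3600):
    """Aggregate rule: failures against one account, regardless of source IP."""
    return _sliding_count(events, key_index=1, limit=threshold, window=window)


# Constructed samples: a burst from one host every 5 s, and a slow sweep with
# one attempt every 120 s, each from a different documentation-range address.
BURST = [f"{1000 + i * 5} sshd[1]: Failed password for brian from 203.0.113.5 port 4{i} ssh2"
         for i in range(6)]
SLOW = [f"{5000 + i * 120} sshd[1]: Failed password for brian from 198.51.100.{i + 1} port 5{i} ssh2"
        for i in range(12)]
```

Run against the samples, the per-IP rule bans the bursting host but never the rotating ones, while the per-account rule flags `brian` in both cases.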

