Re: Password policy.
On Wed 14 Nov 2018 at 21:21:54 +1100, Andrew McGlashan wrote:
> On 14/11/18 8:44 pm, Brian wrote:
> > On Tue 13 Nov 2018 at 18:50:35 -0800, firstname.lastname@example.org wrote:
> >> https://en.wikipedia.org/wiki/Brute-force_attack
> > Security is already breached if a password database can be attacked
> > in that way. A six character (upper and lower case) login password
> > would take about 500 years to force for someone at the keyboard.
> > This assumes three seconds per try without coffee breaks.
> > I'm the cautious type, so use ten character passwords.
> Well, yes.... but some breaches are from remote machines that may be
> able to lift the /etc/shadow file due to a vulnerability that isn't
> fixed and if that's all they have, then they don't yet need more
> direct access. If they have /etc/shadow, then they can work on
> off-line brute force.
There are two situations I can think of which could lead to /etc/shadow
1. The machine's administrator causes it to happen.
2. There is a flaw in one of the OS's components.
The least said about cause 1, the better. There is nothing which can be
The bug arising in 2. would soon be discovered and a fix rapidly devised
and distributed. There is nothing much to worry about here.