On 26/3/25 06:48, Jan Claeys wrote:
> FWIW: at that rate it takes millions of years to guess an even halfway semi-secure 8-character password, let alone the really secure longer one you _should_ be using.
It's not the random password guess that's a problem. It's the passwords that have been compromised on some website where you re-use your username and password.
Depending on the site compromised, the attacker can get your IP address, username, and password. It's always worth a try to see if they work for ssh.
This type of attack may work only in one in a million cases, but it's often enough to be useful to a professional hacker.
The basic security policy should be to never expose a password-protected service to the internet. First, don't expose them at all. Second, if you do have to, then use certificates or public key backed up with MFA.
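
Added example, not part of the original message: one way to check that an ssh server follows the "public key backed up with MFA" advice is to audit its effective settings in the format printed by `sshd -T`. The two sample configurations and the function names `parse` and `audit` are constructed for this illustration.

```python
# Added example: audit effective sshd settings (the format printed by `sshd -T`).
# WEAK and HARDENED are constructed sample inputs, not taken from any real host.

WEAK = """\
passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes
authenticationmethods any
"""

HARDENED = """\
passwordauthentication no
kbdinteractiveauthentication yes
pubkeyauthentication yes
authenticationmethods publickey,keyboard-interactive
"""

def parse(text):
    """Map lowercase keyword -> value, one setting per line."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings

def audit(text):
    """Return findings; an empty list means a key plus a second method is enforced."""
    s = parse(text)
    findings = []
    # Missing keywords fall back to the OpenSSH defaults (yes / yes / any).
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("password authentication is enabled")
    if s.get("pubkeyauthentication", "yes") != "yes":
        findings.append("public key authentication is disabled")
    # Space-separated lists are alternatives; commas join methods that must all succeed.
    for alt in s.get("authenticationmethods", "any").split():
        required = [m.split(":")[0] for m in alt.split(",")]
        if alt == "any" or "publickey" not in required:
            findings.append(f"'{alt}' lets a login succeed without a key")
        elif len(required) < 2:
            findings.append(f"'{alt}' has no second factor after the key")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "ok")
```

The check confirms that two methods are required, not what the second one is: `keyboard-interactive` is handled by PAM, which must itself be configured to ask for a one-time code rather than the account password.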