> On Feb 4, 2015, at 5:20 PM, Kahlil Hodgson <[email protected]>
> wrote:
>
> On 5 February 2015 at 10:36, Warren Young <[email protected]> wrote:
>> When the hashes are properly salted, the only option is brute force. All
>> having /etc/shadow does for you is let you make billions of guesses per
>> second instead of 5 guesses per minute, as you get with proper throttling on
>> remote login avenues.
>
> Kinda highlights that 'time' is important here.
Yes, which is why a properly-designed remote credential checking system
throttles login attempts: to buy time.
Safes and vaults aren’t rated “secure” or “insecure,” they’re rated in terms of
minutes. This one here is a 5 minute safe, and that one over there is a 15
minute safe. You buy the one that gives you the time you need to react
appropriately to an attack.
> An 8 character password might just nudge the
> probabilities in your favour and protect against a drive by attack.
>
> Does that sound like a reasonable case to protect against?
That’s exactly what this change does.
This calculator will help you to explore the problem:
https://www.grc.com/haystack.htm
Put in something like “Abc123@#” to turn on all the green lights to see the
effect of a password that will pass the new rules.
SSH as shipped on CentOS doesn’t allow 1,000 guesses per second, as this
calculator assumes, so we actually have a few orders of magnitude more
security. Not that it matters, given that it reports that my example password
would take 2.13 thousand centuries to crack.
_______________________________________________
CentOS mailing list
[email protected]
http://lists.centos.org/mailman/listinfo/centos
