On 1/9/2015 8:49 PM, Joel Rees wrote: > On Fri, Jan 9, 2015 at 6:25 PM, Martin Steigerwald <mar...@lichtvoll.de> > wrote: >> Am Freitag, 9. Januar 2015, 00:24:06 schrieb Brian: >>> On Thu 08 Jan 2015 at 22:36:46 +0100, Martin Steigerwald wrote: >>>> Am Donnerstag, 8. Januar 2015, 14:20:27 schrieb Jerry Stuckle: >>>>> Just ensure you're using good security practices - don't allow root >>>>> login, use long, random passwords, etc. I also use a random character >>>>> strings for the login ids, as well as passwords - just one more thing >>>>> for the hackers to have to figure out how to get around. >>>> >>>> Only allow SSH key based logins. Of course, only after you copied a public >>>> key onto the machine with ssh-copy-id. >>>> >>>> And have SSH keys with *strong* passphrases, to protect against someone >>>> stealing your key. Use ssh-agent wisely only on trusted machines. >>> >>> SSH password logins are just as safe. 20 characters gives a strong >>> password for use on trusted machines. There is no need to worry about >>> it being stolen because it is in your memory, >> >> I think SSH keys are safer, cause there is no password at all that can be >> brute forced. > > What do you mean by that? > >> Okay, one can try to guess the key, but try that with a 4096 bit >> key. > > Hmm. > > 10 characters, 6 to 7 bits per character, that's 60 bits. > > If the bits are truly random, straight brute-force will take, on > average, half of 2^60 attempts. > > We can hold the integer 2^59 in a C variable on most recent desktops, > but if we have bc (dc if you like post-fix), we can do this on even 32 > bit CPUs: > > 576460752303423488 (base ten) > > At one milion attempts per second, that's 5764607523034 seconds, or > 182678 CPU-years. > > There's no way that's going to happen on-line, if the password is > truly random, and not randomly a password that's a quick permutation > of common memes or of entries in rainbow tables. >
Actually, 62 possible characters (upper case, lower case and digits), 10 positions is 62^10 or 839,299,365,868,340,224 possible combinations. Adding in special characters obviously would increase that. But there is no way you'll hit a server 1,000,000 times a second trying to brute force a password. > I currently use sixteen or more letters in my passwords, don't use > simple permutations or common phrases (as for the first leter trick), > use disconnected words from multiple languages. Or use 16 character > true random passwords for the important stuff. > All good suggestions. > SSH keys are useful, but you have to keep them somewhere. The real > danger to good passwords is the off-line attempts, and the passphrase > you use for your private keystore is potentially subject to off-line > if your password is. > Yes, keys may actually be less secure than passwords. Jerry -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/54b08c3d.4090...@gmail.com
