On 27-06-2014 19:48, Stuart Henderson wrote:
> "yes, cracking a stolen hash is faster, but it's not what the average user
> should worry about"
>
> I disagree, that is *exactly* what the average user should worry about.
> And knowing that some people use xkcd style passwords, who would start on
> a brute force attack before they've finished with a decent wordlist run?

For someone to be able to steal a hash, they already got into your machine. I believe that, at this point, you have much more to worry about than just your password being crackable. The wordlist run you mentioned will get the weak passwords, based on one, two or three small words with special-char variations. But with four or five big words, things start to get a little more complicated. Especially if you throw a foreign language word into the mix.

> Using a long phrase is *much* worse than an equally long string of random
> characters. But of course most people can't remember the latter. It's a trade
> off.

Yes, that was entirely the point of the comic. The trade-off. But the entropy of the letter "a" is the same as that of "@". As I mentioned, and as someone asked me off list, the most modern password cracking tools know all these variations people use. This one: http://hashcat.net/oclhashcat/ is the best AFAIK. So, with that in mind, using these special chars and punctuation barely keeps your password from being hacked. Especially if you are using a word and only changing some letters with them.

> /var/log/authlog on pretty much any machine with exposed ssh tells
> a different story ...
>
> (not that you really want people even getting as far as being able
> to attempt passwords..)

Well, pf comes in handy in these cases. In other systems I use fail2ban. It's worse than pf, but it is what can be done with iptables on linux anyway. And there are options for not needing to keep your ssh exposed. I never had a machine hacked, even when not using any mitigation techniques.
Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
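The point made above about "@" carrying no more entropy than "a" once a cracker's rule set enumerates the substitutions can be made concrete. The following is an added example, not code from the thread or from hashcat: it enumerates the leet-style variants a substitution rule would generate for a single word and compares the resulting search space with that of a multi-word passphrase. The leet map, dictionary size (100,000 words) and suffix count (1,000 appended digit/punctuation variants) are assumptions for illustration, and the passphrase figure assumes the words are picked uniformly at random, not by the user.

```python
"""Added example (not from the thread): how little a leet-style
substitution buys once the attacker's rule set already enumerates it,
compared with adding more words.

Model: the attacker runs a wordlist of D words through mangling rules
(leet substitutions, appended digits/punctuation). Each rule variant is
one cheap extra guess, so a password built from one dictionary word costs
roughly D * variants * suffixes guesses. A passphrase of N words drawn
independently and uniformly from the same list costs about D**N guesses.
"""
import itertools
import math

# Constructed substitution map of the kind cracking rule sets already ship.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}


def leet_variants(word: str) -> set:
    """Every spelling reachable by substituting any subset of the LEET
    positions in `word`, i.e. what a toggle-substitution rule enumerates."""
    base = list(word.lower())
    positions = [i for i, c in enumerate(base) if c in LEET]
    out = set()
    for r in range(len(positions) + 1):
        for chosen in itertools.combinations(positions, r):
            chars = base[:]
            for i in chosen:
                chars[i] = LEET[chars[i]]
            out.add("".join(chars))
    return out


def rule_space_bits(dict_size: int, variants_per_word: int,
                    suffixes: int = 1) -> float:
    """log2 of guesses to exhaust wordlist x substitution variants x suffixes."""
    return math.log2(dict_size * variants_per_word * suffixes)


def passphrase_bits(dict_size: int, n_words: int) -> float:
    """log2 of guesses for n_words chosen uniformly at random from dict_size
    words (a user picking 'memorable' words gets less than this)."""
    return n_words * math.log2(dict_size)


def compare(word: str, dict_size: int = 100_000, n_words: int = 4,
            suffixes: int = 1_000):
    """Return (bits for the mangled single word, bits for an n-word passphrase)."""
    variants = len(leet_variants(word))
    return (rule_space_bits(dict_size, variants, suffixes),
            passphrase_bits(dict_size, n_words))


if __name__ == "__main__":
    for w in ("password", "tomato"):
        vs = leet_variants(w)
        print(f"{w}: {len(vs)} substitution variants, e.g. {sorted(vs)[:4]}")
    mangled, phrase = compare("password")
    print(f"wordlist + rules: ~{mangled:.1f} bits   "
          f"4-word passphrase: ~{phrase:.1f} bits")
```

"password" has four substitutable letters, so the rule produces 16 spellings including "p@$$w0rd"; against a 100,000-word list with 1,000 suffixes that is about 2^30.6 guesses, well within reach of a single GPU against a fast hash, whereas four random words from the same list are about 2^66. The substitutions add four bits; each extra word adds roughly sixteen.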
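The reply also mentions /var/log/authlog, pf and fail2ban together. As an added example, not part of the thread and not fail2ban's or pf's own code, the block below does the fail2ban-style part in Python: it parses sshd "Failed password" lines in the syslog format authlog uses, counts failures per source address within a sliding window, and returns the pfctl(8) commands that would add each offender to a pf table. The log lines are constructed (documentation IP ranges), the threshold, window and table name are assumptions, and the commands are returned as strings rather than executed; the table itself would have to be declared in pf.conf (for example `table <bruteforce> persist` with a block rule referencing it).

```python
"""Added example (not from the thread): fail2ban-style counting of sshd
password failures in /var/log/authlog, emitting pfctl commands that would
add offenders to a pf table. Nothing here executes pfctl."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style sshd lines; addresses are from documentation ranges.
SAMPLE_AUTHLOG = """\
Jun 27 19:48:01 bsdbox sshd[12345]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 27 19:48:03 bsdbox sshd[12345]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Jun 27 19:48:05 bsdbox sshd[12347]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jun 27 19:48:06 bsdbox sshd[12348]: Failed password for giancarlo from 198.51.100.7 port 40001 ssh2
Jun 27 19:48:09 bsdbox sshd[12349]: Accepted publickey for giancarlo from 198.51.100.7 port 40002 ssh2: ED25519 SHA256:...
Jun 27 19:48:12 bsdbox sshd[12350]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jun 27 19:48:14 bsdbox sshd[12351]: Failed password for root from 203.0.113.5 port 51252 ssh2
Jun 27 20:30:00 bsdbox sshd[12360]: Failed password for root from 192.0.2.9 port 33000 ssh2
"""

# Syslog timestamp has no year; "invalid user" is optional in sshd's message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2014):
    """Yield (timestamp, user, source_ip) for each failed-password line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def offenders(text, threshold=5, window_s=60):
    """Return {ip: timestamp at which the threshold was first reached} for
    sources with >= threshold failures inside any window_s-second window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    hit = {}
    for ts, _user, ip in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures that aged out of the window
        if len(q) >= threshold and ip not in hit:
            hit[ip] = ts
    return hit


def pf_block_commands(hit, table="bruteforce"):
    """pfctl(8) invocations to add each offender to a pf table; the table
    name is an assumption and must exist in pf.conf."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(hit)]


if __name__ == "__main__":
    for cmd in pf_block_commands(offenders(SAMPLE_AUTHLOG)):
        print(cmd)
```

On the sample, only 203.0.113.5 reaches five failures inside a minute; the single failure from 198.51.100.7 (a user who then authenticates with a key) and the lone attempt from 192.0.2.9 stay below threshold, which is the property a brute-force blocker needs so that a mistyped password does not lock out the administrator. Entries added this way stay in the table until removed, so a periodic `pfctl -t bruteforce -T expire <seconds>` is the usual way to age them out.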