On 12/30/2011 11:02 PM, Alex Milojkovic wrote:
> I think the best password policy is the one you've never told anyone and never posted on a public mailing list.
> How many of you out there know of cases where administrators' passwords were compromised by brute force? Can we take a count of that?
I know of plenty ... people contact security@centos.org all the time after having their machines compromised by brute force.
Here are a couple of articles for you to read:
http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Proces...
http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crac...
> I believe in passwords. I don't believe in PKI. It's a lot more likely that I will forget my laptop somewhere, or that someone will steal my USB key, than that someone will guess my password and have opportunities to try it. PKI is convenience, and if your password is 20-30 characters it will take a long time to break it.
> Password crack estimator http://www.mandylionlabs.com/documents/BFTCalc.xls
> Spreadsheet is safe (take my word for it) ha, ha
> Scenario of botnet with 1000 PCs making attempts to crack our password ain't gonna happen.
You don't need a botnet of 1000 PCs ... you only need a couple of graphics cards.
> -Alex
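The two positions above rest on different threat models, and the arithmetic makes that visible. As an added example (not the thread's spreadsheet, and not taken from the linked articles), the Python below computes the expected time to hit a uniformly random password for three attacker models: one host guessing against a live sshd, a 1000-node botnet doing the same, and a pair of GPUs cracking a fast hash offline. Every guess rate is an assumed round figure chosen for illustration; the hash-rate of a real card depends on the hash algorithm and the card.

```python
"""Brute-force time estimator for the scenarios argued over in the thread.

Added illustrative example; it is not the thread's spreadsheet or anything
from the linked articles. Every guess rate below is an ASSUMED round figure
chosen for illustration, not a measured number.
"""
import math
from typing import Dict, Tuple

# Size of the alphabet the attacker must cover (printable ASCII subsets).
CHARSETS: Dict[str, int] = {"lower": 26, "mixed": 52, "alnum": 62, "printable": 95}

# Guesses per second per attacker model (ASSUMED values):
#   online_ssh  - one host guessing against a live sshd, throttled by the
#                 network round trip and the login failure delay
#   botnet_1000 - 1000 such hosts in parallel (the scenario in the thread)
#   gpu_pair    - two consumer GPUs attacking a fast hash OFFLINE, which
#                 presupposes the attacker already holds the password hash
RATES: Dict[str, float] = {
    "online_ssh": 10.0,
    "botnet_1000": 10.0 * 1000,
    "gpu_pair": 2.0e10,
}

SECONDS_PER_YEAR = 365.25 * 86400
AGE_OF_UNIVERSE_YEARS = 1.4e10  # rough figure, used only as a display cap


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    if charset_size < 2 or length < 1:
        raise ValueError("need at least two symbols and a positive length")
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy of a password drawn uniformly from the keyspace."""
    return length * math.log2(charset_size)


def expected_seconds(space: int, guesses_per_second: float,
                     fraction: float = 0.5) -> float:
    """Expected time to hit a uniformly chosen password.

    On average the attacker walks half the keyspace before the hit; pass
    fraction=1.0 for the worst case (exhaustive search)."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return space * fraction / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that keeps the number >= 1,
    capping absurd spans at the age of the universe."""
    years = seconds / SECONDS_PER_YEAR
    if years > AGE_OF_UNIVERSE_YEARS:
        return "longer than the age of the universe"
    units = (("years", SECONDS_PER_YEAR), ("days", 86400.0),
             ("hours", 3600.0), ("minutes", 60.0))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def crack_table(lengths: Tuple[int, ...] = (8, 12, 20, 30),
                charset: str = "mixed") -> Dict[Tuple[int, str], float]:
    """Expected seconds to crack, keyed by (length, attacker model)."""
    n = CHARSETS[charset]
    return {(L, who): expected_seconds(keyspace(n, L), rate)
            for L in lengths for who, rate in RATES.items()}


if __name__ == "__main__":
    for (L, who), secs in sorted(crack_table().items()):
        print(f"{L:2d} chars mixed-case ({entropy_bits(52, L):5.1f} bits) "
              f"vs {who:12s}: {human_duration(secs)}")
```

Under these assumed rates an 8-character mixed-case password survives the botnet for decades but falls to the GPU pair in minutes, while 20 characters and up are out of reach for both. The caveat a practitioner wants: the GPU figure only applies once the attacker has the hash (a leaked shadow file or database), whereas an SSH brute-forcer is stuck at the online rate. So the length argument holds for the password itself, but it does not protect a short password once its hash leaks, and it says nothing about the separate risk of a stolen laptop or USB key that the thread raises against PKI.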