Bennett Haselton wrote:
On 1/3/2012 12:32 PM, m.roth@5-cent.us wrote:
Bennett Haselton wrote:
mark wrote:
<snip>
>>> 1. How will you generate "truly random"? Clicks on a Geiger counter?
>>> There is no such thing as a random number generator.
<snip>
To date, *nobody* on this thread has ever responded when I said that there are 10^21 possible such passwords and as such I don't think that the password can be brute-forced in that way. Almost every time I said
Ok, I'll answer, here and now: YOU IGNORED MY QUESTION: HOW WILL YOU "RANDOMLY" GENERATE THE PASSWORDS? All algorithmic ones are pseudo-random. If someone has any idea what the o/s is, they can guess which pseudo-random generator you're using, and can try different salts.
I generally change them from the values assigned by the hosting company, and just bang my fingers around on the keyboard, with the shift key randomly on and off for good measure :) This also removes the
Real random, there. Do you also use a Dvorak keyboard, or a std. qwerty? You want to bet there aren't algorithms out there for guessing that? Certainly, until this minute, I hadn't thought of it, but I'll bet there is.
possibility that an incompetent hosting company will store their own
Hosting co? You're hosted somewhere? And an admin there can't get into your snapshot and add a back door?
copy of the password somewhere that it can be compromised. Even when that possibility is very unlikely, it's still astronomically more likely than the attacker guessing the password by brute force.
Question 1: why is it that brute force attacks go on, day and night, everywhere? I see plenty of them here, when fail2ban tells me it's banning an IP.
But even if someone did not do that, don't most Linux distros have a good crypto-random number generator for generating new passwords, when they're picked by the machine and not the user? You can use salts that
They're all pseudo-random. Unless, maybe, you can get truly random with quantum computing, all you can ever do is pseudo-random. <snip>
Without fail2ban, or something like it, they'll hit your system thousands of times an hour, at least. Sooner or later, they'll get lucky.
OK do you *literally mean that* -- that with 10^21 possible passwords that an attacker has to search, I have to worry about the attacker "getting lucky" if they're trying "thousands of times per hour"?
But I suppose you'll ignore this, as well.
Oh, and your system wasn't compromised, so all of us are wrong, and you're correct.
This thread's killfiled for me - it's pointless.
mark
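The two points argued above (how a machine-picked password gets its randomness, and how the 10^21 search space compares with an online guesser running "thousands of times per hour") can be made concrete. The following is an added example, not code from anyone in this thread: it draws a password from the operating system's CSPRNG via Python's `secrets` module (which reads `os.urandom`, i.e. the kernel's `/dev/urandom` pool on Linux), and then computes the search space, its entropy in bits, and the expected time an attacker needs at a given guess rate. The 62-symbol alphabet, the 12-character length and the guess rate are assumptions chosen so the space lands near the 10^21 figure discussed; they are not values from the thread.

```python
import math
import secrets
import string

# Assumed alphabet: upper- and lower-case letters plus digits, 62 symbols.
# 62**12 is about 3.2e21, the order of magnitude discussed in the thread.
ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 12, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly from the alphabet using the OS CSPRNG.

    secrets.choice() is backed by os.urandom(), so the output does not depend
    on a seed an attacker could reproduce; this is the difference between a
    cryptographic generator and random.choice() (Mersenne Twister), which is
    NOT suitable for passwords.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly chosen password, in bits."""
    return length * math.log2(alphabet_size)


def expected_years_to_guess(length: int, guesses_per_hour: float,
                            alphabet_size: int = len(ALPHABET)) -> float:
    """Expected time for a guesser to hit a uniformly random password.

    A uniformly random password is found, on average, after half the space has
    been searched, so the expected number of guesses is search_space / 2.
    """
    expected_guesses = search_space(length, alphabet_size) / 2
    hours = expected_guesses / guesses_per_hour
    return hours / (24 * 365)


if __name__ == "__main__":
    pw = generate_password()
    print(f"generated password: {pw}")
    print(f"search space      : {search_space(12):.3e}")
    print(f"entropy           : {entropy_bits(12):.1f} bits")
    # Assumed online rate: 10,000 guesses per hour, far above what fail2ban
    # would ever allow through.
    print(f"expected years at 10k guesses/hour: "
          f"{expected_years_to_guess(12, 10_000):.3e}")
```

Running this shows why the two sides of the thread talk past each other: the generator question is answered by using the kernel CSPRNG rather than a seeded algorithm, and at a few thousand online guesses per hour the expected time to exhaust half of a 62^12 space is on the order of 10^13 years, so the practical risk lies with the other paths named above (a copy of the password held by the hosting company, or an administrator with access to the snapshot), not with online brute force.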