On Feb 4, 2015, at 5:20 PM, Kahlil Hodgson kahlil.hodgson@dealmax.com.au wrote:
On 5 February 2015 at 10:36, Warren Young wyml@etr-usa.com wrote:
When the hashes are properly salted, the only option is brute force. All having /etc/shadow does for you is let you make billions of guesses per second instead of 5 guesses per minute, as you get with proper throttling on remote login avenues.
Kinda highlights that 'time' is important here.
Yes, which is why a properly-designed remote credential checking system throttles login attempts: to buy time.
Safes and vaults aren’t rated “secure” or “insecure,” they’re rated in terms of minutes. This one here is a 5 minute safe, and that one over there is a 15 minute safe. You buy the one that gives you the time you need to react appropriately to an attack.
An 8 character password might just nudge the probabilities in your favour and protect against a drive by attack.
Does that sound like a reasonable case to protect against?
That’s exactly what this change does.
This calculator will help you to explore the problem:
https://www.grc.com/haystack.htm
Put in something like “Abc123@#” to turn on all the green lights to see the effect of a password that will pass the new rules.
SSH as shipped on CentOS doesn’t allow 1,000 guesses per second, as this calculator assumes, so we actually have a few orders of magnitude more security. Not that it matters, given that it reports that my example password would take 2.13 thousand centuries to crack.