On 12/30/2011 11:02 PM, Alex Milojkovic wrote:
> I think the best password policy is the one you've never told anyone and never posted on a public mailing list.
>
> How many of you out there know of cases where administrators' passwords were compromised by brute force?
> Can we take a count of that?

I know of plenty ... people contact security at centos.org all the time after having their machines compromised by brute force.

Here are a couple of articles for you to read:

http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System

http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/

> I believe in passwords. I don't believe in PKI.
> It's a lot more likely that I will forget my laptop somewhere, or that someone will steal my USB key than that someone will guess my password and have opportunities to try it.
> PKI is convenience and if your password is 20-30 characters it will take a long time to break it.
>
> Password crack estimator
> http://www.mandylionlabs.com/documents/BFTCalc.xls
>
> Spreadsheet is safe (take my word for it) ha,ha
>
> Scenario of botnet with 1000 PCs making attempts to crack our password ain't gonna happen.

You don't need a botnet of 1000 PCs ... you only need a couple of graphics cards.

> -Alex
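The disagreement above is about arithmetic: how large the keyspace of a password is versus how many guesses per second an attacker can afford. The following estimator is an added illustration written for this thread; it is not code from the list, from CentOS, or from the linked spreadsheet. The guess rates in GUESS_RATES are assumed round figures chosen only to show the comparison (a single CPU core, a pair of GPUs, a CPU-only botnet); they are not measurements, and the model assumes a uniformly random password and a fast unsalted hash, which is the worst case for the defender.

```python
# Brute-force keyspace and expected-time estimator (added example, not from the thread).
# Assumes uniformly random passwords and a fast hash; all rates below are assumed.
import math

# Alphabet sizes for common password character classes.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "printable ASCII": 95,
}

# Assumed guesses per second, illustrative only (not measured figures).
GUESS_RATES = {
    "one CPU core": 1e7,
    "two consumer GPUs": 2e10,
    "1000-PC botnet, CPUs only": 1e10,
}

# Unit table for human-readable durations, largest unit first.
SECONDS_PER = [
    ("years", 365.25 * 86400),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
    ("seconds", 1),
]


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of the given shape."""
    return length * math.log2(alphabet_size)


def expected_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password: half the keyspace on average."""
    return search_space(alphabet_size, length) / (2 * guesses_per_second)


def length_for_target(alphabet_size: int, guesses_per_second: float, target_seconds: float) -> int:
    """Smallest length whose expected crack time is at least `target_seconds`."""
    needed_keyspace = 2 * guesses_per_second * target_seconds
    return math.ceil(math.log(needed_keyspace) / math.log(alphabet_size))


def human_duration(seconds: float) -> str:
    """Render a duration using the largest unit that yields a value >= 1."""
    for unit, size in SECONDS_PER:
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def crack_table(lengths=(8, 12, 20)) -> dict:
    """Expected crack time for every charset/length/attacker combination."""
    table = {}
    for charset, size in CHARSETS.items():
        for length in lengths:
            for attacker, rate in GUESS_RATES.items():
                table[(charset, length, attacker)] = expected_seconds(size, length, rate)
    return table


def print_table(lengths=(8, 12, 20)) -> None:
    """Print the comparison the thread argues about, one line per combination."""
    for (charset, length, attacker), secs in crack_table(lengths).items():
        bits = entropy_bits(CHARSETS[charset], length)
        print(f"{charset:18} len={length:2} ({bits:5.1f} bits) "
              f"vs {attacker:26}: {human_duration(secs)}")
    century = 100 * 365.25 * 86400
    for attacker, rate in GUESS_RATES.items():
        need = length_for_target(CHARSETS["printable ASCII"], rate, century)
        print(f"random printable-ASCII length for a 100-year expectation vs {attacker}: {need}")


if __name__ == "__main__":
    print_table()
```

Running it shows the shape of the argument: an 8-character password falls to the assumed GPU rate in seconds regardless of the 1000-PC botnet figure, while a 20-character random password is far beyond any of the assumed rates. The last lines turn the claim around and ask what length a random password needs for a given attacker, which is the question a password policy actually has to answer. Slow, salted hashes (bcrypt, PBKDF2) and rate limiting on the login path lower the effective guess rate by orders of magnitude and are the defender-side levers this model leaves out.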