On 12/29/2011 03:53 PM, 夜神 岩男 wrote: > On 12/29/2011 10:21 PM, Marko Vojinovic wrote: >> On Thursday 29 December 2011 13:07:56 Reindl Harald wrote: >>> Am 29.12.2011 12:56, schrieb Leonard den Ottolander: >>>> Hello Reindl, >>>> >>>> On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote: >>>>> Am 29.12.2011 09:17, schrieb Bennett Haselton: >>>>>> Even though the ssh key is more >>>>>> random, they're both sufficiently random that it would take at least >>>>>> hundreds of years to get in by trial and error. >>>>> >>>>> if you really think your 12-chars password is as secure >>>>> as a ssh-key protcected with this password you should >>>>> consider to take some education in security >>>> >>>> Bennett clearly states that he understands the ssh key is more random, >>>> but wonders why a 12 char password (of roughly 6 bits entropy per byte >>>> assuming upper& lower case characters and numbers) wouldn't be >>>> sufficient. >>> >>> so explain me why discuss to use or not to use the best >>> currently availbale method in context of security? >> >> Using the ssh key can be problematic because it is too long and too random to >> be memorized --- you have to carry it on a usb stick (or whereever). This >> provides an additional point of failure should your stick get lost or stolen. >> Human brain is still by far the most secure information-storage device. :-) >> >> It is very inconvenient for people who need to login to their servers from >> random remote locations (ie. people who travel a lot or work in hardware- >> controlled environment). >> >> Besides, it is essentially a question of overkill. If password is not good >> enough, you could argue that the key is also not good enough --- two keys (or >> a larger one) would be more secure. Where do you draw the line? >> >> Best, :-) >> Marko > > Hi Marko! > What about IC cards? I use that a lot, and its reduced my need for a > password to something tiny (6 numbers) and requires a physical key (my > card). I have the root certificates, private keys, etc. stored offline > just in case my card goes nuts, which has happened before, but I've > never had a problem with this. > > When traveling I log in to my home server and work servers with my > laptop. Its really a *lot* easier than using a bunch of pasword schemes. > I was initially worried that I'd run into a situation where I'd either > lose my card traveling, or it would get crushed, or whatever -- but that > hasn't happened in 5 years. What has happened in 5 years of doing this > is intermittent network outages, work server crashing, web applications > failing, database corruption, etc. > > So from experience (mine and coworkers, at least), it is a lot more > likely that problems will arise from totally different vectors than > having ssh keys and ic cards making life complicated -- because from > this user's perspective its made things a LOT simpler. > > But it requires a bit of study. Which most people don't do. More to the > point most people don't even read popups on the screens, even the big > red scary ones, so... > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos > > I like to use serial numbers from MB, HDD, etc., as passwords. I never use normal words for my passwords, and few other users (with ssh/cli access) are carefully checked for their passwords. If this formula is true "(1/2 . 2 ^ 54 . 1s / 10)" for 9 *random* character password, then 0.5 * 18014398509481984 /10 gives 900719925474099 seconds to crack it, or 10424999137 days per attacker. If you use denyhosts or fail2ban, attacker needs 10,000 attack PC's that never attacked any denyhosts or fail2ban server in recent time. So for army of 10,000 attacker PC's, bruteforce ssh needs 1042499 days, or 2856 years to crack it. Is this correct figure? -- Ljubomir Ljubojevic (Love is in the Air) PL Computers Serbia, Europe Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman... StarOS, Mikrotik and CentOS/RHEL/Linux consultant