[CentOS] what percent of time are there unpatched exploits against default config?

Sat Dec 31 19:50:55 UTC 2011
Alex Milojkovic <centos at businessforce.ca>

Thanks Johnny,
Yes, if you have console access to the server and can plug in the GPU, and/or have access to the password file.

Ok let me rephrase myself.
How many people have had their passwords cracked on Internet servers by means available to them?
In other words gained root access by way of a TCP service.

These articles are based on theoretical math and scenarios that are not common.
They are saying one billion passwords per second
How many servers can handle a million requests per second without a DoS? I'd like to have one :)

But the reality is that most passwords are taken through flaws in the software run as root or by weak password and obvious user names.

Everything else is more or less social engineering in my opinion and shouldn't focus on passwords. In that case no authentication mechanism will be enough, we are just fooling ourselves.
If someone can gain physical access to your server you've got other problems, not password problems.
It's not the fault of the developer/password mechanism.
One weakness in Unix is that root account. Everyone knows it's there and everyone's trying it.
When will it be possible to set your own admin username, that'd be nice.
In Windows you can rename Administrator which helps.

The Internet is still an infant.
Hopefully sometime soon, perimeter routers will be like border checkpoints.
I like you, you get in.
I don't like you, you stay out.
IP address allocation needs to be done smarter so that geographical regions can be isolated easier. And at some point it probably will be.
The Internet has facilitated the biggest financial/intellectual losses during such a short time of its existence.
I believe that needs to change.

Good discussion

--Alex
-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Johnny Hughes
Sent: Saturday, December 31, 2011 6:14 AM
To: centos at centos.org
Subject: Re: [CentOS] what percent of time are there unpatched exploits against default config?

On 12/30/2011 11:02 PM, Alex Milojkovic wrote:
> I think the best password policy is the one you've never told anyone and never posted on a public mailing list.
> 
> How many of you out there know of cases where administrators' passwords were compromised by brute force?
> Can we take a count of that?

I know of plenty ... people contact security at centos.org all the time after having their machines compromised by brute force.

Here are a couple of articles for you to read:

http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System

http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/

> 
> I believe in passwords. I don't believe in PKI. 
> It's a lot more likely that I will forget my laptop somewhere, or that someone will steal my usb key than that someone will guess my password and have opportunities to try it.
> PKI is convenience and if your password is 20-30 characters it will take long time to break it.
> 
> Password crack estimator
> http://www.mandylionlabs.com/documents/BFTCalc.xls
> 
> Spreadsheet is safe (take my word for it) ha,ha
> 
> Scenario of botnet with 1000 PCs making attempts to crack our password ain't gonna happen. 

You don't need a botnet of 1000 PCs ... you only need a couple of graphics cards.

> 
> 
> -Alex
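The thread contrasts two brute-force settings: offline cracking of a stolen password file at the roughly one billion guesses per second the articles cite, and online guessing through a TCP service, which a server can only absorb at a tiny fraction of that rate. The calculator below, an added example that is not part of the CentOS list thread, turns that contrast into numbers a defender can use when sizing a password policy. The offline rate of 1e9/s is taken from the articles quoted above; the online rate of 10 guesses per second and the 100-year target are constructed assumptions.

```python
# Added example (not from the CentOS list thread): compare expected brute-force
# time for an offline attack (rate from the quoted GPU articles) against online
# guessing through a network service (rate is an assumed, constructed figure).

SECONDS_PER_YEAR = 365.25 * 24 * 3600

OFFLINE_RATE = 1e9   # guesses/s, the figure the quoted articles cite for a GPU
ONLINE_RATE = 10.0   # guesses/s, assumed rate a rate-limited sshd would tolerate

# Sizes of common character classes drawn from printable ASCII.
CHARSET_SIZES = {
    "digits": 10,
    "lower": 26,
    "lower+upper": 52,
    "alnum": 62,
    "alnum+symbols": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def expected_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Expected time to hit a uniformly random password: half the keyspace,
    divided by the guess rate."""
    return keyspace(alphabet_size, length) / 2.0 / rate


def expected_years(alphabet_size: int, length: int, rate: float) -> float:
    return expected_seconds(alphabet_size, length, rate) / SECONDS_PER_YEAR


def min_length_for(alphabet_size: int, rate: float, target_seconds: float) -> int:
    """Smallest password length whose expected crack time at `rate` meets
    `target_seconds`. Used to size a policy for the offline case, where the
    attacker, not the server, decides the guess rate."""
    length = 1
    while expected_seconds(alphabet_size, length, rate) < target_seconds:
        length += 1
    return length


def report(length: int) -> dict:
    """Expected years to crack a `length`-character password from each
    character class, offline and online."""
    return {
        name: {
            "offline_years": expected_years(size, length, OFFLINE_RATE),
            "online_years": expected_years(size, length, ONLINE_RATE),
        }
        for name, size in CHARSET_SIZES.items()
    }


if __name__ == "__main__":
    print("8-character passwords, expected years to crack:")
    for name, row in report(8).items():
        print(f"  {name:14s} offline {row['offline_years']:12.4f}   "
              f"online {row['online_years']:14.1f}")
    century = 100 * SECONDS_PER_YEAR
    print("Minimum length for a 100-year expected offline crack time:")
    for name, size in CHARSET_SIZES.items():
        print(f"  {name:14s} {min_length_for(size, OFFLINE_RATE, century)}")
```

The two columns make the thread's point concrete: an 8-character alphanumeric password survives an online attack for a very long time, but only hours against an offline attacker who has the hash file, so the policy has to be sized for the offline case, and the practical defences for the online case are rate limiting and monitoring rather than length alone.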