Bennett Haselton wrote:
> mark wrote:
<snip>
>>> 1. How will you generate "truly random"? Clicks on a Geiger counter?
>>> There is no such thing as a random number generator.
<snip>
> That there are 10^21 possible random 12-character alphanumeric passwords
> -- making it secure against brute-forcing -- is a fact, not an opinion.
>
> To date, *nobody* on this thread has ever responded when I said that
> there are 10^21 possible such passwords and as such I don't think that
> the password can be brute-forced in that way. Almost every time I said

Ok, I'll answer, here and now: YOU IGNORED MY QUESTION: HOW WILL YOU
"RANDOMLY" GENERATE THE PASSWORDS?

All algorithmic ones are pseudo-random. If someone has any idea what the
o/s is, they can guess which pseudo-random generator you're using, and can
try different salts. Someone here posted a link to the Rainbow tables, and
precomputed partial lists.
<snip>
> Again: Do you think I'm wrong that if you use a 12-character mixed-case
> alphanumeric password, then switching to sshkeys or using fail2ban will
> not make the system any more secure? If you think I'm wrong, why? What
> is the exact scenario that you think those would prevent?

Without fail2ban, or something like it, they'll hit your system thousands
of times an hour, at least. Sooner or later, they'll get lucky.

But I suppose you'll ignore this, as well.

mark
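
Added example, not part of the thread and not written by either poster: it puts numbers on the two points argued above, the size of the 12-character mixed-case alphanumeric keyspace and how that shrinks when the password comes from a seeded pseudo-random generator instead of the operating system's CSPRNG. The clock-seeded generator, the one-hour window, the timestamp and the guess rate are constructed assumptions.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 mixed-case alphanumeric symbols
LENGTH = 12

def keyspace_bits(alphabet_size=len(ALPHABET), length=LENGTH):
    """Entropy in bits of a password whose characters are uniformly random."""
    return length * math.log2(alphabet_size)

def weak_password(seed):
    """Password from a seeded Mersenne Twister: fully determined by the seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))

def strong_password():
    """Password drawn from the OS CSPRNG through the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))

def effective_bits(seed_count):
    """A seeded generator can emit at most seed_count distinct passwords."""
    return min(math.log2(seed_count), keyspace_bits())

def years_to_exhaust(bits, guesses_per_hour):
    """Years needed to try every candidate at a fixed online guess rate."""
    return 2 ** bits / guesses_per_hour / (24 * 365)

def candidates_in_window(start, end):
    """Every password a clock-seeded generator could have produced in [start, end)."""
    return {weak_password(seed) for seed in range(start, end)}

if __name__ == "__main__":
    rate = 10_000                  # constructed: login attempts per hour
    window_start = 1_700_000_000   # constructed Unix timestamp
    pool = candidates_in_window(window_start, window_start + 3600)
    weak = weak_password(window_start + 1234)  # seed is a second inside the window
    print(f"full keyspace: 62^12 = {62 ** 12:.2e} ({keyspace_bits():.1f} bits)")
    print(f"exhaust at {rate}/hour: {years_to_exhaust(keyspace_bits(), rate):.1e} years")
    print(f"clock-seeded, 1h window: {len(pool)} candidates "
          f"({effective_bits(3600):.1f} bits), "
          f"{years_to_exhaust(effective_bits(3600), rate) * 8760:.2f} hours")
    print("weak password is inside the candidate pool:", weak in pool)
    print("CSPRNG password:", strong_password())
```

The keyspace figure only holds when every character is drawn from an unpredictable source; with a seeded generator the search space is the set of plausible seeds, whatever the password length.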