On 1/3/2012 12:32 PM, m.roth at 5-cent.us wrote: > Bennett Haselton wrote: >> mark wrote: > <snip> >>>> 1. How will you generate "truly random"? Clicks on a Geiger counter? >>>> There is no such thing as a random number generator. > <snip> >> That there are 10^21 possible random 12-character alphanumeric passwords >> -- making it secure against brute-forcing -- is a fact, not an opinion. >> >> To date, *nobody* on this thread has ever responded when I said that >> there are 10^21 possible such passwords and as such I don't think that >> the password can be brute-forced in that way. Almost every time I said > Ok, I'll answer, here and now: YOU IGNORED MY QUESTION: HOW WILL YOU > "RANDOMLY" GENERATE THE PASSWORDS? All algorithmic ones are pseudo-random. > If someone has any idea what the o/s is, they can guess which > pseudo-random generator you're using, and can try different salts. I generally change them from the values assigned by the hosting company, and just bang my fingers around on the keyboard, with the shift key randomly on and off for good measure :) This also removes the possibility that an incompetent hosting company will store their own copy of the password somewhere that it can be compromised. Even when that possibility is very unlikely, it's still astronomically more likely than the attacker guessing the password by brute force. But even if someone did not do that, don't most Linux distros a good crypto-random number generator for generating new passwords, when they're picked by the machine and not the user? You can use salts that depend on the low bits of high-precision performance counters, and other values that are impossible for an attacker to predict. If any Linux implementation is using anything less than a cryptographically strong generator for creating passwords, like I said it's not my problem, but I would take that up with the developers. > Someone > here posted a link to the Rainbow tables, and precomputed partial lists. > <snip> >> Again: Do you think I'm wrong that if you use a 12-character mixed-case >> alphanumeric password, then switching to sshkeys or using fail2ban will >> not make the system any more secure? If you think I'm wrong, why? What >> is the exact scenario that you think those would prevent? > Without fail2ban, or something like it, they'll hit your system thousands > of times an hour, at least. Sooner or later, they'll get lucky. OK do you *literally mean that* -- that with 10^21 possible passwords that an attacker has to search, I have to worry about the attacker "getting lucky" if they're trying "thousands of times per hour"? > But I suppose you'll ignore this, as well. > > mark > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos