Here's the qualifying statement I made, in an attempt to preempt pedantic squabbles over my choice of arbitrary figures and oversimplified math:

> > I am not a statistician, but

Here is a statement intended to startle you into re-examining your position:

> > Simplistic probability puts the odds of success
> > at 50% - either the attacker gets it right, or they don't.

Here's the intended take home message:

> > The next guess has the same
> > rough odds of being correct as the 100563674th guess.
> Yes, you have to worry about a brute force attack succeeding, every hour of every day that you give it a window to knock on.

Here is you nitpicking over figures; acknowledging the opportunity for an improvement of several orders of magnitude and disregarding it, stuck in your misconceptions; and wholly missing the point.

> Actually, each time you make a guess and it's wrong, the probability of
> success goes up slightly for your next guess. Imagine having 10 cups
> with a ball under one of them. The probability of turning over the
> right cup on the first try is 1/10. If you're wrong, though, then the
> probability of getting it right on the next cup goes up to 1/9, and so on.
>
> But it's all a moot point if there are 10^24 possible passwords and the
> odds of finding the right one in any conceivable length of time are
> essentially zero.
>
> > Of course, no amount of guessing will succeed on a system that doesn't
> > accept passwords. System security, in terms of probability, seems to be
> > an 'every little bit helps' sort of endeavour.
>
> Well it depends on how literally you mean "every little bit" :) If the
> chance of a break-in occurring in the next year from a given attack is 1
> in 10^10, you can reduce it to 1 in 10^20, but it's already less likely
> than your data center being hit by a meteorite. The real problem is
> that it takes away from time that can be used for things that have a
> greater likelihood of reducing the chance of a break-in. If I had taken
> the advice about ssh keys at the beginning of the thread, I never would
> have gotten to the suggestion about SELinux.
>
> Bennett
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

I'm moving on from this - much better men than I have tried and failed here.