[CentOS] an actual hacked machine, in a preserved state

m.roth at 5-cent.us m.roth at 5-cent.us
Tue Jan 3 20:32:28 UTC 2012

Bennett Haselton wrote:
> mark wrote:
>>> 1. How will you generate "truly random"? Clicks on a Geiger counter?
>>> There is no such thing as a random number generator.
> That there are 10^21 possible random 12-character alphanumeric passwords
> -- making it secure against brute-forcing -- is a fact, not an opinion.
> To date, *nobody* on this thread has ever responded when I said that
> there are 10^21 possible such passwords and as such I don't think that
> the password can be brute-forced in that way.  Almost every time I said

Ok, I'll answer, here and now: YOU IGNORED MY QUESTION: HOW WILL YOU
"RANDOMLY" GENERATE THE PASSWORDS? All algorithmic ones are pseudo-random.
If someone has any idea what the o/s is, they can guess which
pseudo-random generator you're using, and can try different salts. Someone
here posted a link to the Rainbow tables, and precomputed partial lists.
> Again: Do you think I'm wrong that if you use a 12-character mixed-case
> alphanumeric password, then switching to sshkeys or using fail2ban will
> not make the system any more secure?  If you think I'm wrong, why?  What
> is the exact scenario that you think those would prevent?

Without fail2ban, or something like it, they'll hit your system thousands
of times an hour, at least. Sooner or later, they'll get lucky.

But I suppose you'll ignore this, as well.


More information about the CentOS mailing list