On 02/03/2015 03:44 PM, Always Learning wrote:
> There should be a basic defence that when the password is wrong 'n'
> occasions the IP address is blocked automatically and permanently
> unless it is specifically allowed in IP Tables.

As has been mentioned, fail2ban does this. However, the reason you want a password that is not easily bruteforced has nothing to do with this, and all bruteforce attempts cannot be blocked by this method.

Scenario:

1.) There's some sort of security vulnerability that allows an intruder to read an arbitrary file. This type of vulnerability (whether it be in php, glibc, bash, apache httpd, or whatever) is not rare.

2.) Attacker uses said vulnerability to exfiltrate /etc/shadow.

3.) Attacker uses a large graphics card's GPU power, harnessed with CUDA or similar, to run millions of bruteforce attempts per second on the exfiltrated /etc/shadow, on their computer (not yours).

4.) After a few hours, attacker has your password (or at least a password that hashes to the same value as your password), after connecting to your system only once.

Now, there are the slow bruteforcers running out there, but those are not the droids this change is looking for.

By being 'encouraged' to have a difficult-to-bruteforce password from the very first, you have better security even when the attacker exfiltrates /etc/shadow or other password hash table (I say 'when' and not 'if' here). And the bar for what qualifies as a secure password (from the point of view that the attacker has your hashed password in hand and is bruteforcing on their equipment) is continually rising as compute power increases.
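An added example, not from this thread or any of its posters, to put numbers on the offline scenario above: it reads the algorithm and rounds= value from a shadow(5) password field and, for an attacker guess rate the caller supplies as an assumption, reports how long an exhaustive search of a given password policy would take and the minimum length that keeps it above a chosen margin. The shadow field and the rate used below are constructed placeholders.

```python
# Added example (not from the mailing-list thread): estimate how long an
# attacker who already holds a copy of /etc/shadow would need to exhaust a
# password space offline, so a password policy is judged against the GPU
# cracking scenario above rather than against online guessing (fail2ban's case).
import re

# crypt(3) field layout: $id$[rounds=N$]salt$hash  (ids 1, 5, 6 handled here)
SHADOW_FIELD = re.compile(
    r"^\$(?P<id>[156])\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]+)\$(?P<hash>[^$]+)$"
)
# glibc defaults: md5crypt is fixed at 1000, sha256crypt/sha512crypt default to 5000
DEFAULT_ROUNDS = {"1": 1000, "5": 5000, "6": 5000}


def parse_shadow_field(field):
    """Return (algorithm id, rounds) for the password field of a shadow(5) line."""
    m = SHADOW_FIELD.match(field)
    if not m:
        raise ValueError("unsupported or malformed crypt(3) hash: %r" % field)
    alg = m.group("id")
    rounds = int(m.group("rounds")) if m.group("rounds") else DEFAULT_ROUNDS[alg]
    return alg, rounds


def seconds_to_exhaust(alg, rounds, rate_at_default, alphabet_size, length):
    """Worst-case seconds to try every password of `length` symbols drawn from an
    alphabet of `alphabet_size`.  rate_at_default is the attacker's ASSUMED
    guesses/second for `alg` at its default round count (take it from a
    benchmark you trust); cost grows linearly with rounds for this hash family,
    so a larger rounds= value in /etc/shadow slows the attacker proportionally."""
    rate = rate_at_default * DEFAULT_ROUNDS[alg] / rounds
    return alphabet_size ** length / rate


def min_length_for(alg, rounds, rate_at_default, alphabet_size, target_seconds):
    """Smallest length whose full search space takes at least target_seconds.
    This is the 'bar' that rises with GPU throughput: rerun with a higher rate."""
    length = 1
    while seconds_to_exhaust(alg, rounds, rate_at_default,
                             alphabet_size, length) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    # Constructed field (salt and hash are placeholders) and an assumed rate.
    alg, rounds = parse_shadow_field("$6$rounds=50000$saltsalt$hashhashhash")
    assumed_rate = 1e5  # guesses/s at 5000 rounds; illustrative, not measured
    ten_years = 10 * 365 * 86400
    for name, size in (("lowercase", 26), ("alphanumeric", 62), ("printable", 95)):
        print(name, "needs", min_length_for(alg, rounds, assumed_rate, size, ten_years), "chars")
```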