[CentOS] Another Fedora decision

Thu Feb 5 00:43:42 UTC 2015
Warren Young <wyml at etr-usa.com>

> On Feb 4, 2015, at 5:20 PM, Kahlil Hodgson <kahlil.hodgson at dealmax.com.au> wrote:
> 
> On 5 February 2015 at 10:36, Warren Young <wyml at etr-usa.com> wrote:
>> When the hashes are properly salted, the only option is brute force.  All having /etc/shadow does for you is let you make billions of guesses per second instead of 5 guesses per minute, as you get with proper throttling on remote login avenues.
> 
> Kinda highlights that 'time' is important here.

Yes, which is why a properly-designed remote credential checking system throttles login attempts: to buy time.

Safes and vaults aren’t rated “secure” or “insecure,” they’re rated in terms of minutes.  This one here is a 5 minute safe, and that one over there is a 15 minute safe.  You buy the one that gives you the time you need to react appropriately to an attack.

> An 8 character password might just nudge the
> probabilities in your favour and protect against a drive by attack.
> 
> Does that sound like a reasonable case to protect against?

That’s exactly what this change does.

This calculator will help you to explore the problem:

    https://www.grc.com/haystack.htm

Put in something like “Abc123@#” to turn on all the green lights to see the effect of a password that will pass the new rules.  

SSH as shipped on CentOS doesn’t allow 1,000 guesses per second, as this calculator assumes, so we actually have a few orders of magnitude more security.  Not that it matters, given that it reports that my example password would take 2.13 thousand centuries to crack.