> On Feb 4, 2015, at 5:20 PM, Kahlil Hodgson <kahlil.hodgson at dealmax.com.au> wrote: > > On 5 February 2015 at 10:36, Warren Young <wyml at etr-usa.com> wrote: >> When the hashes are properly salted, the only option is brute force. All having /etc/shadow does for you is let you make billions of guesses per second instead of 5 guesses per minute, as you get with proper throttling on remote login avenues. > > Kinda highlights that 'time' is important here. Yes, which is why a properly-designed remote credential checking system throttles login attempts: to buy time. Safes and vaults aren’t rated “secure” or “insecure,” they’re rated in terms of minutes. This one here is a 5 minute safe, and that one over there is a 15 minute safe. You buy the one that gives you the time you need to react appropriately to an attack. > An 8 character password might just nudge the > probabilities in your favour and protect against a drive by attack. > > Does that sound like a reasonable case to protect against? That’s exactly what this change does. This calculator will help you to explore the problem: https://www.grc.com/haystack.htm Put in something like “Abc123@#” to turn on all the green lights to see the effect of a password that will pass the new rules. SSH as shipped on CentOS doesn’t allow 1,000 guesses per second, as this calculator assumes, so we actually have a few orders of magnitude more security. Not that it matters, given that it reports that my example password would take 2.13 thousand centuries to crack.