[CentOS] Another Fedora decision

Warren Young wyml at etr-usa.com
Thu Feb 5 00:43:42 UTC 2015


> On Feb 4, 2015, at 5:20 PM, Kahlil Hodgson <kahlil.hodgson at dealmax.com.au> wrote:
> 
> On 5 February 2015 at 10:36, Warren Young <wyml at etr-usa.com> wrote:
>> When the hashes are properly salted, the only option is brute force.  All having /etc/shadow does for you is let you make billions of guesses per second instead of 5 guesses per minute, as you get with proper throttling on remote login avenues.
> 
> Kinda highlights that 'time' is important here.

Yes, which is why a properly-designed remote credential checking system throttles login attempts: to buy time.

Safes and vaults aren’t rated “secure” or “insecure,” they’re rated in terms of minutes.  This one here is a 5 minute safe, and that one over there is a 15 minute safe.  You buy the one that gives you the time you need to react appropriately to an attack.

> An 8 character password might just nudge the
> probabilities in your favour and protect against a drive by attack.
> 
> Does that sound like a reasonable case to protect against?

That’s exactly what this change does.

This calculator will help you to explore the problem:

    https://www.grc.com/haystack.htm

Put in something like “Abc123@#” to turn on all the green lights to see the effect of a password that will pass the new rules.  

SSH as shipped on CentOS doesn’t allow 1,000 guesses per second, as this calculator assumes, so we actually have a few orders of magnitude more security.  Not that it matters, given that it reports that my example password would take 2.13 thousand centuries to crack.
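To make the "buy time" argument concrete, here is a small Python model (added here; it is not part of Warren's message and not the GRC calculator's code). It reproduces the haystack calculator's search-space rule, the sum of all strings up to the password's length over the character classes it uses, and then divides by three guess rates: the post's offline case (a leaked, fast-hashed /etc/shadow, assumed here to allow a billion guesses per second), the calculator's 1,000 guesses per second, and the throttled remote login rate of 5 guesses per minute. The 33-symbol class (punctuation plus space) and the 365-day year are assumptions chosen so the figures line up with the calculator's.

```python
# Added example, not code from the original post or from grc.com.
# Models the haystack calculator's search-space estimate and compares how long
# an exhaustive search takes at offline, online and throttled guess rates.
import string

# Character classes; 33 symbols (punctuation + space) matches the calculator's
# assumed alphabet of 26 + 26 + 10 + 33 = 95 characters.  (Assumption.)
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

# Guess rates in guesses per second.  The offline figure is an assumed
# round number for a GPU against a fast hash; the other two are from the post.
RATES = {
    "offline crack of leaked /etc/shadow (assumed 1e9/s)": 1e9,
    "calculator's online assumption (1,000/s)": 1000.0,
    "throttled remote login (5 per minute)": 5 / 60,
}

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # calculator appears to use 365-day years


def alphabet_size(password):
    """Size of the alphabet an attacker must assume: the union of every
    character class that actually appears in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password):
    """Number of candidate strings of length 1..len(password) over the
    inferred alphabet, i.e. the haystack the attacker must exhaust."""
    n = alphabet_size(password)
    return sum(n ** length for length in range(1, len(password) + 1))


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time (seconds) to try the whole search space."""
    return search_space(password) / guesses_per_second


def centuries_to_exhaust(password, guesses_per_second):
    return seconds_to_exhaust(password, guesses_per_second) / SECONDS_PER_YEAR / 100


def throttle_advantage(password):
    """How many times longer the throttled path holds out than the offline
    crack; this ratio is independent of the password and is the point of
    throttling."""
    return (seconds_to_exhaust(password, RATES["throttled remote login (5 per minute)"])
            / seconds_to_exhaust(password, RATES["offline crack of leaked /etc/shadow (assumed 1e9/s)"]))


def describe(seconds):
    """Human-readable duration for the report below."""
    if seconds < 3600:
        return f"{seconds:.0f} seconds"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    # "Abc123@#" is the example from the post; "password" is a constructed
    # lowercase-only counterexample of the same length.
    for pw in ("Abc123@#", "password"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, "
              f"search space {search_space(pw):,}")
        for label, rate in RATES.items():
            print(f"  {label:<55} {describe(seconds_to_exhaust(pw, rate))}")
    print(f"throttling multiplies the attacker's time by {throttle_advantage('x'):.2e}")
```

Run as-is to see the contrast: the mixed-class 8-character password comes out at roughly 2.1 thousand centuries at 1,000 guesses per second, matching the post, while a lowercase-only 8-character password falls in a few minutes offline yet still holds for tens of thousands of years behind a 5-per-minute throttle. The ratio returned by `throttle_advantage` is the same for any password, which is exactly why the post treats throttling, not the hash, as what buys time on the remote path.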


More information about the CentOS mailing list