ssh: Permission denied

Wolfgang S. Rupprecht wolfgang.rupprecht+gnus200612 at gmail.com
Sat Dec 23 21:20:45 UTC 2006


"Dylan Semler" <dylan.semler at gmail.com> writes:
> However, if you use an 8-digit password with capital and lowercase
> letters, numbers, and symbols, there are 8^( 26*2 + 10*2 + 20 ) = 8^92 =
> 1.21e83 possible passwords.  Since ssh waits about a second after each
> incorrect password and there have been only 3.32e17 seconds in the history
> of the universe, it seems strictly /impossible/ for a password to be
> guessed.  So the risk must not be from password-bots.  What is the risk
> then?

This calculation is only correct if and only if the letters and
numbers are truly chosen with uniform distribution.  In practice
people tend to choose mostly from the easy to type letters.  The
result is a password that is composed of mostly easy to type letters
with perhaps one or two uppers, numerics or punctuation.  The search
space for that is quite a bit smaller than the full 92^8 of your
example.  My gut feel is that it would be well below 26^8 because even
of the lower case, many are chosen with the same probability.
 
Personally I don't believe folks should be using passwords for
anything but local logins.  For ssh a 1k-bit rsa key is going to be a
fair bit stronger and one doesn't have to worry about foolish users
that pick their wife's name or pet's name as the password.

-wolfgang
-- 
Wolfgang S. Rupprecht                http://www.wsrcc.com/wolfgang/
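An added illustration of the entropy argument in the reply above; this is example code written for this page, not something from the thread. The class weights in HUMAN_MODEL are a constructed assumption about how people pick characters, not measured data; the 92-symbol count and the roughly one guess per second rate are the thread's own figures.

```python
import math

# Constructed character-choice model (an assumption for illustration, not
# measured data): the 92 symbols of the thread's count, split into classes.
# Each entry is (number of symbols in the class, total probability that a
# typed character falls in that class); symbols within a class are uniform.
HUMAN_MODEL = {
    "easy lowercase (e.g. home row)": (10, 0.60),
    "other lowercase":               (16, 0.20),
    "uppercase":                     (26, 0.08),
    "digits":                        (10, 0.08),
    "punctuation":                   (30, 0.04),
}

def uniform_bits(symbols: int) -> float:
    """Entropy per character when every one of `symbols` is equally likely."""
    return math.log2(symbols)

def model_bits(model=HUMAN_MODEL) -> float:
    """Shannon entropy per character under a class-weighted model."""
    h = 0.0
    for count, p_class in model.values():
        p = p_class / count            # probability of one specific symbol
        h -= count * p * math.log2(p)  # `count` identical terms of -p*log2(p)
    return h

def effective_keyspace(bits_per_char: float, length: int) -> float:
    """Number of equally likely passwords carrying the same total entropy."""
    return 2.0 ** (bits_per_char * length)

def years_to_exhaust(keyspace: float, guesses_per_sec: float = 1.0) -> float:
    """Time to try every password at the given rate (ssh: about 1 guess/s)."""
    return keyspace / guesses_per_sec / (365.25 * 24 * 3600)

def compare(length: int = 8) -> dict:
    """Effective keyspace and exhaustive-search time under each assumption."""
    cases = {
        "uniform over 92 symbols":   uniform_bits(92),
        "uniform over 26 lowercase": uniform_bits(26),
        "constructed human model":   model_bits(),
    }
    return {name: (effective_keyspace(b, length),
                   years_to_exhaust(effective_keyspace(b, length)))
            for name, b in cases.items()}

if __name__ == "__main__":
    for name, (space, years) in compare().items():
        print(f"{name:28s} {space:10.3e} passwords, {years:10.3e} years at 1/s")
```

Shannon entropy still flatters the defender: an attacker who tries the most likely passwords first needs far fewer than 2^H attempts on average, which is the practical reason the reply prefers keys over passwords for ssh.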