annoying brute force attack attempt using ssh

Patrick O'Callaghan pocallaghan at gmail.com
Fri May 16 14:01:22 UTC 2008


On Fri, 2008-05-16 at 15:23 +0200, Manuel Aróstegui wrote:
> El jue, 15-05-2008 a las 14:41 -0700, Wolfgang S. Rupprecht escribió:
> > "jeff emminger" <jemminger at gmail.com> writes:
> > > isn't password authentication insecure?  why not set
> > > "PasswordAuthentication no" and use ssh keys, and maybe port-knocking
> > > too
> > 
> > My feeling exactly.  You have no control over how stupid a password
> > users will pick.  The only control you have is to not allow passwords
> > in the first place and insist on at least a 1k-bit (hopefully random)
> > key.
> 
> Although, you can force them to create passwords with numbers, something
> like, for instance,  at least 2 numbers and one alphanumeric characters.
> That would help a wee bit to avoid easy passwords that may be broken
> with a basic brute force attack.

Not really. It used to be the case that substituting '1' for 'i', '3'
for 'e', etc. was a good move, but modern password crackers are wise to
this sort of thing. If you don't want a completely random password
(which you then write down and lose :-) my usual recommendation is to
combine two random words with something non-alphanumeric in between,
e.g. lentil*highway. This approximately squares the difficulty of a
brute-force search. Play around with misspellings, words from two or
more different languages, etc.

Of course for really important stuff I keep my random passwords in an
encrypted database on my Palm Pilot (*not* the builtin "security" but a
third-party app).

poc




More information about the fedora-list mailing list