| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Jun 2010 14:25:35 +0200 From: Bob Onformon <bob.onformon@...il.com> To: Valdis.Kletnieks@...edu Cc: full-disclosure@...ts.grok.org.uk Subject: Re: targetted SSH bruteforce attacks > Compare the work effort needed by an attacker to brute-force a password (I mean, > c'mon Paul - these ssh woodpeckers wouldn't keep hammering if it didn't work > once in a while) with how much woodpecking would be needed to brute-force > a key-authenticated login. It might be more secure if done properly, but that doesn't mean that using password are insecure. I bet that even with root-login enabled and using a strong password 8 characters or more, it's more likely that you die in traffic, than that someone will brute-force your sshd. Take a password consisting of 12 characters taken from 72 distinct characters set. The attacker are able to test 100 password pr sec against your server. He will still need 230000 years to test every possible password. There are more important things to worry about... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists