Message-ID: <AANLkTimhjSHImTHa8c1-N-YcgRxqUYyN_BzVcRPZJZzb@mail.gmail.com>
Date: Fri, 18 Jun 2010 14:25:35 +0200
From: Bob Onformon <bob.onformon@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: targetted SSH bruteforce attacks

> Compare the work effort needed by an attacker to brute-force a password (I mean,
> c'mon Paul - these ssh woodpeckers wouldn't keep hammering if it didn't work
> once in a while) with how much woodpecking would be needed to brute-force
> a key-authenticated login.

It might be more secure if done properly, but that doesn't mean that
using passwords is insecure.
I bet that even with root login enabled and using a strong password of 8
characters or more, it's more likely that you die in traffic than
that someone will brute-force your sshd.

Take a password consisting of 12 characters drawn from a set of 72 distinct
characters. The attacker is able to test 100 passwords per second
against your server. He will still need 230000 years to test every
possible password.

There are more important things to worry about...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
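Added example, not part of the original post or the list: the exhaustion-time estimate from the reply as a function of character-set size, password length and guess rate, plus a small detector that counts failed password attempts per source in sshd log lines and reports the guess rate actually observed, which is the number the estimate depends on. The log excerpt, hostnames and IP addresses are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sshd auth.log excerpt for this example (syslog format, year omitted).
SAMPLE_AUTH_LOG = """\
Jun 18 14:20:01 host sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jun 18 14:20:02 host sshd[2103]: Failed password for root from 198.51.100.7 port 40123 ssh2
Jun 18 14:20:02 host sshd[2105]: Failed password for invalid user admin from 198.51.100.7 port 40124 ssh2
Jun 18 14:20:03 host sshd[2107]: Failed password for root from 198.51.100.7 port 40125 ssh2
Jun 18 14:20:03 host sshd[2109]: Failed password for root from 198.51.100.7 port 40126 ssh2
Jun 18 14:20:04 host sshd[2111]: Failed password for root from 198.51.100.7 port 40127 ssh2
Jun 18 14:20:30 host sshd[2120]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Jun 18 14:21:10 host sshd[2125]: Accepted publickey for alice from 203.0.113.9 port 51001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def years_to_exhaust(charset_size, length, guesses_per_second):
    """Years needed to try every password of the given shape at the given rate."""
    keyspace = charset_size ** length            # exact integer, no float overflow
    return keyspace / guesses_per_second / SECONDS_PER_YEAR

def failed_logins_by_source(log_text):
    """Map source IP -> (attempts, first timestamp, last timestamp) for failed password logins."""
    stats = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                              # accepted logins and other events are ignored
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        count, first, last = stats.get(m.group("ip"), (0, ts, ts))
        stats[m.group("ip")] = (count + 1, min(first, ts), max(last, ts))
    return stats

def observed_guess_rate(count, first, last):
    """Guesses per second seen from one source; a burst inside one second counts as one second."""
    elapsed = max((last - first).total_seconds(), 1.0)
    return count / elapsed

def flag_sources(log_text, threshold=5):
    """Sources with at least `threshold` failed password attempts, mapped to their observed rate."""
    flagged = {}
    for ip, (count, first, last) in failed_logins_by_source(log_text).items():
        if count >= threshold:
            flagged[ip] = observed_guess_rate(count, first, last)
    return flagged
```

Feeding the observed per-source rate into years_to_exhaust() gives the exhaustion time for that attacker against a chosen password shape; rate limiting or blocking a flagged source lowers the rate, which is the term the defender controls.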
