On Fri, 25 Jul 2008 20:27:16 +0100, Nix wrote:
> On 25 Jul 2008, Jonathan Buzzard spake thusly:
>> On Tue, 22 Jul 2008 08:39:45 +0100, Nix wrote:
>>> No random password that's short enough for you to remember it can
>>> possibly have enough entropy to be secure. Keys have as much entropy as
>>> you like (depending on how long you make them), with no human memory
>>> burden, and the shortest has far more entropy than the longest password.
>>
>> Really, as secure as those Debian generated keys...
>
> Well, duh, if your cryptosystem's PRNG is broken you're sort of screwed.
> If you always pick passwords whose first four letters are 'A' you're
> screwed too.
>
The point being that keys are not some panacea and those that think they
are, are silly.
>> The point is that nobody is doing brute force ssh attacks. In nearly a
>
> Excellent. That's an even better reason to use a key rather than a
> password: lots of people attack passwords, nobody attacks keys.
>
Wrong, people are currently attacking keys as well...
>> decade of having dozens of public internet facing machines on well
>> connected networks (that in today's terms means in excess of 1Gbps upstream
>> internet connected bandwidth) have I ever seen such an attack.
>
> I've seen a lot of dictionary attacks, but that's all remotely. I've
> seen brute-force attacks from hostile insiders over a local net (yes,
> it was obvious, but principally because he didn't clean the logs so the
> disk filled up with error messages: he did it at night while rolling
> compiles were running so the CPU usage wouldn't have been very
> noticeable. We did notice that the compiles were taking longer...)
>
You were allowing more than one login attempt per second...
>> The reality is that it is simply not a feasible proposition. If you just
>> stick to an eight character password with a mixture of upper and lower
>> letters plus the digits, that is 218 trillion possible passwords. How do
>
> And you have to *remember* them. Nobody does. Everyone either writes
> them down or carries them around on a USB stick. If they do that they
> can carry around a key instead.
>
Funny I seem to remember random passwords quite easily. In fact 99.99% of
people I know seem to be able to remember random sequences of numbers and
digits without problem. They are called telephone numbers and postcodes.
>> you propose brute forcing that, especially if I rate limit login attempts
>> to one per second. It would take you the best part of 7000 millennia.
>
> Most passwords have *dramatically* less entropy than you suggest for the
> simple reason that nobody can remember gibberish passwords. This is so
> well known it's made the national news (along with the news that people
> will give away their passwords --- or at least what they *say* is their
> passwords --- for paltry rewards.)
Do they, none of mine do, and any system admin who cannot pick a random
password and
>> So the added aggravation of carrying a key around buys you zilch additional
>> security in reality.
>
> Passwords are definitely crackable: I've seen it done, over and over again.
> Keys are not, without insane resources.
Only if you pick bunk passwords, just like if you generate bunk keys.
>>> You really need a passworded keyphrase: that way at least you have two
>>> parts of the security mantra: something you have and something you know.
>>> Passwords alone only allow for one of those.
>>
>> No I don't.
>
> OK, so you don't care about security. Great.
>
I do, which is why I have *never* had a compromised system that I have
been responsible for.
>
> What hassle? It's not as if tracking a key is any harder than tracking
> a gibberish password that you can't remember (in fact it's easier because
> you don't need the key to be human-readable, and it's more secure not least
> because you can passphrase it against someone nicking your key: if someone
> nicks your written-down gibberish password you are dead meat.)
Except my gibberish password is not written down anywhere, and I have no
issue remembering it. For anyone who can remember a sequence of eight
random characters, which I maintain is not hard to do, a key buys no
additional worthwhile security and a whole bunch of hassle.
JAB.
--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
St. Andrews, United Kingdom.