BLU Discuss list archive
[Discuss] deadmanish login?
- Subject: [Discuss] deadmanish login?
- From: bogstad at pobox.com (Bill Bogstad)
- Date: Thu, 2 Feb 2017 14:36:56 -0500
- In-reply-to: <e480dec0-22f0-99be-dbc0-fa3f75ddd1fe@gmail.com>
- References: <iydoKFG1q6EvZNl6T2sztfNEyMK3eE7jp_2ZXrcPTgVFK1IPE5deLwZcViB_xDQMcb16enHDIBp9gek18AIxu5VrLtdgSHK6qEOO91dh2nA=@protonmail.com> <20170131014651.GA21915@newtao.randomstring.org> <1cca093a-2f5b-c105-0288-5f435c11104e@borg.org> <e94de5ff-7644-d501-ccb4-fd4a6b32ff7a@napc.com> <565bdd82-c70e-3e64-6786-63f9b8de12da@borg.org> <e480dec0-22f0-99be-dbc0-fa3f75ddd1fe@gmail.com>
On Wed, Feb 1, 2017 at 12:03 PM, Richard Pieri <richard.pieri at gmail.com> wrote:
> On 1/31/2017 8:48 AM, Kent Borg wrote:
>> "15-ladder-bamboo-sierra" is an easy password to remember and type, yet
>> it has 40 bits of entropy. Even if some bizarrely configured sshd
>
> It also uses dictionary words. Using dictionary words (read: not random)
> reduces the effective entropy of the key.

My quick estimate is that just the 3 words in his password gives him something close to 40 bits. That's assuming a dictionary size of 10000 words. If you assume that an attacker has to do a rate-limited on-line attack to search that 40-bit space, that seems adequate to me. On the other hand, if you allow for the possibility of an attacker obtaining the password hash file and attacking it offline, then maybe that isn't enough.

Kent's concern seems to be that because your SSH private key file is encrypted, many people will put it in lots of places where they shouldn't. If just one of those places is compromised, even briefly, the attacker can do an off-line attack against the key file.

Aside, since others have noted their non-standard security procedures... I regularly reuse passwords between different systems. Specifically, systems/web sites in which I have no significant stake. I really don't care if someone who manages to crack the InfoWorld web site can then read the NY Times using the same credentials. Each financial and email account, on the other hand, gets a different password.

Bill Bogstad

> --
> Rich P.
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
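Bill's "3 words from a 10000-word list is close to 40 bits" estimate, and his online-versus-offline distinction, worked through as an added example (this is not code from the thread). The guess rates for a rate-limited sshd and for an offline attack on a leaked hash or key file are assumptions, as is the toy wordlist.

```python
import math
import secrets

# Assumptions, not from the post: an online attacker throttled by sshd to
# ~10 guesses/s, and an offline attacker with a stolen password hash or
# encrypted key file running ~1e9 guesses/s on GPUs.
ONLINE_GUESSES_PER_SEC = 10
OFFLINE_GUESSES_PER_SEC = 1e9
SECONDS_PER_YEAR = 365 * 24 * 3600


def passphrase_bits(word_count: int, dict_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly and independently from
    a `dict_size`-word list. Being dictionary words does not lower this:
    the guesser still has to try every combination of list entries."""
    return word_count * math.log2(dict_size)


def expected_years_to_crack(bits: float, guesses_per_sec: float) -> float:
    """Average time for exhaustive search, which needs half the keyspace."""
    return (2.0 ** bits / 2) / guesses_per_sec / SECONDS_PER_YEAR


def survives(bits: float, guesses_per_sec: float, min_years: float = 100.0) -> bool:
    """True when the expected crack time exceeds `min_years`."""
    return expected_years_to_crack(bits, guesses_per_sec) >= min_years


def generate_passphrase(wordlist, word_count: int = 3, sep: str = "-"):
    """Draw words with a CSPRNG; return the passphrase and its entropy.
    The entropy comes from the list size and the random choice, not the words."""
    words = [secrets.choice(wordlist) for _ in range(word_count)]
    return sep.join(words), passphrase_bits(word_count, len(wordlist))


if __name__ == "__main__":
    bits = passphrase_bits(3, 10_000)  # Bill's case: 3 words, 10000-word list
    print(f"3 words from 10000: {bits:.1f} bits")
    for label, rate in (("online", ONLINE_GUESSES_PER_SEC),
                        ("offline", OFFLINE_GUESSES_PER_SEC)):
        years = expected_years_to_crack(bits, rate)
        print(f"{label}: {years:.2g} years, adequate={survives(bits, rate)}")
    # Constructed toy wordlist, only to exercise the generator (3 bits/word).
    toy = ["ladder", "bamboo", "sierra", "mango", "kettle", "orbit", "velvet", "sparrow"]
    print(generate_passphrase(toy))
```

With these rates the same 40-bit passphrase takes on the order of 1500 years online but minutes offline, which is the gap Bill is pointing at.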