On Thu, Jul 21, 2011 at 04:52:43PM GMT, Thomas C. Knoeller [
tck@pretend.net] said the following:
>
> Heh. This touches on the other part of my paranoia with PKI; the
> short passphrase. Imagine that your passphrase encrypted key gets
> loose in the wild.[1] At that point, you can brute force the file
> without anyone knowing you are doing it. No matter how many thousands
> of bits the key itself is, if the passphrase is simple or small
> enough, there is a possibility of it being decrypted. Whereas, if you
> are doing the password checking during the login process, if a failure
> happens, it is logged and you have a chance of seeing the attack
> before to many guesses of the password can be made.
It depends on what type of passphrase you are using. You might think
that a passphrase could be cracked easier, but it turns out that a
sentence is a lot harder to crack than an 8 character password.
I give an example like this on my SSH tutorial here:
http://support.suso.com/supki/SSH_Tutorial_for_Linux#Generating_a_key
An 8 character password that uses a set of characters made from upper
and lowercase, numbers and symbols has 94^8 or 6,095,689,385,410,816
combinations.
Now if you use a 5 word sentence for a passphrase, you are probably
pulling from a vocabulary of 5000 or so words. "For instance this
measly sentence" could be such a passphrase. The number of combinations
rises to 5000^5 or 3,125,000,000,000,000,000, which is 512 times more
combinations than an 8 character password. And you're probably more
likely to remember the passphrase.
If an attacker had to try to crack the passphrase they could either do
it based on combinations of letters, which on a 33 letter sentence would
be about 28^33 combinations. If the attacker had to try combinations of
words in a dictionary, they are probably going ot have to use a
dictionary larger than your vocabulary, so maybe 50,000 words. This
would be 50000^5 to try. Of course, they don't know how many words, so
they may start with 3 words, then 4, then 5, etc.
Here is a summary to give you an idea of how large of numbers we are
talking about:
simple 5 character password combinations (a-z)
26^5 = 11881376 (0.01 seconds)
full alphanumeric 5 character password (a-zA-Z0-9):
62^5 = 916132832 (0.9 seconds)
complex alphanumeric 5 character password (above + all symbols)
94^5 = 7339040224 (7.3 seconds)
3 word passphrase drawing from 2000 word vocabulary
2000^3 = 8000000000 (8 seconds)
simple 8 character password combinations (a-z)
26^8 = 208827064576 (208 seconds)
4 word passphrase drawing from 2000 word vocabulary
2000^4 = 16000000000000 (4.4 hours)
full alphanumeric 8 character password (a-zA-Z0-9):
62^8 = 218340105584896 (2.5 days)
complex alphanumeric 8 character password (above + all symbols)
94^8 = 6095689385410816 (70 days)
5 word passphrase drawing from 2000 word vocabulary
2000^5 = 32000000000000000 (1 year, 5 days)
5 word passphrase drawing from 5000 word vocabulary
5000^5 = 3125000000000000000 (99 years)
The time shown in parens is the maximum time that it would take for a
system capable of encrypting 1 billion passwords per second would take.
Apparently, home desktop systems with high end GPUs have been built that
can do this.
Lesson learned from all this? Sentence based passphrases are much much
stronger. The downside is that they are easier to accidently say in your
sleep.
> I agree that the script kiddie login attempts are annoying. But they
> are not likely to succeed if you use password best practices. And if
> you are really worried about them, and cannot lock down the ssh port
> to known remote hosts, using a port knocker of some sort is an easy
> way to only open the port when needed.
>
> As someone else said, 2 factor auth (something you have plus something
> you know) is still the best thing to do, but if you don't do that, and
> need to open ssh to the public, local password is my preference over
> keys.
>
> -Tom
>
>
> [1] Using the stroll to the kitchen example again, if you forget to
> lock your screen, and someone gets to the machine before the 2 minute
> auto kick in of auto screen locker, they can easily open a terminal
> and run a curl command to upload the public key[2] from your machine.
>
> [2] If you are using security by obscurity, while in the daemon rc
> file to change the port number, you should also change the default
> location of the public key file.
> _______________________________________________
> BLUG mailing list
> BLUG@linuxfan.com
> http://mailman.cs.indiana.edu/mailman/listinfo/blug
>
--
Mark Krenz
Bloomington Linux Users Group
http://www.bloomingtonlinux.org/
Sent from Mutt using Linux
_______________________________________________
BLUG mailing list
BLUG@linuxfan.com
http://mailman.cs.indiana.edu/mailman/listinfo/blug