07-30-2012, 10:13 PM
Bob Proulx

is it rational to close the 139 port

Brian wrote:
> Henrique de Moraes Holschuh wrote:
> > Brian wrote:
> > > used. But if it can be demonstrated that a twenty character password can
> > > be forced in a time-frame which makes sense I'll stop doing it and most
> >
> > That depends. Are you using any dictionary words or easy character
> > permutations thereof to make a pass-phrase? If so, your 20-char password is
> > a lot weaker than what one might expect at first glance.
>
> There are four dictionary words in this passphrase
>
> Allow*12Root(Logins)NOW!
>
> but it doesn't matter because you either get the whole thing or nothing.
> The password checkers referenced elsewhere in this thread give it 10/10.
> Attacking an sshd password is an online activity so, while I suppose it
> could be in a dictionary, this is a brilliant password; suitable for a
> user or for root. Even if it got guessed after a couple of hundred years
> you would be past caring!

I completely agree with you.

I am going to drift a little by complaining about some password
plugins that will complain about the *plaintext* of the password at
the time you create it. I have seen a number of them that look at the
plaintext of the password and complain about dictionary words in it.
I once tried to use a password similar to "a1Sith4x" (a completely
randomly generated password, see "pwgen") but a password strength
checking plugin on that system complained about it containing a
dictionary word. Did you see it in the above? Yes, I agree that "a"
is a dictionary word but in the context of the password it was
completely random and the fact that it is in the dictionary doesn't
help a cracker in any way.

Password checkers that look at the ciphertext and attack it as an
attacker would attack it are okay. Checkers that cheat and look at
the plaintext are not doing anyone any good. It is a trap.

> Debian's default of enabling root logins is sensible. How hard is it to
> change it should an administrator want to? What damage does it do if
> left as it is?

Or even more important is the question of what is the danger if it is
disabled? I think that could do a lot of damage. If it is disabled
then it is possible with various accidents that an administrator would
be locked out of a system. If it is a remote system, say a data
center on the other side of the world, then this could be a big
hardship to impose upon us. Having the ability to log in as root,
even if you feel the need to change the password afterward, is a huge
safety net.

1. Always use an unguessable password for all accounts, root or
   otherwise.
2. Having a login, root or otherwise, available for encrypted (and
   therefore unsniffable) remote login (such as using ssh) is not a
   security hole.

If anyone thinks the second rule is a problem then they must be
violating the first rule. And of course if the password can be
observed at any point then the strength of it is irrelevant.

I always use and recommend ssh rsa keys. They are safer than
passwords. They are more convenient than passwords. If you avoid
using a password then it reduces the chances for a password to be
compromised.

Bob
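The two passwords discussed above, "a1Sith4x" and "Allow*12Root(Logins)NOW!", make Bob's point concrete: a substring dictionary check flags both, while the attacker's-view estimate (search space in bits, and time at a realistic guess rate) tells a very different story for online sshd guessing versus offline cracking of a leaked hash. The following is an added example, not code from this thread or from pwgen; the toy word list and the two guess rates are constructed assumptions, not measurements.

```python
import math
import string

# Constructed inputs: the two passwords discussed in the thread.
RANDOM_8 = "a1Sith4x"                   # pwgen-style random alphanumeric string
PASSPHRASE = "Allow*12Root(Logins)NOW!"  # four dictionary words plus digits/symbols

# Constructed toy word list standing in for a real dictionary (assumption).
TOY_DICTIONARY = {"a", "allow", "root", "logins", "now", "sith", "password"}


def naive_dictionary_flags(password, dictionary=TOY_DICTIONARY):
    """The plaintext-inspecting check Bob complains about: report every
    dictionary word that occurs as a substring, however short."""
    lower = password.lower()
    return sorted(word for word in dictionary if word in lower)


def charset_bits(password):
    """Search-space size in bits, assuming each character was drawn uniformly
    from the union of the character classes present. This is the right model
    for a randomly generated string; it overstates the strength of a
    human-chosen one, so treat it as an upper bound for PASSPHRASE."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return len(password) * math.log2(alphabet)


def expected_years(bits, guesses_per_second):
    """Expected time to find a uniformly random secret of `bits` bits at the
    given guess rate: on average half the space must be searched."""
    seconds = 2.0 ** bits / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


# Constructed guess rates (assumptions, not measurements):
ONLINE_SSHD = 10        # network-bound guesses/s against a live sshd
OFFLINE_HASH = 1e9      # guesses/s against a leaked hash on fast hardware


def report(password):
    """Summarise one password: what the naive checker flags, and how long a
    search would take online and offline under the assumed rates."""
    bits = charset_bits(password)
    return {
        "flags": naive_dictionary_flags(password),
        "bits": round(bits, 1),
        "online_years": expected_years(bits, ONLINE_SSHD),
        "offline_years": expected_years(bits, OFFLINE_HASH),
    }


if __name__ == "__main__":
    for pw in (RANDOM_8, PASSPHRASE):
        print(pw, report(pw))
```

Run as written, the eight-character random password is flagged for containing "a" and "sith", yet its roughly 48 bits would take on the order of hundreds of thousands of years at ten online guesses per second, and about a day against a leaked hash at a billion guesses per second. That gap between the online and offline columns, not the dictionary flags, is what should drive the choice between password and key authentication.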
 
07-31-2012, 08:31 AM
Chris Bannister

is it rational to close the 139 port

On Mon, Jul 30, 2012 at 06:15:26PM +0100, Brad Rogers wrote:
> On Mon, 30 Jul 2012 11:54:14 -0500
> John Hasler <jhasler@newsguy.com> wrote:
>
> Hello John,
>
> >Brad Rogers writes:
> >> Yeah, on a Post-It note. Stuck to the monitor.
> >That's what people do when you tell them not to write it down. _Tell_
> >them to write it down and tell them _how_.
>
> As it happens, I agree with you; write 'em down, and keep 'em safe.

Or just have one, but make it a good 'un, and never tell anyone.

Reasons: 1) If someone can brute force guess it, you've got other
problems. i.e. -- you're targeted!
2) Clothes, possessions, etc. can be searched. You may never
know until it's too late!
3) If someone wants it, at least you'll know about it¹

Well, actually 2 - one for really important stuff, other for unimportant
stuff; I can trust my bank to keep it safe, but local supermarket is
another story.

¹ I consider this an advantage. See reason 2)

--
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the
oppressing." --- Malcolm X


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20120731083156.GK17427@tal
 
07-31-2012, 10:08 AM
Bonno Bloksma

is it rational to close the 139 port

Hi,

>> Gibberish implies one wouldn't be able to remember the
>> password/phrase.

> Which is why, as Bruce Schneier recommends, you _write it down_.

Which is what I do. Whenever I need a new password I open my editor, close my eyes, randomly hit several keys on my keyboard and Bingo, new random password. I store it securely on my computer and that's it.
Oh, and to make sure it is indeed hard enough to guess: if I do not see enough capitals, numbers and punctuation in there I will insert a few extra.

Bonno Bloksma


Archive: http://lists.debian.org/89D1798A7351D040B4E74E0A043C69D70EF29A22@HGLEXCH-01.tio.nl
 
08-01-2012, 02:22 PM
Celejar

is it rational to close the 139 port

On Tue, 31 Jul 2012 20:31:56 +1200
Chris Bannister <cbannister@slingshot.co.nz> wrote:

> On Mon, Jul 30, 2012 at 06:15:26PM +0100, Brad Rogers wrote:
> > On Mon, 30 Jul 2012 11:54:14 -0500
> > John Hasler <jhasler@newsguy.com> wrote:
> >
> > Hello John,
> >
> > >Brad Rogers writes:
> > >> Yeah, on a Post-It note. Stuck to the monitor.
> > >That's what people do when you tell them not to write it down. _Tell_
> > >them to write it down and tell them _how_.
> >
> > As it happens, I agree with you; write 'em down, and keep 'em safe.
>
> Or just have one, but make it a good 'un, and never tell anyone.
>
> Reasons: 1) If someone can brute force guess it, you've got other
> problems. i.e. -- you're targeted!
> 2) Clothes, possessions, etc. can be searched. You may never
> know until it's too late!
> 3) If someone wants it, at least you'll know about it¹
>
> Well, actually 2 - one for really important stuff, other for unimportant
> stuff; I can trust my bank to keep it safe, but local supermarket is
> another story.

There have been numerous well-publicized breaches at banks, major
retailers, etc. (and doubtless even more unpublicized ones). If / when
hackers get your credentials to one institution, do you really want
them to have the keys to all your accounts?

Celejar


Archive: http://lists.debian.org/20120801102209.a50706cc.celejar@gmail.com
 
08-01-2012, 02:23 PM
Celejar

is it rational to close the 139 port

On Tue, 31 Jul 2012 10:08:28 +0000
Bonno Bloksma <b.bloksma@tio.nl> wrote:

> Hi,
>
> >> Gibberish implies one wouldn't be able to remember the
> >> password/phrase.
>
> > Which is why, as Bruce Schneier recommends, you _write it down_.
>
> Which is what I do. Whenever I need a new password I open my editor,
> close my eyes, randomly hit several keys on my keyboard and Bingo, new
> random password. I store it securely on my computer and that's it.
> Oh, and to make sure it is indeed hard enough to guess: if I do not see
> enough capitals, numbers and punctuation in there I will insert a few
> extra.

Just use something like pwgen or apg.

> Bonno Bloksma

Celejar


Archive: http://lists.debian.org/20120801102309.6d8f97fa.celejar@gmail.com
 
08-03-2012, 07:26 AM
Chris Bannister

is it rational to close the 139 port

On Wed, Aug 01, 2012 at 10:22:09AM -0400, Celejar wrote:
> There have been numerous well-publicized breaches at banks, major
> retailers, etc. (and doubtless even more unpublicized ones). If / when
> hackers get your credentials to one institution, do you really want
> them to have the keys to all your accounts?

OK, I downloaded pwgen, issued "pwgen -s 15 3" and changed chosen password.
All I have to worry about now is someone getting hold of that piece of
paper. IOW, http://xkcd.com/792/, and Glenn's post tipped my thinking.

Perhaps it is misleading for pwgen to state:

[...]
-s, --secure These should only be used for machine passwords, since
otherwise it's almost guaranteed that users will simply write the
password on a piece of paper taped to the monitor...

--
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the
oppressing." --- Malcolm X


Archive: http://lists.debian.org/20120803072656.GA7609@tal
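What `pwgen -s 15 3` does, and what Bonno's eyes-closed keyboard method and Celejar's "just use pwgen or apg" are really about, is drawing every character independently from a good random source. The following is an added example in Python, not pwgen's or apg's own code: it reproduces the shape of that command with the `secrets` module. The alphabet (letters and digits) and the composition rule (at least one capital and one digit, as the pwgen man page describes for its defaults) are assumptions about pwgen stated here, not copied from it.

```python
import math
import secrets
import string

# Letters and digits, as pwgen uses for its default output (assumption).
ALPHABET = string.ascii_letters + string.digits


def has_required_classes(candidate):
    """Composition rule: at least one uppercase letter and one digit. This
    mirrors what the pwgen man page describes for -c/-n (assumption)."""
    return (any(c in string.ascii_uppercase for c in candidate)
            and any(c in string.digits for c in candidate))


def secure_password(length=15):
    """Draw characters uniformly with the OS CSPRNG (secrets, never random)
    and enforce the composition rule by rejection sampling. Redrawing the
    whole string keeps the result uniform over the accepted set; patching
    extra capitals or digits into a finished string by hand, as Bonno
    describes, gives the attacker predictable structure instead."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_required_classes(candidate):
            return candidate


def generate(count=3, length=15):
    """Equivalent in shape to `pwgen -s 15 3`: three independent passwords."""
    return [secure_password(length) for _ in range(count)]


def entropy_bits(length=15, alphabet=ALPHABET):
    """Entropy of one password before the composition rule. At this length
    the rule rejects only a few percent of candidates, so it costs well
    under a bit and this is a close upper bound."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    for pw in generate():
        print(pw)
    print(f"~{entropy_bits():.1f} bits each")
```

Fifteen characters from a 62-symbol alphabet give about 89 bits, far beyond what any online guessing against sshd can touch, which is why the practical risk shifts to where the string is stored: a piece of paper, a plaintext file, or, as Celejar does, a file on a full-disk-encrypted machine.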
 
08-03-2012, 02:28 PM
Celejar

is it rational to close the 139 port

On Fri, 3 Aug 2012 19:26:56 +1200
Chris Bannister <cbannister@slingshot.co.nz> wrote:

> On Wed, Aug 01, 2012 at 10:22:09AM -0400, Celejar wrote:
> > There have been numerous well-publicized breaches at banks, major
> > retailers, etc. (and doubtless even more unpublicized ones). If / when
> > hackers get your credentials to one institution, do you really want
> > them to have the keys to all your accounts?
>
> OK, I downloaded pwgen, issued "pwgen -s 15 3" and changed chosen password.
> All I have to worry about now is someone getting hold of that piece of
> paper. IOW, http://xkcd.com/792/, and Glenn's post tipped my thinking.
>
> Perhaps it is misleading for pwgen to state:
>
> [...]
> -s, --secure These should only be used for machine passwords, since
> otherwise it's almost guaranteed that users will simply write the
> password on a piece of paper taped to the monitor...

I use the '-s' switch for all my passwords, and I store them in a
master file on my machine (which uses full disk encryption).

Celejar


Archive: http://lists.debian.org/20120803102813.4fa9f4c3.celejar@gmail.com