On Tue, Feb 3, 2015 at 11:20 AM, Scott Robbins <scottro at nyc.rr.com> wrote:
>>
>> I don't think anybody is missing anything. "Palindrome" in this context
>> may not be limited to real words; the author may be suggesting that you
>> not pick your password by picking a real word and tacking on its
>> reverse to make a palindrome, e.g., "password1drowssap".
>>
>
> Ah, that makes sense then, thanks.

I think the intent is: "Don't use a password likely to be included in
the list that an attacker would try". Of course if services would
rate-limit the failures by default or at least warn you about repeated
failures and their source, brute-force attacks would rarely succeed.
But fixing the problem doesn't seem to be the point here.

--
Les Mikesell
lesmikesell at gmail.com
On Tue, February 3, 2015 11:37 am, Les Mikesell wrote:
> On Tue, Feb 3, 2015 at 11:20 AM, Scott Robbins <scottro at nyc.rr.com> wrote:
>>>
>>> I don't think anybody is missing anything. "Palindrome" in this
>>> context
>>> may not be limited to real words; the author may be suggesting that you
>>> not pick your password by picking a real word and tacking on its
>>> reverse to make a palindrome, e.g., "password1drowssap".
>>>
>>
>> Ah, that makes sense then, thanks.
>
> I think the intent is: "Don't use a password likely to be included in
> the list that an attacker would try". Of course if services would
> rate-limit the failures

Which sysadmins have done for ages when they configure their machines. And I
don't think any system will ever come from a system vendor fully prepared to
serve anything necessary, and tightened to best requirements (which depend
on box designation anyway). So, system vendors can do better, but there
will always be a need for you to do your sysadmin's part. Sounds almost like
job security. As one of my friends says: all systems suck, and thanks to
that we got our jobs ;-)

Valeri

> by default or at least warn you about repeated
> failures and their source, brute-force attacks would rarely succeed.
> But fixing the problem doesn't seem to be the point here.
>
> --
> Les Mikesell
> lesmikesell at gmail.com
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On Tue, Feb 3, 2015 at 11:48 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
>> I think the intent is: "Don't use a password likely to be included in
>> the list that an attacker would try". Of course if services would
>> rate-limit the failures
>
> Which sysadmins have done for ages when they configure their machines. And I
> don't think any system will ever come from a system vendor fully prepared to
> serve anything necessary, and tightened to best requirements (which depend
> on box designation anyway).

Really? Are vendors not capable of shipping something with good default
settings? It seems like getting a new car and having to install a
different engine yourself because the factory couldn't figure out how to
do it.

> So, system vendors can do better, but there
> will always be a need for you to do your sysadmin's part.

If that were really true, then you also wouldn't be able to follow
anyone else's advice about how to do it. That is, if your system really
needs to be so different that it couldn't have been shipped with the
configuration you need, then a book couldn't tell you that either.

> Sounds almost like
> job security. As one of my friends says: all systems suck, and thanks to
> that we got our jobs ;-)

But wouldn't you rather be doing something new/different instead of
just fixing things that should have been done right in the first place?

--
Les Mikesell
lesmikesell at gmail.com
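The thread's point that a service should "rate-limit the failures" and "warn you about repeated failures and their source" is easy to state and slightly less easy to do correctly, because a naive total count never forgets and a per-minute bucket can be straddled. The following Python is an added illustration written for this page, not code from the CentOS list or from any of the posters: it parses sshd-style "Failed password" lines, keeps a sliding window of failures per source address, and reports the moment a source crosses the threshold at which a rate limiter would start refusing attempts or an alert would fire. The log lines, the hostname, the addresses and the year 2015 (syslog timestamps carry no year) are all constructed sample values.

```python
"""Sliding-window detection of repeated authentication failures per source.

Added illustration for the thread above; not the list's or any poster's code.
The log lines below are constructed sample data in the syslog format sshd
writes to /var/log/secure on CentOS.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one noisy source, one legitimate user who mistyped once.
SAMPLE_LOG = """\
Feb  3 11:20:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Feb  3 11:20:03 host sshd[1202]: Failed password for root from 198.51.100.7 port 40123 ssh2
Feb  3 11:20:04 host sshd[1203]: Accepted publickey for les from 192.0.2.10 port 50110 ssh2
Feb  3 11:20:05 host sshd[1204]: Failed password for root from 198.51.100.7 port 40124 ssh2
Feb  3 11:20:06 host sshd[1205]: Failed password for root from 198.51.100.7 port 40125 ssh2
Feb  3 11:20:09 host sshd[1206]: Failed password for root from 198.51.100.7 port 40126 ssh2
Feb  3 11:23:30 host sshd[1207]: Failed password for les from 192.0.2.10 port 50111 ssh2
Feb  3 11:31:00 host sshd[1208]: Failed password for root from 198.51.100.7 port 40127 ssh2
"""

# Matches only failed password attempts; "Accepted ..." lines are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

YEAR = 2015  # assumed: syslog lines carry no year


def parse_failure(line):
    """Return (timestamp, user, source) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["src"]


class FailureTracker:
    """Counts failures per source inside a sliding time window."""

    def __init__(self, max_failures=5, window_seconds=600):
        self.max_failures = max_failures
        self.window = window_seconds
        self._events = defaultdict(deque)  # src -> timestamps still in window

    def record(self, ts, src):
        """Record one failure; return True if src has now hit the threshold."""
        q = self._events[src]
        q.append(ts)
        # Drop failures that fell out of the window, so old noise is forgotten.
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        return len(q) >= self.max_failures

    def count(self, src):
        return len(self._events[src])


def scan_log(text, max_failures=5, window_seconds=600):
    """Replay log lines in order; return {source: time it first hit the limit}."""
    tracker = FailureTracker(max_failures, window_seconds)
    tripped = {}
    for line in text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, _user, src = parsed
        if tracker.record(ts, src) and src not in tripped:
            tripped[src] = ts
    return tripped


if __name__ == "__main__":
    for src, when in scan_log(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} source {src} exceeded the failure threshold")
```

With the defaults (5 failures within 600 seconds) only 198.51.100.7 trips, at its fifth attempt; the single mistyped password from 192.0.2.10 is below the limit, and the straggler at 11:31:00 does not re-trip because the earlier failures have aged out of the window. In a real deployment the same decision would feed a firewall rule or a PAM lockout rather than a print statement.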