> On Feb 4, 2015, at 5:20 PM, Kahlil Hodgson <kahlil.hodgson at
> dealmax.com.au> wrote:
>
> On 5 February 2015 at 10:36, Warren Young <wyml at etr-usa.com>
> wrote:
>> When the hashes are properly salted, the only option is brute force.
>> All having /etc/shadow does for you is let you make billions of guesses per
>> second instead of 5 guesses per minute, as you get with proper throttling on
>> remote login avenues.
>
> Kinda highlights that 'time' is important here.
Yes, which is why a properly-designed remote credential checking system
throttles login attempts: to buy time.
Safes and vaults aren't rated "secure" or "insecure," they're rated in terms of
minutes. This one here is a 5 minute safe, and that one over there is a 15
minute safe. You buy the one that gives you the time you need to react
appropriately to an attack.
> An 8 character password might just nudge the
> probabilities in your favour and protect against a drive by attack.
>
> Does that sound like a reasonable case to protect against?
That's exactly what this change does.
This calculator will help you to explore the problem:
https://www.grc.com/haystack.htm
Put in something like "Abc123@#" to turn on all the green lights to see the
effect of a password that will pass the new rules.
SSH as shipped on CentOS doesn't allow 1,000 guesses per second, as this
calculator assumes, so we actually have a few orders of magnitude more security.
Not that it matters, given that it reports that my example password would take
2.13 thousand centuries to crack.
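The arithmetic behind the "time" argument in the thread, as an added example that is not part of any message above: it rebuilds the haystack-style search-space figure for a password such as "Abc123@#" and divides it by several guess rates, so the gap between a throttled remote login (5 guesses per minute), the calculator's 1,000 guesses per second, and an offline attack on a stolen /etc/shadow (billions per second) can be read off directly. The four character classes and the 33-symbol count follow the GRC haystack page's conventions; the attacker rates are illustrative assumptions, and the hash_work helper only models the one property of salting the thread relies on, namely that each candidate must be re-hashed per distinct salt.

```python
"""Time-to-exhaust calculator for the password-throttling argument.

Added example, not code from the mailing-list thread.  Assumptions:
  * character classes and the 33-symbol count follow the GRC haystack
    page's conventions;
  * the attacker must exhaust every candidate up to the password's length
    (haystack model): search space = sum of N**k for k = 1..L;
  * the guess rates in RATES are illustrative, not measured.
"""

import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = 33  # assumption: GRC haystack counts 33 printable symbols
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# Illustrative attacker rates in guesses per second (constructed for this example).
RATES = {
    "throttled remote login (5 per minute)": 5 / 60,
    "GRC haystack 'online' assumption (1,000 per second)": 1_000,
    "offline attack on stolen salted hashes (1e9 per second)": 1_000_000_000,
}


def charset_size(password: str) -> int:
    """Alphabet size an attacker must assume, from the character classes present."""
    size = 0
    if any(c in LOWER for c in password):
        size += len(LOWER)
    if any(c in UPPER for c in password):
        size += len(UPPER)
    if any(c in DIGITS for c in password):
        size += len(DIGITS)
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def search_space(alphabet: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len over an alphabet of that size."""
    return sum(alphabet ** k for k in range(1, max_len + 1))


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return space / guesses_per_second


def centuries_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time, in centuries, to exhaust the space implied by the password."""
    space = search_space(charset_size(password), len(password))
    return seconds_to_exhaust(space, guesses_per_second) / SECONDS_PER_CENTURY


def hash_work(space: int, n_hashes: int, salted: bool) -> int:
    """Hash computations needed to test every candidate against n stolen hashes.

    Unsalted: hash each candidate once and compare it with all n stored hashes.
    Salted with distinct salts: each candidate must be re-hashed under every salt.
    """
    return space * n_hashes if salted else space


def report(password: str) -> dict:
    """Map each illustrative attacker rate to worst-case centuries for this password."""
    return {label: centuries_to_exhaust(password, rate) for label, rate in RATES.items()}


if __name__ == "__main__":
    pw = "Abc123@#"  # the password from the message above; passes all four class checks
    space = search_space(charset_size(pw), len(pw))
    print(f"{pw!r}: alphabet={charset_size(pw)} search space={space:,}")
    for label, centuries in report(pw).items():
        print(f"  {label:58s} {centuries:>14,.2f} centuries")
    print(f"salting 1,000 stolen hashes multiplies attacker work by "
          f"{hash_work(space, 1000, True) // hash_work(space, 1000, False)}x")
```

At 1,000 guesses per second the script reproduces the calculator's roughly 2,100 centuries for "Abc123@#"; at a billion per second the same space collapses to under three months, which is the difference between a throttled login avenue and a leaked shadow file that the quoted paragraph is describing.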