[conspire] Password permutations
Rick Moen
rick at linuxmafia.com
Wed Apr 15 23:43:00 PDT 2020
Quoting Paul Zander (paulz at ieee.org):
> Who can actually try a large number of logins? In my experience
> just trying to get into my own account, it takes a second to get a
> response that I messed up. That limits my attempts to not very many
> in an hour.
Exactly!
This is why the notion of cracking ssh passwords by brute force is
basically absurd. Break-ins of ssh access in the real world thus
involve either stolen security tokens or 'joe account' intrusions.
'joe accounts' would be ones with known conventional username/password
combinations like user = service, password = service.
This is an example of why it's necessary to _understand the threat model_
before planning what to do about a threat. People adopt
line-noise-like lengthy passwords under the mistaken impression that
this is necessary in order to have enough entropy to defend against
brute-force ssh attempts, which of course is simply not the case.
> Me thinks there is a different sort of security hole that would allow
> an unlimited number of tries in a short time.
Well, there isn't for remote ssh login attempts, because there is
irreducible and non-trivial setup time that lapses for each attempt.
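To put numbers on the point made above, here is a small added calculation (my example, not Rick's): it takes the roughly one-second-per-attempt delay from the quoted message as the online guessing rate, and assumes a parallel-session count and an offline hash-cracking rate purely for contrast, to show how far apart the entropy requirements of the two threat models are.

```python
import math

SECONDS_PER_HOUR = 3600.0
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR


def online_guess_rate(seconds_per_attempt: float, parallel_sessions: int = 1) -> float:
    """Guesses per second available to a remote attacker when each login
    attempt costs `seconds_per_attempt` of setup time (about 1 s per the
    quoted message) and `parallel_sessions` connections run at once (assumed)."""
    if seconds_per_attempt <= 0 or parallel_sessions <= 0:
        raise ValueError("rate parameters must be positive")
    return parallel_sessions / seconds_per_attempt


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a password drawn uniformly from 2**entropy_bits
    candidates: on average half the space has to be searched."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def entropy_bits_needed(guesses_per_second: float, horizon_seconds: float) -> float:
    """Smallest entropy (bits) for which the expected crack time exceeds
    the horizon.  Solves 2**b / 2 / rate > horizon for b."""
    return math.log2(2.0 * guesses_per_second * horizon_seconds)


def joe_account_crack_seconds(candidate_count: int, guesses_per_second: float) -> float:
    """A 'joe account' is found by trying a short list of conventional
    username/password pairs; on average half the list is needed."""
    return (candidate_count / 2.0) / guesses_per_second


def compare_threat_models(entropy_bits: float,
                          online_seconds_per_attempt: float = 1.0,
                          online_parallel: int = 10,
                          offline_guesses_per_second: float = 1e10) -> dict:
    """Expected crack time, in years, of the same password under the
    rate-limited online model and an assumed offline hash-cracking model."""
    online = online_guess_rate(online_seconds_per_attempt, online_parallel)
    return {
        "online_years": expected_crack_seconds(entropy_bits, online) / SECONDS_PER_YEAR,
        "offline_years": expected_crack_seconds(entropy_bits, offline_guesses_per_second) / SECONDS_PER_YEAR,
    }
```

With one attempt per second, a password of about 26 bits of entropy already has an expected online crack time above a year, while a list of a few hundred conventional username/password pairs is exhausted in minutes.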