[conspire] Password permutations

Nick Moffitt nick at zork.net
Thu Apr 16 02:03:54 PDT 2020


On 15Apr2020 11:43pm (-0700), Rick Moen wrote:
> Quoting Paul Zander (paulz at ieee.org):
> > Me thinks there is a different sort of security hole that would allow
> > an unlimited number of tries in a short time.
>  
> Well, there isn't for remote ssh login attempts, because there is
> irreducible and non-trivial setup time that lapses for each attempt.

PSA: Disable ssh password access, and keep a passphrase-locked private key on portable media.  This will prevent a number of "joe account" problems, and simplify your threat model considerably.

If you want to be really clever, you can configure your sshd to challenge you for a YubiKey HOTP one-time code as a second factor, or a TOTP challenge from a more capable device with an RTC (although most of those are complex enough to need a lot of effort to secure just on their own).

For me, passwords are for sudo and direct physical access only.  
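The sshd setup described in the post above, as an added example that is not part of the post or of OpenSSH itself: a POSIX shell audit that reads sshd_config text and flags any remaining password path, then checks whether a "key first, then OTP prompt" chain (AuthenticationMethods publickey,keyboard-interactive, with the HOTP/TOTP prompt supplied by a PAM module such as pam_oath or pam_google_authenticator) is required. The directive names and defaults are OpenSSH's; the two sample configs are constructed for illustration, the parser is deliberately simplified (first match wins, stops at the first Match block, no Key=value spelling), and the PAM module choice is an assumption, not something the post specifies.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSH: audit an
# sshd_config for "no passwords, keys only, optional OTP second factor".
# The sample configs are constructed and describe no real host.

# Print the value of directive $2 from config text $1, or default $3 if unset.
# Mirrors sshd's first-match rule and stops at the first Match block.
# Assumption: "Key=value" spelling and quoted values are not handled.
sshd_directive() {
  printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
    /^[[:space:]]*#/ { next }          # comment line
    NF == 0 { next }                   # blank line
    tolower($1) == "match" { exit }    # global section ends at first Match
    tolower($1) == key { print $2; found = 1; exit }
    END { if (!found) print def }
  '
}

# Return 0 when the config follows the post's advice, 1 when it still
# leaves a password path open. Defaults are OpenSSH's compiled-in ones.
audit_sshd_config() {
  cfg="$1"; rc=0
  if [ "$(sshd_directive "$cfg" PasswordAuthentication yes)" != no ]; then
    echo "WEAK: PasswordAuthentication is on; remote password guessing stays possible"
    rc=1
  fi
  if [ "$(sshd_directive "$cfg" PubkeyAuthentication yes)" != yes ]; then
    echo "WEAK: PubkeyAuthentication is off; keys cannot replace passwords"
    rc=1
  fi
  if [ "$(sshd_directive "$cfg" PermitRootLogin prohibit-password)" = yes ]; then
    echo "WEAK: PermitRootLogin yes; root is a known username with a password path"
    rc=1
  fi
  # The "key, then OTP" setup appears as AuthenticationMethods requiring
  # publickey AND keyboard-interactive (the PAM-driven one-time-code prompt).
  case "$(sshd_directive "$cfg" AuthenticationMethods any)" in
    *publickey,keyboard-interactive*)
      echo "OK: key plus keyboard-interactive second factor required" ;;
    *)
      echo "NOTE: single factor only; no AuthenticationMethods chain" ;;
  esac
  return "$rc"
}

# Constructed sample: a typical "passwords still accepted" configuration.
WEAK_SSHD_CONFIG='# constructed sample, not a real host
PasswordAuthentication yes
PermitRootLogin yes'

# Constructed sample: the post's recommendation plus an OTP second factor.
# KbdInteractiveAuthentication was spelled ChallengeResponseAuthentication
# before OpenSSH 8.7; the old name is still accepted as an alias.
HARDENED_SSHD_CONFIG='# constructed sample, not a real host
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive'

audit_sshd_config "$WEAK_SSHD_CONFIG" || echo "weak config rejected"
audit_sshd_config "$HARDENED_SSHD_CONFIG" && echo "hardened config accepted"
```

On a live host, feed the audit the effective configuration from `sshd -T` rather than the file, since that already resolves defaults and Match blocks; the toy parser here exists only to make the example run offline. The OTP prompt itself still has to be wired up in PAM on the sshd side, and the private key should carry its own passphrase as the post says, so that losing the portable media does not hand over the first factor.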


