[conspire] Password permutations

Tony Godshall tony at of.net
Fri Apr 17 21:49:47 PDT 2020


On Thu, Apr 16, 2020 at 2:04 AM Nick Moffitt <nick at zork.net> wrote:
>
> On 15Apr2020 11:43pm (-0700), Rick Moen wrote:
> > Quoting Paul Zander (paulz at ieee.org):
> > > Me thinks there is a different sort of security hole that would allow
> > > an unlimited number of tries in a short time.
> >
> > Well, there isn't for remote ssh login attempts, because there is
> > irreducible and non-trivial setup time that lapses for each attempt.
>
> PSA: Disable ssh password access, and keep a passphrase-locked private key on portable media.  This will prevent a number of "joe account" problems, and simplify your threat model considerably.
...

Someone with access to your keyfiles *would* be able to do a
dictionary attack, since there's no rate-limiter on that.

So preventing access to your private key on portable media becomes paramount.


