[Discuss] deadmanish login?

[bogstad at pobox.com (Bill Bogstad)]

On Wed, Feb 1, 2017 at 12:03 PM, Richard Pieri <richard.pieri at gmail.com> wrote:
> On 1/31/2017 8:48 AM, Kent Borg wrote:
>> "15-ladder-bamboo-sierra" is an easy password to remember and type, yet
>> it has 40-bits of entropy. Even if some bizarrely configured sshd
>
> It also uses dictionary words. Using dictionary words (read: not random)
> reduces the effective entropy of the key.

My quick estimate is that just the 3 words in his password gives him
something close to 40 bits.
That's assuming a dictionary size of 10000 words.

If you assume that an attacker has to do a rate-limited on-line attack
to search that 40bit space,
that seems adequate to me.  On the other hand, if you allow for the
possibility of an attacker
obtaining the password hash file and attacking it offline; then maybe
that isn't enough.
Kent's concern seems to be that because your SSH private key file is
encrypted, many people will
put it lots of places where they shouldn't.   If just one of those
places is compromised even briefly
the attacker can do an off-line attack against the key file.

Aside, since others have noted their non-standard security procedures...

I regularly reuse passwords between different systems.   Specifically,
systems/web sites in which I
have no significant stake.   I really don't care if someone who
manages to crack the InfoWorld web
site can then read the NY Times using the same credentials.   Each
financial and email account on the other
hand gets a different password.

Bill Bogstad


>
> --
> Rich P.
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss