SSH hacked?

[Kent Borg]

Karl F. Larsen wrote:
>     What everyone seems to be missing is that a good 12 digit password 
> is difficult to guess and difficult to use. But it is easy if the user 
> has it printed on paper taped to his/her computer. This works fine and 
> if your worried you can send the user a new password every month.
>   
Consider poor man's two factor authentication:

- Part of the password is memorized (maybe three randomly chosen words
concatenated for 32-bits or more of entropy) e.g.: "delta-chief-phone"
- Part of the password is written down on card in the user's wallet or
taped to the screen (maybe
16-hex digits for 64-bits worth of entropy) e.g.: "1062bad7-1018-4b93"

Make the total password the whole thing typed in together. The result is
a passphrase worth at least 96-bits of entropy.

If the foe on the internet can try a trillion possibilities per second,
it would still take 1,256,154,276 years of trying to have a 50-50 chance
of breaking in.

The foe in your office or the person who steals your wallet has an
easier task, but the folks in your office are presumably more trusted
and the guy who steals your wallet doesn't know the digit string even is
part of a passphrase, let alone what specific thing it is for.

Very cheap, very secure against random Bad Guys on the internet. It
doesn't protect against keyboard sniffing, however.


-kb


P.S. It would be neat if there were a PAM module that implemented this
degenerate version of Secureid (where the changing digits are stuck).
Let the user change only his/er portion, let the organization running
the server control the 64-bit portion. Maybe these "stuck" digits change
occasionally as suggested by Karl F. Larsen, when the organization sends
everyone a new card.