SSH hacked?

Karl F. Larsen klarsen1 at gmail.com
Tue Jan 13 21:30:55 UTC 2009


Kent Borg wrote:
> Karl F. Larsen wrote:
>
>>     What everyone seems to be missing is that a good 12 digit password
>> is difficult to guess and difficult to use. But it is easy if the user
>> has it printed on paper taped to his/her computer. This works fine and
>> if you're worried you can send the user a new password every month.
>>
> Consider poor man's two factor authentication:
>
> - Part of the password is memorized (maybe three randomly chosen words
> concatenated for 32-bits or more of entropy) e.g.: "delta-chief-phone"
> - Part of the password is written down on card in the user's wallet or
> taped to the screen (maybe
> 16-hex digits for 64-bits worth of entropy) e.g.: "1062bad7-1018-4b93"
>
> Make the total password the whole thing typed in together. The result is
> a passphrase worth at least 96-bits of entropy.
>
> If the foe on the internet can try a trillion possibilities per second,
> it would still take 1,256,154,276 years of trying to have a 50-50 chance
> of breaking in.
>
> The foe in your office or the person who steals your wallet has an
> easier task, but the folks in your office are presumably more trusted
> and the guy who steals your wallet doesn't know the digit string even is
> part of a passphrase, let alone what specific thing it is for.
>
> Very cheap, very secure against random Bad Guys on the internet. It
> doesn't protect against keyboard sniffing, however.
>
>
> -kb
>
>
> P.S. It would be neat if there were a PAM module that implemented this
> degenerate version of SecurID (where the changing digits are stuck).
> Let the user change only his/her portion, let the organization running
> the server control the 64-bit portion. Maybe these "stuck" digits change
> occasionally as suggested by Karl F. Larsen, when the organization sends
> everyone a new card.
>
    I think many look at this with their computer in an office you can't 
trust. Mine is in my home where only my wife can look and she could care 
less.


Karl


-- 

	Karl F. Larsen, AKA K5DI
	Linux User
	#450462   http://counter.li.org.
   PGP 4208 4D6E 595F 22B9 FF1C  ECB6 4A3C 2C54 FE23 53A7
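The arithmetic in Kent Borg's quoted mail (three words plus 16 hex digits, the 1,256,154,276-year figure at a trillion guesses per second) and the split-control scheme in his P.S. (user owns the memorized half, organization owns the card half), worked through as an added Python example. This is not code from either poster or from any PAM module; it assumes the card string uses the 8-4-4 hex layout shown in the mail ("1062bad7-1018-4b93", 18 characters), that each half is stored as a separate salted PBKDF2 hash so either side can be rotated on its own, and a 365-day year, which is what reproduces the quoted figure exactly.

```python
import hashlib
import hmac
import math
import secrets

# Assumed card layout from the mail: 16 hex digits grouped 8-4-4, e.g. "1062bad7-1018-4b93"
CARD_HEX_DIGITS = 16
CARD_LEN = CARD_HEX_DIGITS + 2          # plus two hyphens = 18 typed characters
WORD_COUNT = 3                          # memorized half: three randomly chosen words
KDF_ITERATIONS = 100_000                # assumption; tune to the server's budget


def entropy_bits(word_list_size: int):
    """Return (memorized_bits, card_bits, total_bits) for the two halves."""
    memorized = WORD_COUNT * math.log2(word_list_size)   # 3 words from an N-word list
    card = CARD_HEX_DIGITS * 4                           # each hex digit carries 4 bits
    return memorized, card, memorized + card


def years_to_half_keyspace(bits: float, guesses_per_second: float = 1e12) -> float:
    """Years to try half the keyspace (a 50-50 chance) at the given guess rate."""
    seconds_per_year = 365 * 24 * 3600                   # 365-day year, as in the mail's figure
    return 2 ** (bits - 1) / guesses_per_second / seconds_per_year


def issue_card() -> str:
    """Organization side: mint a fresh 64-bit card string in the 8-4-4 layout."""
    h = secrets.token_hex(8)                             # 8 random bytes = 16 hex digits
    return f"{h[:8]}-{h[8:12]}-{h[12:]}"


def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ITERATIONS)


class PoorMansTwoFactor:
    """Verifier that keeps the memorized half and the card half as separate hashes."""

    def __init__(self) -> None:
        self.users = {}

    def enroll(self, user: str, memorized: str) -> str:
        card = issue_card()
        salt_m, salt_c = secrets.token_bytes(16), secrets.token_bytes(16)
        self.users[user] = {"salt_m": salt_m, "hash_m": _kdf(memorized, salt_m),
                            "salt_c": salt_c, "hash_c": _kdf(card, salt_c)}
        return card                      # goes on the printed card; not kept in clear

    def verify(self, user: str, typed: str) -> bool:
        """The user types memorized half immediately followed by the card half."""
        rec = self.users.get(user)
        if rec is None or len(typed) <= CARD_LEN:
            return False
        memorized, card = typed[:-CARD_LEN], typed[-CARD_LEN:]
        ok_m = hmac.compare_digest(_kdf(memorized, rec["salt_m"]), rec["hash_m"])
        ok_c = hmac.compare_digest(_kdf(card, rec["salt_c"]), rec["hash_c"])
        return ok_m & ok_c               # '&' rather than 'and': no short-circuit on failure

    def set_memorized(self, user: str, current_full: str, new_memorized: str) -> bool:
        """User side: change only the memorized half; the card stays valid."""
        if not self.verify(user, current_full):
            return False
        rec = self.users[user]
        rec["salt_m"] = secrets.token_bytes(16)
        rec["hash_m"] = _kdf(new_memorized, rec["salt_m"])
        return True

    def reissue_card(self, user: str) -> str:
        """Organization side: the 'stuck digits' change; the memorized half is untouched."""
        rec = self.users[user]
        card = issue_card()
        rec["salt_c"] = secrets.token_bytes(16)
        rec["hash_c"] = _kdf(card, rec["salt_c"])
        return card


if __name__ == "__main__":
    mem, card, total = entropy_bits(2048)                # a 2048-word list gives 33 + 64 bits
    print(f"{mem:.1f} + {card} = {total:.1f} bits; "
          f"{years_to_half_keyspace(96):,.0f} years at 1e12 guesses/s for 96 bits")
    store = PoorMansTwoFactor()
    c = store.enroll("karl", "delta-chief-phone")
    print(store.verify("karl", "delta-chief-phone" + c))
```

Two points the numbers make visible: three words only reach the 32 bits the mail mentions when the list they are drawn from has at least 1,626 entries (3 × log2(1626) ≈ 32.0), so the word list matters as much as the word count; and keeping the halves as separate hashes, which is what lets the organization reissue cards without knowing the memorized half, means a leaked hash store exposes a roughly 32-bit memorized secret to offline guessing on its own, whereas hashing the whole 96-bit string once would preserve the brute-force bound from the mail but force the user to re-enter their half at every card rotation. Neither variant helps against keyboard sniffing, as the mail already notes.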