SSH hacked?

[Kent Borg]

Ioannis Vranos wrote:
>  From something I had red in the past, I think a pretty easy way to 
> produce and remember relatively strong passwords, is by using the first 
> letter of every word of a phrase or a poem or something else you 
> remember, or the first two letters of every such word, or the first 
> three letters of every such word.
>
>   

Be careful! You might remember the same phrase as do others. Once upon a
time many computer people thought "Gandalf" was
*terribly* obscure, but it is one of the first passwords cracking
sortware will try.

At first glance "idetsinetsi" might seem plenty obscure, but Monty
Python fans told to generate a password by this technique are damn
likely to pick it. And religious folks might think "etiwttvotsod" is
*terribly* obscure, but it is not.


For geeky fun on your Linux machine try:

$ head -c 32 /dev/random | od -h

You will get output something like:

0000000 2370 0ed4 d35d fa5e 2ea0 211a 6150 ecf1
0000020 d90b 95b5 a06d c904 b1ee f369 6514 b10f
0000040

The first 7 columns are the offset into the data and boring, but the
groups of 4 hex digits to the right are high quality random data. Every
time you run that command you will get different random data. This data
is yours, if you don't give anyone a copy, your copy will unique in the
world. Use that to generate your password.

If you only want decimal digits the simplest way is to ask for more
digits than you need and disregard the letters.

To generate a password figure out a mechanical technique for turning the
random data into a password. For example, maybe use the numbers as
indexes into pages and lines in a dictionary. Google around for other
ideas, but the key is NOT to pick something that seems random to you,
rather let your computer generate the random data, then massage it into
a typeable password. Maybe use the raw hex digits as part of your
password, use dictionary lookups for part of it, use another digit to
decide which letter to capitalize, use another of the random digits to
decide where in your password to drop in a digit and yet another of the
random digits to be the digit you drop in. Maybe do something similar to
decide what punctuation character to drop in and where to put it.

The goal is to come up with a recipe where all the decisions are driven
by the random data not your brain trying to pick a random number (you
picked 7, right?). Use your brains to come up with the recipe, but only
use quality random data to drive the recipe. (Don't reuse any of the
source random digits. New random digits are cheap, use fresh ones.)

When you are done you can analyze how much entropy is in your password
by counting how many random digits you used to drive your recipe (and
how use used them).

A possible scheme:

Install dict-moby-thesaurus. It will install the file
/usr/share/dictd/moby-thesaurus.index, which is 30263 lines long. Use
your random data to select a line in that file. Do it again. In my
example I would pick the word from line 23700, or "showdown". And then
the word from line 43552. But there is no such line, so I toss those
random bits and try again with the next ones, and line 02116 is "beg to
differ". The next digit is a 1, so let's pick the symbol from a shifted
1, or "!". The next 4 characters are 50ec, so let's put them at the end
as-is.

The result:

showdown beg to differ!50ec

Pretty easy to remember. (Don't use this one, make your own!) An
*excellent* login password.

A password made this way has about 49-bits of entropy; well over 500
trillion combinations are possible. Note, this is maybe not enough for
an encryption key (where brute force is easy to apply), to be careful
you want a key with maybe twice that number of bits.

Make up your own recipe if you want, but make it mechanical and then
drive it with quality data from /dev/random.

No one would log into a machine by guessing that password. The
combinations are too many, sshd is too slow to respond. If they could
guess 10,000 passwords a second (which sshd won't do) it would take over
892 years of trying to have a 50-50 chance of getting in.


-kb