kentborg at borg.org
Thu Jan 15 14:45:53 UTC 2009
Steve Lamb wrote:
> Putting it behind knockd does, far more than your scheme because while
> you can guarantee the difficulty of your password things change when
> you have to deal with real, live users.
And that is why my primary point is so radical: (a) quality passwords
that (b) are secret. Raving lunatic, on the edge, wild-eyed, radical!

There might be a few people on this list who don't recycle their Ubuntu
passwords elsewhere, and there might even be a couple people on the list
who don't recycle any passwords anywhere, but in general, my suggestion
of quality, secret passwords is radical.

One way of dealing with users choosing poor passwords is to not let them
choose their own password. It seems a little fascist, but what is the
burden? If your user wants to type in his favorite password on your
machine, too, then imposing a password is annoying to that user, but at
precisely the value of preventing password recycling. If you assign a
password that is pretty easy to remember and to type, you are not being
terribly burdensome. To lift from my previous example, is telling
someone they have to type "showdown-beg-to-differ!50ec" really that bad?
Will it seriously annoy anyone other than the recyclers whom you should
want to stop anyway? After a little practice, it will become easy to type...

Let me change my tune on one point. In the past (check Google, maybe) I
have railed against arbitrary requirements to change passwords. My logic
was that if I have a quality password that is secret, changing it every
90 days doesn't accomplish anything but mess with my memorizing it. That
is still true, to a point. However, by forcing changes, the determined
password recycler is thwarted. Don't be too annoying, maybe one change a
half year after the account is first set up, and changing it again every
couple years thereafter.

I have a bank account that has a pretty good scheme:

1) They chose my password; I had no choice. It is a short, nonsense,
Presumably they generated it by a good procedure, and so it is random.
As it is nonsense, there is little temptation to start reusing it
elsewhere. If a customer is going to recycle a password in multiple places,
s/he can more easily use his/her dog's name on those other accounts,
which is no risk to the bank.

Presumably the bank severely limits login attempts; if only a few failed
attempts are allowed, even a short password becomes very high quality.
(No matter what the "I want ZERO percent chance!"-crowd desires, reality
comes down to probabilities.)

2) They don't ask for the password when I log in; they only ask for
three of its characters, and they change which characters they want with
every successful login.

At this point the zero-percent crowd is going crazy, but it is actually
genius. Even on the most spy-ware infested machine at a cyber cafe, it
will take quite a few logins before all of the key is revealed. They can
make the cycle slightly long before an eavesdropper has enough
information for the next login, and they can decide what positions to
ask for and how many attempts to allow in coordination with other login
details (including such things as my IP addresses, cookie possession,
whether the reported browser and OS version is consistent, whether my
failed entry was close to correct or a shot in the dark, whether my
error correlated with what information would have been revealed to a
keyboard sniffer vs. a typo, etc.) along with whether the transactions
performed once logged in are typical for that customer or not. They can
even decide whether to "reveal" another character to the spyware (by
asking for that character) based on the IP address that the request is
coming from: if the login seems routine, don't "reveal" another
character, but if it seems odd (from a different part of the world,
different OS) maybe demand the extra character, the one that has been
"held in reserve" and so is not known to any spyware.

Finally, they occasionally change my key. If they wanted they could
change the key frequently enough that it is effectively a one-time pad.
Looking at my current key and my previous key, I think they recently
added the "held in reserve" feature I imagine. My old key was only
6 characters, my current key is 8 characters long. I bet there are two
characters they have never asked for, but they would ask for one of them
if I suddenly tried to log in from Russia (not my usual location) using a
Windows computer (not my usual computer).

Sorry for covering so much territory in this post. But this is
interesting stuff. So much to think about, so much dogma to disregard...
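As an added illustration of the assigned-password idea above (this is not code from the post, and not any bank's or distribution's code), here is a Python sketch of a server-side generator that produces passwords of the "showdown-beg-to-differ!50ec" shape, an entropy estimate that counts only the random choices (the attacker is assumed to know the word list and the format), and a small calculation of how attempt limiting stretches an online guesser. The word list, the punctuation set and all function names are constructed for this example.

```python
import math
import secrets

# Constructed toy word list. Each word contributes log2(len(WORDLIST)) bits,
# so a real deployment should draw from a list of several thousand words.
WORDLIST = [
    "showdown", "beg", "differ", "harbor", "lantern", "quartz", "velvet",
    "orbit", "meadow", "cinder", "tundra", "pixel", "saffron", "glacier",
    "timber", "ember",
]
PUNCT = "!?#%"
HEX = "0123456789abcdef"


def assign_password(n_words=4, n_hex=4, rng=secrets):
    """Server-assigned password in the shape of 'showdown-beg-to-differ!50ec':
    hyphenated words, one punctuation mark, then n_hex hex digits.
    `rng` only needs a .choice(); the secrets module is the strong default."""
    words = [rng.choice(WORDLIST) for _ in range(n_words)]
    mark = rng.choice(PUNCT)
    suffix = "".join(rng.choice(HEX) for _ in range(n_hex))
    return "-".join(words) + mark + suffix


def entropy_bits(n_words=4, n_hex=4):
    """Entropy of the generator's output space in bits. Only the random
    choices count: the format and the word list are assumed public."""
    return (n_words * math.log2(len(WORDLIST))
            + math.log2(len(PUNCT))
            + n_hex * math.log2(len(HEX)))


def has_assigned_shape(pw, n_words=4, n_hex=4):
    """Check that a string is one the generator could have produced
    (useful when a policy engine must reject user-chosen substitutes)."""
    if len(pw) < n_hex + 2 or pw[-n_hex - 1] not in PUNCT:
        return False
    suffix, body = pw[-n_hex:], pw[:-n_hex - 1]
    if any(c not in HEX for c in suffix):
        return False
    words = body.split("-")
    return len(words) == n_words and all(w in WORDLIST for w in words)


def online_guessing_hours(bits, attempts_per_hour):
    """Expected hours for an online guesser capped at attempts_per_hour to
    cover half the space: lockout and rate limiting are what make even a
    short assigned password 'very high quality' against online guessing."""
    return (2 ** bits / 2) / attempts_per_hour
```

With this toy 16-word list a four-word password plus the suffix has 34 bits; the same shape drawn from a 4096-word list would have 66 bits, which is why the size of the word list matters more than the length of the string the user types.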
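The partial-password scheme described in point 2, modelled as an added Python example (it is not the bank's code and not something from the post): the server asks for k characters of the assigned key, never requests the "held in reserve" positions on a routine login, locks the account after a few failures, and records which positions a sniffer on the client could by now have seen. The analytic helper gives the expected number of successful logins before every askable position has been requested at least once, which puts a number on the "quite a few logins" the post mentions. The class and function names, the sample key and the thresholds are assumptions; one caveat the model makes explicit is that checking individual characters means the server must hold the key in recoverable form rather than as a single salted hash.

```python
import hmac
import math
import secrets
from fractions import Fraction


class PartialPasswordAccount:
    """Toy server-side model of a partial-password login (assumed design):
    only k characters of the assigned key are requested per login, and the
    last `reserved` positions are never asked for on routine logins."""

    def __init__(self, key, k=3, reserved=2, max_failures=3, rng=None):
        # Caveat: to check single characters the server must be able to
        # recover them, so the key cannot be stored as one salted hash of the
        # whole string; a real deployment would keep it encrypted (e.g. in an HSM).
        self._key = key
        self.k = k
        self.routine_pool = list(range(len(key) - reserved))
        self.reserve_pool = list(range(len(key) - reserved, len(key)))
        self.max_failures = max_failures
        self.failures = 0
        self.exposed = set()      # positions revealed by successful logins
        self._pending = None      # positions of the outstanding challenge
        self.rng = rng or secrets.SystemRandom()

    def challenge(self, routine=True):
        """Pick the positions to ask for. A non-routine login (odd IP, odd OS)
        spends one reserved position plus k-1 routine ones."""
        if self.failures >= self.max_failures:
            raise PermissionError("account locked after repeated failures")
        if routine or not self.reserve_pool:
            positions = self.rng.sample(self.routine_pool, self.k)
        else:
            positions = ([self.rng.choice(self.reserve_pool)]
                         + self.rng.sample(self.routine_pool, self.k - 1))
        self._pending = sorted(positions)
        return list(self._pending)

    def verify(self, answer):
        """Check the characters typed for the outstanding challenge."""
        positions, self._pending = self._pending, None
        if positions is None:
            return False
        expected = "".join(self._key[p] for p in positions)
        ok = hmac.compare_digest(expected.encode(), answer.encode())
        if ok:
            self.failures = 0
            self.exposed.update(positions)  # a sniffer on the client now has these
        else:
            self.failures += 1
        return ok

    def unexposed(self):
        """Positions a keylogger that watched every successful login still lacks."""
        return [p for p in range(len(self._key)) if p not in self.exposed]


def expected_logins_to_expose(n, k):
    """Expected number of successful logins until each of n askable positions
    has been requested at least once, with k distinct positions per login.
    Inclusion-exclusion over fixed sets of j never-asked positions:
        E[T] = sum_{j=1..n} (-1)^(j+1) C(n,j) * sum_{t>=0} q_j^t,
    where q_j = C(n-j,k)/C(n,k) is the chance one login misses all j of them."""
    total = Fraction(0)
    for j in range(1, n + 1):
        q = Fraction(math.comb(n - j, k), math.comb(n, k))  # comb() is 0 if n-j < k
        geometric_sum = Fraction(1) if q == 0 else 1 / (1 - q)
        total += (-1) ** (j + 1) * math.comb(n, j) * geometric_sum
    return total
```

With an 8-character key, two positions held in reserve and three characters asked per login, expected_logins_to_expose(6, 3) is 327/76, about 4.3 successful logins before a sniffer has seen every askable character; the two reserved characters are never on the wire during routine logins at all, which is what makes the extra challenge on an unusual login worth something.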