On Tue, Nov 10, 2015 at 11:55 AM, Michael Orlitzky <mjo@g.o> wrote:

> On 11/10/2015 01:26 PM, Alan McKinnon wrote:
> >
> > I think you are approaching this problem from the wrong viewpoint. You
> > have to assume an attacker has vastly more resources to bear on the
> > problem than you have. Thanks to Amazon and the cloud, this is now a
> > very true reality. Brute force attacking a root password is nowhere near
> > as complex as the maths would lead you to believe; for one thing they
> > are decidedly not random. The fact is that they are heavily biased,
> > mostly due to 1) you need to be able to remember it and 2) you need to
> > be able to type it.
> >
> > Humans have been proven to be very bad at coming up with passwords that
> > are truly good[1] and hard for computers to figure out. And our brains
> > are very very VERY good at convincing us that our latest dumb idea is
> > awesome. Are you really going to protect the mother lode (root password)
> > with a single system proven to be quite broken and deeply flawed by
> > wetware?
> >
>
> I know all that, but I asked you to assume that I'm not an idiot and
> that it would take forever to brute-force my root password =)
>
> I'm not going to tell you what it is, so you'll have to believe me.
>
I guess from this you're assuming that everyone's passwords that have been
hacked are god, birthdays and such?