On Thu, Aug 28, 2014 at 04:51:20PM +0000, Edward Ned Harvey (blu) wrote:
> > From: [email protected] [mailto:discuss-
> > [email protected]] On Behalf Of
> > [email protected]
> > 
> > SSH is a very BAD thing to open up to the free internet. BAD BAD BAD.
> > Once in, you are in. Shell access is dangerous.
> 
> Blanket statement.
> 
> The actual truth is:  SSH *can* be bad to open up to the internet, but it 
> doesn't take rocket science to make it good and secure.
> 
> First and foremost, disable all forms of authentication other than key-based. 
>  Even if you have a complex randomly generated password, you'd have to get 
> something like 128-ish bits of entropy into that password to make it secure 
> from brute force attacks.  In that case, you'll never memorize it and you 
> might as well just use keys.  Ensure your keys are 2048 or 3072 bits (or 
> 4096).  Also, by merely allowing password based authentication, script 
> kiddies out there will attempt to brute force attack you.  (Just watch your 
> logs and see.)  This hogs your internet and CPU significantly, even if you 
> have a sufficiently complex password to make yourself actually secure from 
> breach.

Even though I agree with all this, I have to point out that many
experiments have concluded that English sentences contain about 1.1 bits
of entropy per character, and so it is not completely unreasonable to
create and memorize a 120 character sentence to use as a password.

The problem, really, is getting the balance right between using
it often enough not to forget it (and thus want to write it
down) and using it so often that it becomes an impediment to
access merely because of the length of time it takes you to type
it.

People. People are the problem.

-dsr-
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss

Reply via email to