Summary of password strength discussion

Chris Murphy lists at colorremedies.com
Mon Jul 27 21:27:03 UTC 2015


On Mon, Jul 27, 2015 at 12:43 PM, Lars Seipel <lars.seipel at gmail.com> wrote:
> On Mon, Jul 27, 2015 at 11:19:41AM -0600, Chris Murphy wrote:
>> Why is password quality being targeted rather than the number of ssh
>> attempts being set to e.g. 3 per minute, by default? And does this
>> sufficiently mitigate the concern, and if not, why not?
>
> Restricting login attempts means that now even the most naïve kind of
> attack can lock me out of my machine. You know, the really stupid
> attacks that rain down on almost any internet host in gigantic numbers
> but are effectively countered by using anything but the most trivial of
> passwords.

Who puts their computer directly on the Internet or has all port 22
requests forwarded carte blanche? Very weak vs. just weak passwords:
that system will be owned if no other defensive measures are
taken.

Firewalld needs to make it easier to tell it which networks are trusted, so
that when I go to a cafe it automatically blocks (or drops) requests
to ports 22, 445, 2049, etc. By default. Without asking me. Just do it,
because I have no good reason to have those available when I'm in a
cafe. And if I do, I'll trust the network.

When enabling sshd in the GUI, it should use AllowUsers in sshd_config
rather than allowing all users access. ClientAliveInterval probably
should be non-zero. Yes, there should be rate limiting and IP limiting
for workstations in semi-trusted work environments, by default, but
how to do that automatically isn't my area of expertise; maybe
fail2ban plays a role here, to initially be permissive but then learn
what IPs to block after X failed login attempts or something?

Server folks have their own requirements. With all the servers I use,
not a single one is directly reachable on the Internet, I have to go
through a VPN in every case.

For someone who has no intention of turning on remote access and uses
their laptop only at home behind NAT, there is no good reason to prevent
them from using their year of birth as their password. I don't like
it, but I have numerous exhibits of people who get beyond pissy when
they aren't allowed to pick blatantly obvious passwords. And why?
Because they're old, stubborn, and forget shit. They'd sooner stop
using the computer, the iPad, the phone, or whatever else.


-- 
Chris Murphy


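An added example, not from the message above and not OpenSSH's own code, for the two sshd_config points the message makes (AllowUsers and a non-zero ClientAliveInterval): a constructed permissive config beside a hardened one, with a hypothetical user "chris", and a small reader that follows sshd's rule that the first value given for a keyword wins and that stops at the first Match block, since settings under Match are conditional.

```python
"""Check an sshd_config for AllowUsers and ClientAliveInterval (added example)."""
import re

# Constructed sshd_config fragments. The first is the permissive shape a
# freshly enabled sshd has; the second is the hardened version. Users and
# paths are hypothetical.
WEAK_CONFIG = """\
# Every local account may log in over ssh, idle sessions are never reaped
Port 22
PasswordAuthentication yes
#ClientAliveInterval 0
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

HARDENED_CONFIG = """\
Port 22
PasswordAuthentication yes
# Only the accounts that actually need remote access
AllowUsers chris
# Probe idle clients every 5 minutes, drop the session after 3 misses
ClientAliveInterval 300
ClientAliveCountMax 3
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User backup
    ClientAliveInterval 0
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.
    sshd keeps the first value it reads for each keyword, skips blank lines
    and lines whose first token starts with '#', treats keywords
    case-insensitively, and accepts whitespace or '=' as the separator."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # everything after this is conditional, not global
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def check_remote_access(text):
    """Return a list of findings; empty when the config meets both points."""
    cfg = parse_sshd_config(text)
    findings = []
    if not (cfg.get("allowusers") or cfg.get("allowgroups")):
        findings.append(
            "no AllowUsers/AllowGroups: every local account can be logged into over ssh")
    if int(cfg.get("clientaliveinterval", "0")) == 0:
        findings.append(
            "ClientAliveInterval is 0 (the default): idle or dead sessions are never reaped")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_remote_access(cfg) or ["ok"])
```

The first-value-wins rule matters for any tool that appends settings to the end of sshd_config: a ClientAliveInterval already set earlier in the file silently overrides the appended one, which is why the checker reads the file rather than just grepping for the keyword.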