Re: Password policy.
- Date: Wed, 14 Nov 2018 18:28:18 +0800
- From: Corey Manshack <corey@xxxxxxxxxxx>
- Subject: Re: Password policy.
If they have /etc/shadow why would they need to brute force :) I can’t think of a vuln that would give that up without them already having root.
Sent from my iPhone
> On Nov 14, 2018, at 6:21 PM, Andrew McGlashan <andrew.mcglashan@xxxxxxxxxxxxxxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>> On 14/11/18 8:44 pm, Brian wrote:
>>> On Tue 13 Nov 2018 at 18:50:35 -0800, peter@xxxxxxxxxxx wrote:
>> Security is already breached if a password database can be attacked
>> in that way. A six character (upper and lower case) login password
>> would take about 500 years to force for someone at the keyboard.
>> This assumes three seconds per try without coffee breaks.
>> I'm the cautious type, so use ten character passwords.
> Well, yes.... but some breaches are from remote machines that may be
> able to life the /etc/shadow file due to a vulnerability that isn't
> fixed and if that's all they have, then they don't yet need more
> direct access. If they have /etc/shadow, then they can work on
> off-line brute force.
> I'm very surprised at the very low password strength / length
> recommendations to say the least!
> Kind Regards
> -----BEGIN PGP SIGNATURE-----
> -----END PGP SIGNATURE-----