Web lists-archives.com

Re: Password policy.




If they have /etc/shadow why would they need to brute force :) I can’t think of a vuln that would give that up without them already having root.

Sent from my iPhone

> On Nov 14, 2018, at 6:21 PM, Andrew McGlashan <andrew.mcglashan@xxxxxxxxxxxxxxxxxxxxx> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> 
> 
>> On 14/11/18 8:44 pm, Brian wrote:
>>> On Tue 13 Nov 2018 at 18:50:35 -0800, peter@xxxxxxxxxxx wrote:
>>> https://en.wikipedia.org/wiki/Brute-force_attack
>> 
>> Security is already breached if a password database can be attacked
>> in that way. A six character (upper and lower case) login password
>> would take about 500 years to force for someone at the keyboard.
>> This assumes three seconds per try without coffee breaks.
>> 
>> I'm the cautious type, so use ten character passwords.
> 
> Well, yes.... but some breaches are from remote machines that may be
> able to life the /etc/shadow file due to a vulnerability that isn't
> fixed and if that's all they have, then they don't yet need more
> direct access.  If they have /etc/shadow, then they can work on
> off-line brute force.
> 
> I'm very surprised at the very low password strength / length
> recommendations to say the least!
> 
> Kind Regards
> AndrewM
> -----BEGIN PGP SIGNATURE-----
> 
> iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCW+v3PQAKCRCoFmvLt+/i
> +19JAP9R3Zw7RqQDIytWTedQxVeCKMV0+gGxMAw9oO6G6gG/VgD/dJbL4dppk5Zp
> j5Tolqq/w0aa34exUvNHn6fqMI85HhU=
> =5zUS
> -----END PGP SIGNATURE-----
>