
Re: Password policy.

On Wed 14 Nov 2018 at 21:21:54 +1100, Andrew McGlashan wrote:

> On 14/11/18 8:44 pm, Brian wrote:
> > On Tue 13 Nov 2018 at 18:50:35 -0800, peter@xxxxxxxxxxx wrote:
> >> https://en.wikipedia.org/wiki/Brute-force_attack
> > 
> > Security is already breached if a password database can be attacked
> > in that way. A six character (upper and lower case) login password
> > would take about 500 years to force for someone at the keyboard.
> > This assumes three seconds per try without coffee breaks.
> > 
> > I'm the cautious type, so use ten character passwords.
> 
> Well, yes.... but some breaches are from remote machines that may be
> able to lift the /etc/shadow file due to a vulnerability that isn't
> fixed and if that's all they have, then they don't yet need more
> direct access.  If they have /etc/shadow, then they can work on
> off-line brute force.

There are two situations I can think of which could lead to /etc/shadow
becoming vulnerable:

1. The machine's administrator causes it to happen.
2. There is a flaw in one of the OS's components.

The least said about cause 1, the better. There is nothing which can be
done here.

The bug arising in 2. would soon be discovered and a fix rapidly devised
and distributed. There is nothing much to worry about here.

-- 
Brian.
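As an added example, not part of the thread: a small Python calculator for the estimate given above (six upper- and lower-case characters at one try every three seconds at the keyboard) set against an offline attack on a hash lifted from /etc/shadow. The offline guess rate is an assumed placeholder, not a measured figure.

```python
"""Brute-force time estimator: online login-prompt guessing vs. offline
cracking of a captured hash. Constructed example; the only figure taken
from the thread is the three-seconds-per-try online rate."""

SECONDS_PER_YEAR = 365.25 * 86400

# Character-set sizes for the password classes discussed (assumed sizes).
CHARSETS = {
    "lower": 26,
    "upper+lower": 52,
    "upper+lower+digits": 62,
    "printable ASCII": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def worst_case_seconds(space: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at the given guess rate."""
    return space / guesses_per_second


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random password: half the keyspace."""
    return worst_case_seconds(space, guesses_per_second) / 2


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def compare(charset: str, length: int, online_rate: float, offline_rate: float) -> dict:
    """Expected time in years for an online attack (rate-limited by the login
    prompt) versus an offline attack on a hash the attacker already holds."""
    space = keyspace(CHARSETS[charset], length)
    return {
        "keyspace": space,
        "online_years": years(expected_seconds(space, online_rate)),
        "offline_years": years(expected_seconds(space, offline_rate)),
    }


if __name__ == "__main__":
    ONLINE = 1 / 3    # one try every three seconds, as in the thread
    OFFLINE = 1e5     # assumed placeholder rate for a slow salted hash
    for length in (6, 8, 10):
        r = compare("upper+lower", length, ONLINE, OFFLINE)
        print(f"{length:2d} chars: keyspace={r['keyspace']:.3e} "
              f"online~{r['online_years']:.3g} y  offline~{r['offline_years']:.3g} y")
```

The point the figures make is the one raised in the thread: the login prompt's slow rate is what makes six characters look safe, and that protection disappears once the hash itself is in the attacker's hands.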