On Sun 11 Jan 2015 at 16:43:34 -0700, Bob Proulx wrote:
> Brian wrote:
> > Bob Proulx wrote:
> > > Complete agreement. I want to go further and say that a password that
> > > you can remember without needing to write it down is probably not a
> > > good password.
> >
> > Security of an ssh login is aimed at allowing access to some but denying
> > it to others. An authorised user who cannot remember his 20 character
> > password has experienced a security failure.
>
> Security is the part of the system designed to make it not only hard
> to use but the design goal is to prevent it from being used.
Seeing that my argument that enforcing (if it is possible) an unmemorable password is not in the best interests of security doesn't gain any traction, let me try a different tack.

The password TwasBrilligAndTheSlithyToves strikes me as a pretty good one for an ssh login. (I have capitalised some letters for readability, not to add complexity.) Personally, I find it easy to remember and associate with ssh and my account. I cannot see why it is not a good password for me. The automated probes wouldn't get close to cracking it. The danger might be a directed attack - from friends, associates, colleagues etc. If they knew about my fixation on Lewis Carroll they might have a go at breaking in.

Actually, it would be OK as a password for banking access too. There surely cannot be a banking site which does not take action after a number of failed logins. Maybe not using fail2ban, but a similar approach which protects both parties.

Archive: https://lists.debian.org/12012015193541.dea84e875...@desktop.copernicus.demon.co.uk
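The two claims in the message above (that a long passphrase is out of reach of automated probes, and that a lockout after a number of failed logins protects it even against someone who knows where it came from) can be put in numbers. The following is an added worked example, not code from the thread or from fail2ban; it estimates the search space an attacker faces under three assumptions about what they know (nothing but the charset, that it is a run of dictionary words, or that it is a known quotation) and bounds how many online guesses a fail2ban-style policy allows per source address. The vocabulary size, quotation-corpus size and the maxretry/bantime values are constructed for illustration.

```python
import math
import re

# Sample input: the passphrase quoted in the message above.
PASSPHRASE = "TwasBrilligAndTheSlithyToves"


def charset_size(pw: str) -> int:
    """Size of the smallest conventional character-class set covering pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation
    return size


def bruteforce_bits(pw: str) -> float:
    """Work (in bits) if the attacker knows only the length and charset."""
    return len(pw) * math.log2(charset_size(pw))


def split_words(pw: str) -> list:
    """Split a CamelCase passphrase into its words."""
    return re.findall(r"[A-Z][a-z]*|[a-z]+", pw)


def wordlist_bits(pw: str, vocabulary: int) -> float:
    """Work if the attacker knows it is N independent words from a vocabulary
    of the given size (constructed assumption: vocabulary is a parameter)."""
    return len(split_words(pw)) * math.log2(vocabulary)


def quotation_bits(corpus: int) -> float:
    """Work if the attacker knows it is one of `corpus` famous quotations,
    i.e. the 'directed attack by someone who knows my Lewis Carroll fixation'."""
    return math.log2(corpus)


def online_guesses(maxretry: int, bantime_s: int, window_s: int) -> int:
    """Upper bound on guesses one source address gets within window_s under a
    fail2ban-style policy: maxretry attempts, then a ban of bantime_s seconds.
    Attempts are assumed to take no time, so this is a conservative bound."""
    return maxretry * math.ceil(window_s / bantime_s)


def years_to_exhaust(bits: float, guesses_per_year: int) -> float:
    """Years needed to try every candidate at the given online guess rate."""
    return 2 ** bits / guesses_per_year


if __name__ == "__main__":
    # Constructed policy: 5 tries, then a 10-minute ban, measured over one year.
    per_year = online_guesses(maxretry=5, bantime_s=600, window_s=365 * 86400)
    print(f"online guesses per address per year: {per_year}")
    for label, bits in [
        ("brute force over charset", bruteforce_bits(PASSPHRASE)),
        ("six dictionary words (10k vocab)", wordlist_bits(PASSPHRASE, 10_000)),
        ("known quotation (1M corpus)", quotation_bits(1_000_000)),
    ]:
        print(f"{label:35s} {bits:6.1f} bits, "
              f"{years_to_exhaust(bits, per_year):.1e} years online")
```

The interesting row is the last one: a lockout caps a single address at a few hundred thousand guesses a year, so even an attacker who has narrowed the passphrase to a million-entry quotation list needs years online. The large brute-force and word-list figures only matter if the password hash is stolen and cracked offline, which is where the "unmemorable" argument in the quoted text actually applies.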