On Wed, Mar 26, 2025 at 09:23:58AM +0800, jeremy ardley wrote:
>
> On 26/3/25 06:48, Jan Claeys wrote:
> > FWIW: at that rate it takes millions of years to guess an even halfway
> > semi-secure 8-character password, let alone the really secure longer
> > one you _should_ be using.
>
> It's not the random password guess that's a problem. It's the passwords that
> have been compromised on some website where you re-use your username and
> password.
Don't do that, then.

Of the many recommendations "out there" regarding passwords, this is the
only one which really matters: never re-use one of your "important"
passwords elsewhere, the other being "use enough entropy". The biggest
weaknesses of a password scheme are leaks and guessing.

> The basic security policy should be to never expose a password protected
> service to the internet. First don't expose them at all. Second, if you do
> have to then use certificates or public key backed up with MFA.

I obviously disagree on that one. That always depends. Where possible, I use
keys, where not, passwords.

And please, don't mix "certificates" in: that's another category (a solution
to the key distribution problem: how do you get the public parts of allowed
keys to the server) -- it has not much to do with our current topic (to
illustrate: if you have only one key allowed to access your server, a cert
is practically useless).

Cheers
-- 
t