Petter Reinholdtsen <[email protected]> wrote:

> Time to pick up this thread again, and set up some defence against the
> simple and stupid brute force attacks.
> ...

Yes.

> These are the known options:
> ...

[his list is quite reasonable, but snipped out here]

> ...
> These options are not exclusive, and we can pick combinations that make
> sense. I believe it is best to handle this issue on the PAM level, and
> there we have two options. Because libpam-shield is orphaned and has
> such a huge block period, I conclude that libpam-abl is our best option. We
> should also look at disabling password login from the Internet over ssh,
> and only allow it on the local network.

Sounds sensible, but I think there is another option.

Back in 2011, I started a thread with subject "crypto questions". The
password part of my post was:

" Passwords are a standard security mechanism and very often
" a weak link. You can avoid passwords altogether for many
" server activities by using the public key stuff in SSH. Great
" for some of us, but is it going to be usable by our target
" market? If not, what would that take?
"
" One thing to look at is ways to eliminate the default
" password at setup:
" http://www.turnkeylinux.org/blog/end-to-default-passwords
"
" Another is Bcrypt, a password system that aims
" to be more secure:
"
" An overview/advocacy article:
" http://codahale.com/how-to-safely-store-a-password/
"
" The original technical paper:
" http://www.usenix.org/events/usenix99/provos.html
"
" Bcrypt is the default for NetBSD. It is available in the
" Ubuntu repositories, so I presume also in Debian. I'd
" say it should be the default for the box, and we could
" ask the Debian folks to look at whether it might
" become the default for Debian.

There is also a competition going on to find better password-handling
methods:

https://password-hashing.net/

Both the organizing committee and some of the tea

It is not expected to give final results until mid-2015, but is worth
keeping in mind.

_______________________________________________
Freedombox-discuss mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
