
Distributed brute force ssh attacks

Posted Oct 22, 2009 10:16 UTC (Thu) by ikm (subscriber, #493)
Parent article: Distributed brute force ssh attacks

Isn't it better to just audit bad passwords on the server side? If all passwords are relatively strong (e.g. no "mike:mike", "mike:123" and so on exist), then there should be no harm from those attacks, except for extra traffic and CPU consumption to handle all the requests.



Password auditing isn't reliable

Posted Oct 22, 2009 17:04 UTC (Thu) by copsewood (subscriber, #199)

Password auditing is difficult if users are allowed to choose their own passwords. It's true you can use tools such as Crack to do this, but if your popular password list isn't the same as the one used by your attacker, a password that looks strong to your tools might well be weak to an attacker. E.g., your user's weak password might be a popular password in a language you don't speak and which those compiling your Crack password dictionary don't know about. Fine if you have access to the same auditing tools as your attackers have for attacking you, but it certainly isn't safe to assume that you do. It seems to me better either to generate random passwords for the users, or choose good ones for them they should be able to remember based on what you know about them which attackers are unlikely to know or guess.
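The two comments above can be put side by side in code: a server-side audit that catches the "mike:mike" / "mike:123" style pairs and dictionary words, and the limitation that a password only fails the dictionary check if it happens to be in the list the auditor holds. This is an added illustration, not code from either commenter; the wordlists are tiny constructed stand-ins for real dictionaries, and the random generator shows the alternative the second comment suggests.

```python
import secrets
import string

# Constructed sample wordlists standing in for dictionaries compiled by
# different parties (an auditor's English list vs. one covering another
# language). A real audit would load far larger files.
ENGLISH_LIST = {"password", "letmein", "qwerty", "123456", "welcome"}
OTHER_LANGUAGE_LIST = {"passwort", "schatz", "contrasena", "motdepasse"}


def username_derived(username: str, password: str) -> bool:
    """Flag the 'mike:mike' and 'mike:123' style pairs from the first comment."""
    u = username.lower()
    p = password.lower()
    if p == u:
        return True
    if p.startswith(u) and p[len(u):].isdigit():   # mike123
        return True
    if p.isdigit() and len(p) <= 6:                # 123, 123456
        return True
    return False


def audit(username: str, password: str, wordlists: dict) -> list:
    """Return the names of the checks that flag the password ([] if none).

    The dictionary check is only as good as the lists passed in: a password
    missing from every list is reported clean even if an attacker has it.
    """
    hits = []
    if username_derived(username, password):
        hits.append("derived-from-username")
    for name, words in wordlists.items():
        if password.lower() in words:
            hits.append("in-" + name)
    return hits


def random_password(length: int = 16) -> str:
    """Generate a password for the user instead of auditing a chosen one."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

With only the English list loaded, "schatz" passes the audit; adding the second list is what catches it, which is the gap the second comment points at.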

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds