Comments
FWIW a key isn't going to provide much over a decent ~30-char passphrase. It is 2FA that is the biggest security feature.
How's that? A key will have significantly more entropy, and that's even assuming that the "30char passphrase" is CS-random, which it almost never is in practice.
And a 1Meg key will have significantly more entropy than a 1k key, but at some point you reach a point of impracticality. And either is still equally vulnerable being acquired, this being the main security risk for a key.
2FA adds the requirement that they need to gain 2 secrets, one physical and one which hopefully only you know, requiring both a physical attack and social engineering or a time-consuming brute force that can be blocked by fail2ban (or obtaining your hash in another physical attack and brute forcing that). Relatively, adding 2FA will do orders of magnitude more for your security than just a key. That is my point, RELATIVE security.
Security is handled in layers. Public/private key is a better layer than password. Adding two factor is another layer. Restricting IPs is another layer. The list goes on.
Suggesting the use of passwords over keys because "at some point you reach a point of impracticality" isn't sound reasoning. Not only are keys simply easier to use than passwords, they are generally a better layer of security.
In other words, all things being equal, why bother with passwords when keys are better in every way.
edit: Keys can also be encrypted with passwords, so if they're stolen you have yet another layer in place. Heck, for that matter, if you're going to use a 30-character password to login, might as well make that the encryption password for your key.
Key-based authentication will not stop attempts, only successes.
Are you deliberately missing the point (which you just reiterated) or are you really that thick? Yes, layers. And whatever you do, multiple layers are many times better than one.
Jesus Christ
Realistically, you're not going to have a 30-character key with perfect randomness without writing it down / storing it somewhere, in which case you might as well just use a keypair and have it be more convenient.
Considering tradeoffs of convenience vs. security, an encrypted keypair + 2FA is a much better option than a 30-character password + 2FA, especially given that the user is far less likely to screw up the latter (e.g. by letting a piece of paper with the password linger around, or picking a password according to a pattern for rememberability).
Sure, if you have a 30-character password with perfect randomness, then that might be good enough (depending on configuration, software, etc. - you want it to still hold up even if it's partially weakened, for example), but in what real-world scenario is that going to be a more viable option than a keypair?
How is that magic done?
People will still try, but probably with less success. He will still have lots of attempts in his logs.
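An added example (my own code, not from any poster in this thread) of what the remark above means in practice: once password auth is off, bots still appear in sshd's log, just as pre-auth disconnects instead of "Failed password" lines, so a fail2ban-style per-IP count has to match both. The log lines are constructed and the OpenSSH message formats are an assumption about your sshd version.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd auth.log lines (assumed OpenSSH syslog format; not from the thread).
# Addresses are RFC 5737 documentation ranges, so nothing here points at a real host.
SAMPLE_LOG = """\
Jan 10 03:14:07 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:09 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 10 03:14:11 vps sshd[1205]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jan 10 03:14:13 vps sshd[1207]: Connection closed by authenticating user root 203.0.113.5 port 51250 [preauth]
Jan 10 03:14:15 vps sshd[1209]: Connection closed by invalid user oracle 203.0.113.5 port 51255 [preauth]
Jan 10 03:15:02 vps sshd[1211]: Connection closed by authenticating user root 198.51.100.9 port 40001 [preauth]
Jan 10 03:16:40 vps sshd[1213]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
"""

# "Failed password" only exists while PasswordAuthentication is on; with key-only auth the
# same bots show up as pre-auth disconnects, so both patterns are counted as attempts.
FAILED_PASSWORD = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
PREAUTH_CLOSE = re.compile(r"Connection closed by (?:authenticating|invalid) user (\S+) (\S+) port \d+ \[preauth\]")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")


def summarize(log_text, threshold=5):
    """Count attempts per source IP and flag IPs at or above a fail2ban-style threshold."""
    attempts = Counter()
    by_method = defaultdict(Counter)
    accepted = []  # (ip, user, method) for successful logins, the only lines keys actually change
    for line in log_text.splitlines():
        m = FAILED_PASSWORD.search(line)
        if m:
            attempts[m.group(2)] += 1
            by_method[m.group(2)]["password"] += 1
            continue
        m = PREAUTH_CLOSE.search(line)
        if m:
            attempts[m.group(2)] += 1
            by_method[m.group(2)]["preauth"] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m.group(3), m.group(2), m.group(1)))
    flagged = sorted(ip for ip, n in attempts.items() if n >= threshold)
    return {"attempts": dict(attempts), "by_method": {ip: dict(c) for ip, c in by_method.items()},
            "accepted": accepted, "flagged": flagged}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```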
slash etc slash hosts dot deny (has helped me a lot)
How to even prove that something is perfectly random :P
I literally quoted you saying passwords of sufficient length are just as good as keys. I then proceeded to explain that's not true and why.
Side note: I think Vanilla should have a quote limit (like where someone quotes a post with a quote and so on and so forth).
By the way @joepie91:
How do you plan on getting that perfectly random password of yours?