PoneyTelecom SSH login attempts: haha! - Page 2

Comments

  • @FlamesRunner said:
    @hostdare

    You're a VPS provider. At the very LEAST you should know how to use key authentication.

    Also congratulations: I won't be picking up a Hostdare VPS any time soon. Maybe others, too.

    FWIW a key isn't going to provide much over a decent ~30char passphrase. It is 2FA that is the biggest security feature

  • joepie91 Member, Patron Provider

    @mycosys said:

    @FlamesRunner said:
    @hostdare

    You're a VPS provider. At the very LEAST you should know how to use key authentication.

    Also congratulations: I won't be picking up a Hostdare VPS any time soon. Maybe others, too.

    FWIW a key isn't going to provide much over a decent ~30char passphrase. It is 2FA that is the biggest security feature

    How's that? A key will have significantly more entropy, and that's even assuming that the "30char passphrase" is CS-random, which it almost never is in practice.

    Thanked by 1 hostdare
  • @joepie91 said:

    @mycosys said:

    @FlamesRunner said:
    @hostdare

    You're a VPS provider. At the very LEAST you should know how to use key authentication.

    Also congratulations: I won't be picking up a Hostdare VPS any time soon. Maybe others, too.

    FWIW a key isn't going to provide much over a decent ~30char passphrase. It is 2FA that is the biggest security feature

    How's that? A key will have significantly more entropy, and that's even assuming that the "30char passphrase" is CS-random, which it almost never is in practice.

    And a 1Meg key will have significantly more entropy than a 1k key, but at some point you reach a point of impracticality. And either is still equally vulnerable to being acquired, this being the main security risk for a key.
    2FA adds the requirement that they need to gain 2 secrets, one physical and one which hopefully only you know, requiring both a physical attack and social engineering or a time consuming brute force that can be blocked by fail2ban (or obtaining your hash in another physical attack and brute forcing that). Relatively adding 2FA will do orders of magnitude more for your security than just a key. That is my point, RELATIVE security.

    Thanked by 1 asf
  • JustAMacUser Member
    edited September 2016

    mycosys said: That is my point,

    Security is handled in layers. Public/private key is a better layer than password. Adding two factor is another layer. Restricting IPs is another layer. The list goes on.

    Suggesting the use of passwords over keys because "at some point you reach a point of impracticality" isn't sound reasoning. Not only are keys simply easier to use than passwords, they are generally a better layer of security.

    In other words, all things being equal, why bother with passwords when keys are better in every way.

    edit: Keys can also be encrypted with passwords, so if they're stolen you have yet another layer in place. Heck, for that matter, if you're going to use a 30-character password to login, might as well make that the encryption password for your key.

  • DewlanceVPS said: Please use Key based login and you will not get any attempt.

    Key-based authentication will not stop attempts, only successes.

    Thanked by 1 hostdare
  • @JustAMacUser said:

    mycosys said: That is my point,

    Security is handled in layers. Public/private key is a better layer than password. Adding two factor is another layer. Restricting IPs is another layer. The list goes on.

    Suggesting the use of passwords over keys because "at some point you reach a point of impracticality" isn't sound reasoning. Not only are keys simply easier to use than passwords, they are generally a better layer of security.

    In other words, all things being equal, why bother with passwords when keys are better in every way.

    edit: Keys can also be encrypted with passwords, so if they're stolen you have yet another layer in place. Heck, for that matter, if you're going to use a 30-character password to login, might as well make that the encryption password for your key.

    are you deliberately missing the point (which you just re-iterated) or are you really that thick? Yes, layers. and whatever you do multiple layers are many times better than one.

    Jesus christ

    Thanked by 1 asf
  • joepie91 Member, Patron Provider

    @mycosys said:

    @joepie91 said:

    @mycosys said:

    @FlamesRunner said:
    @hostdare

    You're a VPS provider. At the very LEAST you should know how to use key authentication.

    Also congratulations: I won't be picking up a Hostdare VPS any time soon. Maybe others, too.

    FWIW a key isn't going to provide much over a decent ~30char passphrase. It is 2FA that is the biggest security feature

    How's that? A key will have significantly more entropy, and that's even assuming that the "30char passphrase" is CS-random, which it almost never is in practice.

    And a 1Meg key will have significantly more entropy than a 1k key, but at some point you reach a point of impracticality. And either is still equally vulnerable to being acquired, this being the main security risk for a key.
    2FA adds the requirement that they need to gain 2 secrets, one physical and one which hopefully only you know, requiring both a physical attack and social engineering or a time consuming brute force that can be blocked by fail2ban (or obtaining your hash in another physical attack and brute forcing that). Relatively adding 2FA will do orders of magnitude more for your security than just a key. That is my point, RELATIVE security.

    Realistically, you're not going to have a 30-character key with perfect randomness without writing it down / storing it somewhere, in which case you might as well just use a keypair and have it be more convenient.

    Considering tradeoffs of convenience vs. security, an encrypted keypair + 2FA is a much better option than a 30-character password + 2FA, especially given that the user is far less likely to screw up the latter (eg. by letting a piece of paper with the password linger around, or picking a password according to a pattern for rememberability).

    Sure, if you have a 30-character password with perfect randomness, then that might be good enough (depending on configuration, software, etc. - you want it to still hold up even if it's partially weakened, for example), but in what real-world scenario is that going to be a more viable option than a keypair?

  • DewlanceVPS said: Please use Key based login and you will not get any attempt.

    How is that magic done?
    People will still try, but probably with less success. He will still have lots of attempts in his logs.

  • edited September 2016

    slash etc slash hosts dot deny (has helped me a lot)
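
The comments above note that key-based login stops successes rather than attempts, and that the attempts are then handled with fail2ban or hosts.deny. As an added example (not part of any post in this thread), this tallies failed SSH logins per source address and builds hosts.deny entries; the log lines, threshold and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of OpenSSH auth-log lines (documentation address ranges).
SAMPLE_LOG = """\
Sep 12 03:14:07 vps sshd[2101]: Failed password for root from 203.0.113.45 port 51234 ssh2
Sep 12 03:14:09 vps sshd[2101]: Failed password for root from 203.0.113.45 port 51234 ssh2
Sep 12 03:14:12 vps sshd[2103]: Failed password for invalid user admin from 203.0.113.45 port 51301 ssh2
Sep 12 03:15:40 vps sshd[2110]: Invalid user oracle from 198.51.100.7 port 40022
Sep 12 03:15:41 vps sshd[2110]: Failed password for invalid user oracle from 198.51.100.7 port 40022 ssh2
Sep 12 08:02:11 vps sshd[2290]: Accepted publickey for deploy from 192.0.2.10 port 50111 ssh2: ED25519 SHA256:CONSTRUCTED
Sep 12 09:30:00 vps sshd[2400]: Failed password for deploy from 192.0.2.10 port 50500 ssh2
"""

# Anchored at end of line so the source address is always the final
# "from <addr> port <n>", not text inside the client-supplied username.
FAILED = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?|Invalid user )"
    r".* from (\S+) port \d+(?: ssh2)?$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for .* from (\S+) port \d+")

def tally(log_text):
    """Return (failure count per address, addresses with a successful login)."""
    failures, accepted = Counter(), set()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.add(m.group(1))
    return failures, accepted

def deny_lines(log_text, threshold=3, allow=()):
    """Build hosts.deny entries for addresses at or above the threshold.

    Addresses that also logged in successfully, or that are in `allow`,
    are never listed, so a mistyped password cannot lock out an admin.
    """
    failures, accepted = tally(log_text)
    skip = accepted | set(allow)
    return [f"sshd: {ip}" for ip, n in failures.most_common()
            if n >= threshold and ip not in skip]

if __name__ == "__main__":
    print("\n".join(deny_lines(SAMPLE_LOG)))
```

hosts.deny is only honoured when sshd is built with TCP wrappers (libwrap) support; upstream OpenSSH removed it in 6.7, while some distributions still patch it in.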

  • @joepie91 said:

    @mycosys said:

    @joepie91 said:

    @mycosys said:

    @FlamesRunner said:
    @hostdare

    You're a VPS provider. At the very LEAST you should know how to use key authentication.

    Also congratulations: I won't be picking up a Hostdare VPS any time soon. Maybe others, too.

    FWIW a key isn't going to provide much over a decent ~30char passphrase. It is 2FA that is the biggest security feature

    How's that? A key will have significantly more entropy, and that's even assuming that the "30char passphrase" is CS-random, which it almost never is in practice.

    And a 1Meg key will have significantly more entropy than a 1k key, but at some point you reach a point of impracticality. And either is still equally vulnerable to being acquired, this being the main security risk for a key.
    2FA adds the requirement that they need to gain 2 secrets, one physical and one which hopefully only you know, requiring both a physical attack and social engineering or a time consuming brute force that can be blocked by fail2ban (or obtaining your hash in another physical attack and brute forcing that). Relatively adding 2FA will do orders of magnitude more for your security than just a key. That is my point, RELATIVE security.

    Realistically, you're not going to have a 30-character key with perfect randomness without writing it down / storing it somewhere, in which case you might as well just use a keypair and have it be more convenient.

    Considering tradeoffs of convenience vs. security, an encrypted keypair + 2FA is a much better option than a 30-character password + 2FA, especially given that the user is far less likely to screw up the latter (eg. by letting a piece of paper with the password linger around, or picking a password according to a pattern for rememberability).

    Sure, if you have a 30-character password with perfect randomness, then that might be good enough (depending on configuration, software, etc. - you want it to still hold up even if it's partially weakened, for example), but in what real-world scenario is that going to be a more viable option than a keypair?

    How to even prove that something is perfectly random :P

  • @mycosys said:
    are you deliberately missing the point (which you just re-iterated) or are you really that thick?

    I literally quoted you saying passwords of sufficient length are just as good as keys. I then proceeded to explain that's not true and why.

  • Side note: I think Vanilla should have a quote limit (like where someone quotes a post with a quote and so on and so forth).


    By the way @joepie91:

    How do you plan on getting that perfectly random password of yours?
