Strong passwords vs. strong usernames

You are currently reading a thread in /g/ - Technology

Thread replies: 13
Thread images: 2
We are constantly reminded to use strong passwords to make it harder for an attacker to brute-force into our accounts.

However, our credentials are usually a login name and a password, not just a password. Attackers have to brute-force both, don't they? When I look at my SSH's server logs, I can see constant intrusion attempts made under administrative login names such as root, apache, admin, and common first names such as john, matt, ryan...

If a login name is unlikely to be guessed (e.g. andreii-alexievitch), can we say it's mostly safe, even if its password isn't as strong as it could be?
>>
>>53584568
>Attackers have to brute-force both, don't they?
No.
>>
Strong usernames? You might be retarded.
>>
>>53584568
you could use a random username with 64 bits of entropy and a random password with 64 bits of entropy; or you could just use a normal username and a random password with 128 bits of entropy
>>
username: BEMy8kvRSbHYNP2PevxutFPtnLjtk3kBWXeBgU6vgP7s5mp7
password: admin

checkmate hackers
>>
>>53584579
>>53584588
I don't get it then. Take my SSH server for instance: how would an attacker know which usernames are defined on the system?

Assuming it's the only server running. The file /etc/passwd is just not accessible, so the attacker can't know which usernames are defined on the system. That's why they use root and common first names, don't they?

Plz explain, I'm confused.
>>
>>53584633
There are a lot of ways a username can be leaked from servers.
>>
>>53584632
username: p*öą~i§α,↔É!å▐!,:*ę`¼!▌ß↨ì6■↑56ôw┘*`aó
password: 12345
They can't hack me if they can't even do that on their keyboards :^)
>>
>>53584633
If someone leaks /etc/shadow and starts cracking the hashes, "admin" as a password would fall to a brute force crack rather quickly.
>>
>>53584568
Both
/thread
>>
>>53584653
I'm not seeing that many ways... Doesn't that require at least another server process running, and that process to be compromised, to gain access to the system or at least get the usernames?

Assuming no physical access to the system of course otherwise all is lost anyway.

>>53584672
I see, good point, except that this file is not world-readable, so that someone has to be root or a process running as root.

It's true though that root can make mistakes, I once did a bad rm -rf.
>>
It's true the attacker would need both your username and your password for a brute force attack. Sure, a non-standard username would help, but I'd advise against creating usernames with the same amount of entropy as you would create your passwords with. Just make sure only the usernames that actually require access to your machine are allowed to remotely log in. In other words, block remote logins of accounts that do not need remote access (such as root).

Rely on the entropy of your passwords, not your usernames.

For SSH, it also helps to host your SSH daemon on a non-standard port (i.e. other than port 22), and install Fail2ban to thwart brute force attempts altogether. SSH keys are also (much) stronger than passwords, and you can unlock them using a password (two-factor authentication), or without a password at all.
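As an added example (not from any poster in this thread), here is a small script that ties together the two practical points raised above: the OP's observation that sshd logs fill up with guesses against root and common first names, and this post's advice on restricting who may log in remotely, preferring keys and banning noisy sources. The log lines and sshd_config fragments are constructed for the demonstration; the usernames match those mentioned in the thread and the addresses are RFC 5737 test ranges.

```python
import re
from collections import Counter

# Constructed sshd log sample (not real traffic); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar  3 10:01:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Mar  3 10:01:06 host sshd[1205]: Failed password for invalid user apache from 203.0.113.5 port 51004 ssh2
Mar  3 10:01:09 host sshd[1207]: Failed password for invalid user john from 203.0.113.5 port 51006 ssh2
Mar  3 10:02:11 host sshd[1209]: Failed password for invalid user matt from 198.51.100.7 port 40022 ssh2
Mar  3 10:03:15 host sshd[1211]: Accepted publickey for andreii-alexievitch from 192.0.2.10 port 39000 ssh2
"""
# Constructed sshd_config fragments: one wide open, one following the advice in the thread.
WEAK_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = ("Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n"
                   "PubkeyAuthentication yes\nAllowUsers andreii-alexievitch\n")

# Matches both "Failed password for root from ..." and "... for invalid user admin from ...".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")

def failed_logins(log_text):
    """Tally failed password attempts per guessed username and per source address."""
    by_user, by_ip = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            by_user[m.group("user")] += 1
            by_ip[m.group("ip")] += 1
    return by_user, by_ip

def sources_to_ban(by_ip, maxretry=3):
    """Fail2ban-style decision: a source that reaches maxretry failures gets banned."""
    return sorted(ip for ip, n in by_ip.items() if n >= maxretry)

def audit_sshd_config(config_text):
    """List settings that contradict the thread's advice: root login, passwords
    instead of keys, no AllowUsers allow-list, and the default port 22."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if line:
            parts = re.split(r"[\s=]+", line, maxsplit=1)
            settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    findings = []
    if settings.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not set to 'no'")
    if settings.get("passwordauthentication", "yes") != "no":   # OpenSSH default is yes
        findings.append("PasswordAuthentication is on; move to keys and disable it")
    if "allowusers" not in settings:
        findings.append("no AllowUsers allow-list of accounts that need remote access")
    if settings.get("port", "22") == "22":                       # OpenSSH default port
        findings.append("sshd listens on the default port 22")
    return findings
```

Running `failed_logins(SAMPLE_LOG)` shows every failure targeting root or a guessed first name, never the unusual real account, while `audit_sshd_config(WEAK_CONFIG)` returns four findings and the hardened fragment returns none.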
>>
>>53585008
Thanks for the advice anon. I knew it but yeah I don't apply all of it.