[Labs-l] 2-factor shell auth (was:second attempt to request alternative login server)

Leslie Carr lcarr at wikimedia.org
Wed Mar 6 19:17:12 UTC 2013


On Wed, Mar 6, 2013 at 11:12 AM, Petr Bena <benapetr at gmail.com> wrote:
> Do you know that we are talking about labs and not production? I don't
> want to look like some insecure-stuff loving guy - but why in the
> world would someone want to brute force into labs? If I were a hacker and I
> wanted to get into labs - I would just request an account and I would
> get it...
>

We have already had an incident in labs where hackers gained access to
instances and were using them for scam mail.  Even if it's not a
targeted attack, people will try to brute force any public IP to gain
access for spamming or other nefarious purposes.

> Do we need some high tech security here?
>
> On Wed, Mar 6, 2013 at 7:45 PM, Leslie Carr <lcarr at wikimedia.org> wrote:
>> On Wed, Mar 6, 2013 at 10:19 AM, Matthew Walker <mwalker at wikimedia.org> wrote:
>>>> [removed garbage about password auth being wonderful...]
>>>
>>> I don't feel passwords are any more or less secure than keys. In some cases
>>> keys can be even less secure if you're doing agent forwarding.
>>
>> Yes, passwords are less secure than keys - egads.  The amount of
>> entropy in a key makes it impossible to brute force in this day and
>> age (https://www.youtube.com/watch?v=BA6kG-tOkBs) versus passwords
>> which have much less entropy.  You should still password protect your
>> key in case your laptop/key storage is accessed.
>>
>> --
>> Leslie Carr
>> Wikimedia Foundation
>> AS 14907, 43821
>> http://as14907.peeringdb.com/
>>



-- 
Leslie Carr
Wikimedia Foundation
AS 14907, 43821
http://as14907.peeringdb.com/


