Strong passwords no panacea as SSH brute-force attacks rise

Posted on Thu 15 May 2008 in Dispatches • 1 min read

Okay, if you still have your box configured to allow remote logins as “root”, then you deserve anything you get. Otherwise, start using strong passphrases (not a password, those are too easy), or if you can swing it with your work flow, use an ssh key rather than a text-based login. It’s less convenient in some ways, but it’s worth your time. Honestly, I’m a little behind here as I’ve intended to switch more of my systems over to private keys for a while now, but on half I still login with a username and a strong passphrase.

Also, while we are at it, just a reminder that security through obscurity doesn’t work in the long run. You can reduce the effectiveness of automated attacks by running ssh on a different port, but don’t think that’s going to be an effective long-range solution. If someone wants in, they will find the ssh port, so it’s up to you to get the rest of your security together.

This all goes for you Apple folks too.