[NBLUG/talk] How do you handle physical device passwords?

Rick Moen rick at linuxmafia.com
Tue May 9 09:26:10 PDT 2017


Quoting Allan Cecil (allan at nblug.org):

> My brute force concern was one of "my laptop was stolen".  Now, I have
> an encrypted home partition but not an encrypted disk (on one of my
> laptops, anyway) and thus /etc/password and /etc/shadow are in theory
> accessible if the volume is mounted which would in theory allow an
> offline dictionary attack.

Even a system with encrypted disk suffers credible threat models if
stolen while powered up.  The major spook agencies have efficient means
to attack running systems, which I won't go into further here, but you
can find descriptions in the usual places (Schneier's blog and
Crypto-Gram, etc.).  And, over time, techniques pioneered by the spooks
trickle down to lower-rent attackers, too.

One interesting hypothetical is:  I'm about to visit a country known to
be nosy about travelers' laptop computers.  (Pick your favourite bad boy.)
What measures should I take to ensure that I don't have various types of
problems (of which several can be named)?  EFF has published some guides
giving advice about this problem.


> Even the low attack rate of SSH passwords is too high for me so I've
> disabled password-based login entirely.

As the saying goes, choose your own level of paranoia.  ;->  I've seen
so many cases of stolen public keys that I have my doubts about this
avoidance having advantages that outweigh the drawbacks.

> Not as a matter of security by obscurity but more because I have
> multiple hosts on one IP address I also use a non-default SSH port
> which substantially reduces attacks.  

You call those attacks.  I call them doorknob-twisting.  (But see
traditional saying.)

