undefined | Better HN

0 pointsTonyTrapp11mo ago0 comments

Can you please elaborate how it is "asking for it" if we assume the basic auth password is reasonably complex and kept as safe as, say, the SSH login credentials of the same server?

0 comments

cbg011mo ago

You shouldn't be logging in to a server via SSH using a user+password combo, instead use a public/private key combo which is considerably more complex and can't effectively be bruteforced like a user+password.

Most web servers don't really come with any built in defense against brute force attempts vs Basic Auth gates, so unless you've set something up to protect it, someone with enough time will eventually get in.

ArinaS11mo ago

> "can't effectively be bruteforced like a user+password."

Only when the password is weak enough to bruteforce swiftly. It will take literally thousands of years to bruteforce strong passwords.

DrillShopper11mo ago

But you only need one weak password to get in

1 more reply

lossolo11mo ago

> someone with enough time will eventually get in

That's only correct if the password is weak. With enough entropy, it's practically impossible to brute force.

voidUpdate11mo ago

Genuine question that I haven't found a good solution to yet, if I want to just go to any old computer and ssh into my server, do I have to carry around a USB stick with the ssh key on or something? because I sure as hell wont be able to just remember it

pjc5011mo ago

The preferred solution would be something like a Yubikey. However:

> just go to any old computer and ssh into my server

You've typed your password into a computer you don't control. Now it's gone. Same for plugging in the USB stick. The Yubikey approach mitigates that.

Assuming you want to do this, the best practice you can achieve is just making the password long.

1 more reply

haiku207711mo ago

There's no secure way to do that. You have no guarantee that the computer won't copy your key or keylog your password.

You can mitigate it by using an MFA method that requires confirming on a separate device like a phone, but that's down to one layer of defense.

I use an SSH app on my phone for remote access, and I go over a VPN. SSH is not exposed to the public internet.

theossuary11mo ago

In that case I'd normally recommend a bastion host with SSH MFA and fail2ban. It'd be publicly available and have SSH keys for other machines. Or you could look at setting up a VPN solution with MFA, but never have a password only admin login exposed to the public Internet.

ceejayoz11mo ago

I haven’t used it for many years now, but phpMyAdmin was long a source of compromises. Lots of security holes.

TonyTrappOP11mo ago

That's my point - if you have a reasonably secure password (let's say 50-100 characters, fully random), it's extremely unlikely that anyone is ever going to even get beyond the basic auth prompt.

ceejayoz11mo ago

Until there's a bug that lets you bypass it.

1 more reply

udev409611mo ago

A password is just plain text, which apart from being bruteforced, can easily be phished. There are so many things wrong with using a password even if it's fairly complex. Instead, stick to passkeys and SSH keys

j / k navigate · click thread line to collapse

0 comments

cbg011mo ago

ArinaS11mo ago

> "can't effectively be bruteforced like a user+password."

Only when the password is weak enough to bruteforce swiftly. It will take literally thousands of years to bruteforce strong passwords.

DrillShopper11mo ago

But you only need one weak password to get in

1 more reply

lossolo11mo ago

> someone with enough time will eventually get in

That's only correct if the password is weak. With enough entropy, it's practically impossible to brute force.

voidUpdate11mo ago

pjc5011mo ago

The preferred solution would be something like a Yubikey. However:

> just go to any old computer and ssh into my server

You've typed your password into a computer you don't control. Now it's gone. Same for plugging in the USB stick. The Yubikey approach mitigates that.

Assuming you want to do this, the best practice you can achieve is just making the password long.

1 more reply

haiku207711mo ago

There's no secure way to do that. You have no guarantee that the computer won't copy your key or keylog your password.

You can mitigate it by using an MFA method that requires confirming on a separate device like a phone, but that's down to one layer of defense.

I use an SSH app on my phone for remote access, and I go over a VPN. SSH is not exposed to the public internet.

theossuary11mo ago

ceejayoz11mo ago

I haven’t used it for many years now, but phpMyAdmin was long a source of compromises. Lots of security holes.

TonyTrappOP11mo ago

That's my point - if you have a reasonably secure password (let's say 50-100 characters, fully random), it's extremely unlikely that anyone is ever going to even get beyond the basic auth prompt.

ceejayoz11mo ago

Until there's a bug that lets you bypass it.

1 more reply

udev409611mo ago

j / k navigate · click thread line to collapse