A recently disclosed bug in OpenSSH, the software widely used to log in remotely to Internet-facing computers and servers, allows attackers to make thousands of password guesses within a single login window, a defect that could expose systems to password cracking, a security researcher has warned.
Under normal circumstances, OpenSSH allows just three or six login attempts (the MaxAuthTries setting, which defaults to six) before closing a connection, the researcher who goes by the moniker KingCope wrote in a blog post published last week. The recently discovered vulnerability, however, allows attackers to perform thousands of authentication requests during a single open login window, which by default lasts two minutes (the LoginGraceTime setting). As a result, attackers who cycle through the most commonly used passwords face much better odds of finding the right one, because the vulnerability lets them try many more candidates per connection than they otherwise could.
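The defect described above leaves a distinctive trace in sshd's own logs: a single connection (one sshd child process, so one pid) racks up far more "Failed password" lines than MaxAuthTries should permit, all inside the two-minute grace window. The following detection script is an added example written for this article, not code from KingCope's post or from the OpenSSH project. It parses standard syslog-format sshd lines, groups failures per pid, and flags any session whose failure count exceeds the configured MaxAuthTries. The log lines are constructed for the example; the hostname, IP addresses and pids are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog-style sshd line: "<Mon DD HH:MM:SS> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Standard sshd failure message for password (and keyboard-interactive/pam) logins.
FAIL_RE = re.compile(
    r"^Failed (?:password|keyboard-interactive/pam) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def flag_bypass_sessions(log_lines, max_auth_tries=6, grace_seconds=120):
    """Return {pid: details} for every connection whose failed-auth count
    exceeds MaxAuthTries. A healthy sshd closes the connection at the limit,
    so a session that gets past it is either misconfigured or abusing the
    limit-bypass bug. 'within_grace' records whether all failures fit inside
    one LoginGraceTime window, i.e. a single open login attempt."""
    sessions = defaultdict(list)  # pid -> [(timestamp, ip, user), ...]
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.match(m.group("msg"))
        if not f:
            continue  # accepted logins, "maximum attempts exceeded" notices, etc.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
        sessions[m.group("pid")].append((ts, f.group("ip"), f.group("user")))

    flagged = {}
    for pid, events in sessions.items():
        if len(events) <= max_auth_tries:
            continue  # normal behaviour: sshd cut the session off at the limit
        events.sort()
        span = (events[-1][0] - events[0][0]).total_seconds()
        flagged[pid] = {
            "ip": events[0][1],
            "users": sorted({e[2] for e in events}),
            "failures": len(events),
            "span_seconds": span,
            "within_grace": span <= grace_seconds,
        }
    return flagged


# ---- Constructed sample log (placeholder host, pids and RFC 5737 addresses) ----
_BASE = datetime(1900, 7, 20, 10, 15, 0)  # year 1900 matches strptime's default


def _fail_line(offset_s, pid, user, ip, port):
    ts = (_BASE + timedelta(seconds=offset_s)).strftime("%b %d %H:%M:%S")
    return f"{ts} bastion sshd[{pid}]: Failed password for {user} from {ip} port {port} ssh2"


SAMPLE_LOG = (
    # pid 2201: ordinary brute-force, stopped by MaxAuthTries after 6 failures
    [_fail_line(i * 3, 2201, "root", "198.51.100.9", 40011) for i in range(6)]
    + ["Jul 20 10:15:18 bastion sshd[2201]: error: maximum authentication attempts "
       "exceeded for root from 198.51.100.9 port 40011 ssh2 [preauth]"]
    # unrelated successful login, must be ignored by the detector
    + ["Jul 20 10:15:20 bastion sshd[2205]: Accepted publickey for deploy from 192.0.2.4 port 50000 ssh2"]
    # pid 2210: one connection, 120 failures in 60 seconds, well inside the grace window
    + [_fail_line(i // 2, 2210, "root", "203.0.113.7", 51234) for i in range(120)]
)

if __name__ == "__main__":
    for pid, info in flag_bypass_sessions(SAMPLE_LOG).items():
        print(f"pid {pid}: {info['failures']} failures from {info['ip']} "
              f"in {info['span_seconds']:.0f}s (within grace window: {info['within_grace']})")
```

Run against real `/var/log/auth.log` (or `journalctl -u ssh -o short`) lines the same way; a hit with `within_grace` true is exactly the pattern the article describes, and the practical counter-measures are the ones the defaults hint at: lower LoginGraceTime, lower MaxAuthTries, and prefer key-based authentication so a guessed password is worthless.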
KingCope wrote: