Back to Blog

Security Notice: OpenSSH Passwords

badge-conscious-shareLast week, an independent security researcher disclosed a new OpenSSH bug that allows attackers to easily brute-force SSH passwords. Worse, this vulnerability affects OpenSSH versions going back to a version of OpenSSH from a 2007 release of the FreeBSD operating system.


This bug permits an attacker to control the amount of passwords the attacker can try before OpenSSH closes the connection. By default, OpenSSH will allow only 3 password attempts before closing the connection. Using this vulnerability, an attacker can try as many passwords as the network connection will allow, only limited by “login grace time” which by default is set to 120 seconds. On a data center quality internet connection, an attacker could test 10,000 passwords in this amount of time.

Protecting yourself

There are many mitigation actions you can take right now to protect yourself. First, disable passwords and use cryptographic key login instead.

Second, add two-factor authentication. Not only are you protecting your hosts from brute-force attacks, you are also protecting from a wide number of other attack vectors, including key theft, man-in-the-middle, and stolen credentials. This is one of the best things you can do to improve your login security.

Adding Two-Factor Authentication to your SSH server

By implementing two-factor authentication with your SSH server, you add an extra layer of complexity that protects your account against today’s common threats. Even if you already limit login attempts and use Authorized Keys, Authy two-factor authentication provides the added defense needed to stay safe. And for shared accounts like Root, you’ll have access to log information showing which users in your organization accessed the account.

The 30-second installation

Authy takes only 30 seconds to install and configure (although you can do it faster, we’ve seen it in under 10 seconds). This will quickly and dramatically improve server security. It’s just 7 steps, and you can copy and paste the commands!

You can also watch our SSH installation video.

Learn More:

Take a deeper dive into the OpenSSH hack test and vulnerability. Then try Authy. Users love how Authy has simplified two-factor authentication. We protect over 10,000 applications and over 1.7 million users from the password breaches happening every day. To join Coinbase, Cloudflare, Twitch, Dell Software and others who have adopted the Authy authentication solution, visit, or contact [email protected].

About the author Authy

Authy is simple & secure two-factor authentication, available as a free mobile or desktop app, from Twilio. To get yours, click on the download button at the top of the page.

We can text you a link to get started: