Subject: Re: security/2075
To: Elad Efrat <elad@NetBSD.org>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-security
Date: 08/14/2005 14:24:06

In message <42FF84D9.6050209@NetBSD.org>, Elad Efrat writes:
>
>4. An attacker trying to brute-force an account password (with or
> without a master.passwd), let alone the root password, is very
> uncommon; I believe the majority, if not all, of inexperienced
> attackers today will attempt to run their arsenal of exploits on a
> target system.
>
> Experienced attackers will attempt their *private* arsenal of
> exploits on a target system. :)
[gnats-bugs deleted]

This is not correct. There are exploits in the wild that try
password-guessing attacks via ssh. In fact, the attack is quite common.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb