
Re: Root password strength



Jan Krapivin <daydreamer199005@gmail.com> wrote on 19/03/2024 at 15:42:55+0100:

> I read Debian Administrator's handbook now. And there are such words: 
>
>  The root user's password should be long (12 characters or more) and
>  impossible to guess. Indeed, any computer (and a fortiori any server)
>  connected to the Internet is regularly targeted by automated
>  connection attempts with the most obvious passwords.  Sometimes it
>  may even be subject to dictionary attacks, in which many combinations
>  of words and numbers are tested as password.  Avoid using the names
>  of children or parents, dates of birth, etc.: many of your co-workers
>  might know them, and you rarely want to give them free access to the
>  computer in question.
>
> The thing is my password is very easy now, and I haven't thought about
> "automated connection attempts", that sounds rather... scary?  My
> password is easy because I am not afraid of direct physical access to
> the computer.
>
> But... if there is a serious network danger, then I should change my
> password of course. But how strong should it be? If we speak about
> network attacks...

Any machine accessible through a network connection could be more exposed
due to an overly simple user password. This is even more true for root, as
it's a well-known username (no need to guess the username) and it has
inherent full privileges in classic GNU/Linux distros.

> it should be like 32 symbols with special symbols?  Or this paragraph
> in a handbook is rather paranoid?

It's not paranoid.

> I have activated sudo now for my regular user. Can it (password of
> regular user) be less sophisticated than the root password? Because it
> would be rather difficult to enter 32 symbols every time I wake my PC
> after suspend.

Have a read of https://xkcd.com/936/

The strength of a password increases far more with its length than with
its complexity.

A phrase you will easily remember but that would be hardcore to guess
through social engineering is perfect.

If you're as weird as I am, and used to remembering 20+-character-long random
passwords with symbols yadda yadda, then it's fine, too.

Also you could invest in a security token and configure pam_u2f for
root, but it seems overkill for basic users.

-- 
PEB
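As an added illustration of the length-over-complexity point made in the reply above (this is not part of the original message or of the Debian handbook): the script below puts entropy figures on the schemes discussed in the thread and compares an online guessing rate against a live login prompt with an offline rate against a leaked hash. The word list, the guess rates and the alphabet sizes are constructed assumptions for illustration.

```python
import math
import secrets

# Constructed stand-in for a real diceware list (which has 7776 words); the
# entropy figures below use the real list size, not the size of this sample.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "debian", "kernel", "lattice", "orbit"]
DICEWARE_LIST_SIZE = 7776
PRINTABLE_ASCII = 95   # pool a fully random "letters+digits+symbols" password draws from
LOWERCASE = 26

# Assumed guess rates: a throttled network login prompt (the "automated
# connection attempts" from the handbook) versus a GPU cracker working on a
# stolen password hash with no rate limit at all.
ONLINE_RATE = 10                # guesses per second
OFFLINE_RATE = 10_000_000_000   # guesses per second
SECONDS_PER_YEAR = 31_557_600


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a uniformly random secret: `length` picks from `pool_size` options.
    Only valid for random choices; a phrase you invented yourself has less."""
    return length * math.log2(pool_size)


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to guess a uniformly random secret (half the keyspace on average)."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def passphrase(n_words: int, words=SAMPLE_WORDS) -> str:
    """Draw words with the CSPRNG; secrets.choice avoids the predictable `random` module."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def compare() -> dict:
    """Entropy in bits for the password shapes the thread argues about."""
    return {
        "8 random printable chars":    entropy_bits(PRINTABLE_ASCII, 8),
        "12 random lowercase letters": entropy_bits(LOWERCASE, 12),
        "5-word diceware passphrase":  entropy_bits(DICEWARE_LIST_SIZE, 5),
        "32 random printable chars":   entropy_bits(PRINTABLE_ASCII, 32),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        online = seconds_to_crack(bits, ONLINE_RATE) / SECONDS_PER_YEAR
        offline = seconds_to_crack(bits, OFFLINE_RATE) / SECONDS_PER_YEAR
        print(f"{name:28s} {bits:6.1f} bits  online: {online:9.3g} y  offline: {offline:9.3g} y")
    print("example passphrase:", passphrase(5))
```

The five-word passphrase beats the eight-character "complex" password while being typeable after suspend, and every row shows why the offline case, not the login prompt, is what the extra length is really buying protection against.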
