
Re: Root password strength



Jan Krapivin wrote: 
> I am reading the Debian Administrator's Handbook now, and there are these words:
> 
> The root user's password should be long (12 characters or more) and
> impossible to guess. 
...

 
> The thing is, my password is very easy now, and I haven't thought about
> *"automated connection attempts"*; that sounds rather... scary? My password
> is easy because I am not afraid of direct physical access to the computer.
> 
> But... if there is a serious network danger, then I should change my
> password, of course. But how strong should it be? If we speak about network
> attacks... should it be like 32 symbols with special symbols? Or is this
> paragraph in the handbook rather paranoid?
> 
> I have activated sudo now for my regular user. Can it (the password of the
> regular user) be less sophisticated than the root password? Because it would
> be rather difficult to enter 32 symbols every time I wake my PC after suspend.

The threats are different for:

- a laptop that travels and can be stolen
- a desktop that does not leave your residence
- a server that accepts connections from the outside world

If you have a laptop, you want to have your filesystem encrypted
(LUKS or ZFS encryption, most likely) and protected by a 12+
character password.

If you have a desktop, perhaps you feel it is at low risk. 

If you have a machine that runs the ssh daemon, you should not
use passwords at all for remote logins; you should use ssh keys.

Check whether you are running ssh:

/sbin/service ssh status

If it is active, use sudo to edit /etc/ssh/sshd_config to lock
down access. (It may be that you don't want it running at all,
too.)

-dsr-
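An added example, not part of the thread and not dsr's code, that automates the last two steps of the reply: it reports whether the ssh daemon is active and audits an sshd_config for settings that still allow password logins. The two configuration files are constructed inline for illustration; the scan takes the first occurrence of each keyword, as sshd does, and deliberately ignores Match blocks and Include directives, so treat it as a first check rather than a full parser.

```shell
#!/bin/sh
# Added example, not from the original thread: audit sshd_config for password logins.
# The two config files created below are constructed here for illustration only.

# Report whether the ssh daemon is active on a systemd host. The thread's
# '/sbin/service ssh status' is the older equivalent; the unit is named 'ssh'
# on Debian and 'sshd' on some other distributions.
ssh_is_running() {
    command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet ssh 2>/dev/null
}

# Print the effective value of keyword $2 in config file $1 (lowercased), or
# the default $3 when the keyword is absent. sshd keeps the FIRST occurrence
# of a keyword; commented lines never match because '#' is not whitespace.
sshd_option() {
    _v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf '%s\n' "$3"; fi
}

# Warn on stderr about settings that permit password logins and print the
# number of findings on stdout (0 means the file already follows the advice).
audit_sshd_config() {
    findings=0
    if [ "$(sshd_option "$1" PasswordAuthentication yes)" = yes ]; then
        echo "WARN: PasswordAuthentication is yes (the default); set it to no and use keys" >&2
        findings=$((findings + 1))
    fi
    if [ "$(sshd_option "$1" PermitRootLogin prohibit-password)" = yes ]; then
        echo "WARN: PermitRootLogin yes lets root log in with a password; use prohibit-password or no" >&2
        findings=$((findings + 1))
    fi
    if [ "$(sshd_option "$1" PubkeyAuthentication yes)" != yes ]; then
        echo "WARN: PubkeyAuthentication is disabled; key-based logins will not work" >&2
        findings=$((findings + 1))
    fi
    printf '%s\n' "$findings"
}

# Constructed sample: a lax config. The password line is commented out, so
# the default (yes) applies, and root may log in with a password.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
Port 22
#PasswordAuthentication no
PermitRootLogin yes
EOF

# Constructed sample: the locked-down form the reply recommends.
HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password
EOF
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

if ssh_is_running; then
    echo "ssh daemon is active"
else
    echo "ssh daemon not active (or not a systemd host)"
fi
echo "weak config findings: $(audit_sshd_config "$WEAK_CONF")"
echo "hardened config findings: $(audit_sshd_config "$HARD_CONF")"
# To audit the real file on a running system: audit_sshd_config /etc/ssh/sshd_config
```

After editing the real file, `sshd -t` validates the syntax before a restart, and keeping an existing session open while testing a new key login avoids locking yourself out.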

