
Re: Root password strength



Dan Ritter <dsr@randomstring.org> wrote:
> Jan Krapivin wrote: 
> > I read Debian Administrator's handbook now. And there are such
> > words:
> > 
> > The root user's password should be long (12 characters or more) and
> > impossible to guess.   
> ...
> 
>  
> > The thing is my password is very easy now, and I haven't thought
> > about *"automated connection attempts"*; that sounds rather... scary?
> > My password is easy because I am not afraid of direct physical
> > access to the computer.
> > 
> > But... if there is a serious network danger, then I should change my
> > password of course. But how strong should it be? If we speak about
> > network attacks... should it be like 32 symbols with special
> > symbols? Or is this paragraph in the handbook rather paranoid?
> > 
> > I have activated sudo now for my regular user. Can it (the password
> > of the regular user) be less sophisticated than the root password?
> > Because it would be rather difficult to enter 32 symbols every time
> > I wake my PC after suspend.
> 
> The threats are different for:
> 
> - a laptop that travels and can be stolen
> - a desktop that does not leave your residence
> - a server that accepts connections from the outside world
> 
> If you have a laptop, you want to have your filesystem encrypted
> (LUKS or ZFS encryption, most likely) and protected by a 12+
> character password.
> 
> If you have a desktop, perhaps you feel it is at low risk. 
> 
> If you have a machine that runs the ssh daemon, you should not
> use passwords at all for remote logins; you should use ssh keys.
> 
> Check whether you are running ssh:
> 
> /sbin/service ssh status

It's not called ssh; it is sshd.
Also, nowadays it's more usual to say

 $ systemctl status sshd

> If it is active, use sudo to edit /etc/ssh/sshd_config to lock
> down access. (It may be that you don't want it running at all,
> too.)
> 
> -dsr-
> 
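The "lock down access" step above is left to the reader. As an added example (my own script, not something posted in this thread or shipped with Debian), here is a small POSIX sh audit of an sshd_config that checks the three settings the advice turns on: password logins off, root password logins off, key logins on. It mirrors how sshd reads the file (first occurrence of a keyword wins, comment lines are skipped, and anything after a "Match" line is conditional, so the scan stops there). All function names are mine, and the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# the advice above implies (key-based logins only, no root password logins).
# Function names are my own; the sample configs below are constructed.

# Print the effective value of one keyword from an sshd_config file.
# sshd keeps the first occurrence of a keyword, ignores comment lines,
# and treats everything after the first "Match" line as conditional,
# so the scan stops there.  Prints nothing if the keyword is absent.
# Keywords are case-insensitive in sshd; values are returned as written.
sshd_get() {
    cfg="$1"; key="$2"
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$cfg"
}

# Print one line per weak setting found in the given sshd_config.
# Absent keywords fall back to the sshd defaults noted in each case.
sshd_setting_findings() {
    cfg="$1"
    pa=$(sshd_get "$cfg" PasswordAuthentication)
    [ "${pa:-yes}" = "yes" ] &&
        echo "PasswordAuthentication yes: password logins allowed (sshd default); set it to no"
    prl=$(sshd_get "$cfg" PermitRootLogin)
    [ "${prl:-prohibit-password}" = "yes" ] &&
        echo "PermitRootLogin yes: root may log in with a password; use prohibit-password or no"
    pk=$(sshd_get "$cfg" PubkeyAuthentication)
    [ "${pk:-yes}" = "no" ] &&
        echo "PubkeyAuthentication no: key logins disabled, so only passwords remain"
    return 0
}

# Number of findings; always exits 0 so it is safe under "set -e".
sshd_finding_count() {
    sshd_setting_findings "$1" | awk 'END { print NR }'
}

# Constructed sample: password logins left on, plus a Match block that
# only fixes one user (a first-occurrence parse correctly ignores it).
write_weak_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication no
Match User backup
    PasswordAuthentication no
EOF
}

# Constructed sample: what the advice in the thread amounts to.
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

# Stand-alone demo on the two constructed samples.
for kind in weak hardened; do
    f=$(mktemp)
    "write_${kind}_config" "$f"
    echo "== $kind sample: $(sshd_finding_count "$f") finding(s)"
    sshd_setting_findings "$f"
    rm -f "$f"
done
```

To check a live host instead of the samples, run `sshd_finding_count /etc/ssh/sshd_config` (root or sudo is needed to read it on Debian). Note that an empty or default-only file still yields one finding, because sshd's built-in default for PasswordAuthentication is yes, which is exactly why the setting has to be written down explicitly.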