
Re: Root password strength



On 19 Mar 2024 17:42 +0300, from daydreamer199005@gmail.com (Jan Krapivin):
> The thing is my password is very easy now, and I haven't thought about
> *"automated connection attempts"*, that sounds rather... scary? My
> password is easy because I am not afraid of direct physical access to
> the computer.
> 
> But... if there is a serious network danger, then I should change my
> password of course. But how strong should it be? If we speak about network
> attacks... should it be like 32 symbols with special symbols? Or is this
> paragraph in a handbook rather paranoid?
> 
> I have activated sudo now for my regular user. Can it (password of regular
> user) be less sophisticated than the root password? Because it would be rather
> difficult to enter 32 symbols every time I wake my PC after suspend.

My suggestion for a memorable password is to use a _passphrase_
instead.

I discuss my approach at [1] and to a lesser extent at [2], both of
which you may find worth your while to read through. At [1], the most
relevant section would be the one on passwords you must memorize.

A 6-7 word Diceware passphrase [3] will provide very much adequate
security unless your threat model includes a nation-state government
brute-forcing your password; which chances are it doesn't. I recommend
using the EFF's long word list [4], but any "five dice" (7776 entries)
Diceware word list will provide equivalent security when used with a
word separator. (Unless using a word list deliberately designed for
that use case, Diceware passphrases have reduced security when used
without a word separator. The EFF long word list takes this into
account and therefore doesn't strictly require word separators to
achieve the intended degree of security.)

Two examples of such passphrases are: pedometer settling stretch
endocrine elusive unpaid rented; or: valiant overtime last drab carol
landslide supper. (Naturally, please don't use either of these.) The
xkcd example [5] is: correct horse battery staple; but four words is
relatively weak.

Such a 7-word Diceware passphrase has roughly equivalent strength
(about 90 bits' worth) to a 15-character mixed-case alphanumeric
traditional password such as ieraey6Wic1Shoh, or an 18-character
single-case alphanumeric password such as gav7it7aetiengo9ei; but is
arguably much easier to remember and type.

Even a 6-word Diceware passphrase (about 77 bits' worth of security)
will virtually guarantee that the weak link in your security will not
be your account password, yet if you are a reasonably good typist can
be typed accurately in a few seconds with a bit of practice. Also,
many variations of [6] apply. Technical protective measures can only
go so far, BUT that doesn't mean that they are useless; far from it.

For most values of "you", most attackers don't care about _your_
account, or _your_ system; they care about _any_ account, or _any_
system. Actually targeted attacks do happen, but very rarely compared
to what might be thought of as attackers throwing stuff at the wall
and seeing what sticks. (There's even a term for that: Internet
background noise.)

So _even more important is probably to keep your system up to date on
software._ Install updated versions of packages promptly as they
become available in the Debian repositories. If you have any
out-of-tree packages installed, make sure to set things up so that you
get notified of updates to those. Software bugs, especially but not
exclusively in software that is exposed to the network in any way,
shape or form (this very much includes something like your web
browser), are likely a bigger risk to most people than is a halfway
decent password being brute-forced over the network.


 [1]: https://michael.kjorling.se/password-tips/
 [2]: https://michael.kjorling.se/blog/2023/forget-what-everyone-tells-you-makes-a-password-strong/
 [3]: https://www.diceware.com/
 [4]: https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases
 [5]: https://xkcd.com/936/
 [6]: https://xkcd.com/538/

-- 
Michael Kjörling                     🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
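As an added illustration of the entropy arithmetic in the message above (this is example code written for this page, not code from the original poster, the EFF or the Diceware project), assuming a "five dice" list of 6^5 = 7776 entries and a uniform choice of each word; the dice keys it produces are meant to be looked up in such a list:

```python
import math
import secrets

# A "five dice" Diceware list has one entry per possible roll of five
# six-sided dice: 6**5 = 7776 words (the EFF long list is one such list).
DICEWARE_LIST_SIZE = 6 ** 5


def roll_diceware_key(rng=secrets.randbelow):
    """Roll five dice with a CSPRNG and return the key, e.g. '31452'."""
    return "".join(str(rng(6) + 1) for _ in range(5))


def key_to_index(key):
    """Map a dice key '11111'..'66666' to a 0-based list index 0..7775.

    The key is a base-6 number whose digits run 1-6 instead of 0-5.
    """
    if len(key) != 5:
        raise ValueError("a five-dice key has exactly five digits")
    index = 0
    for ch in key:
        digit = int(ch)
        if not 1 <= digit <= 6:
            raise ValueError("dice digits must be between 1 and 6")
        index = index * 6 + (digit - 1)
    return index


def generate_keys(n_words, rng=secrets.randbelow):
    """Return n_words independent dice keys to look up in a word list."""
    return [roll_diceware_key(rng) for _ in range(n_words)]


def passphrase_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy (bits) of an n-word passphrase with separators between words."""
    return n_words * math.log2(list_size)


def password_bits(length, alphabet_size):
    """Entropy (bits) of a password of `length` uniform random characters."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest Diceware word count that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    # 7 words ~ 90.5 bits; 15 chars of [A-Za-z0-9] ~ 89.3; 18 of [a-z0-9] ~ 93.1
    print(passphrase_bits(7), password_bits(15, 62), password_bits(18, 36))
    print(generate_keys(7))
```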

