
Re: Root password strength



On Wed, Mar 20, 2024 at 12:09 PM Pierre-Elliott Bécue <peb@debian.org> wrote:
>
> John Hasler <john@sugarbit.com> wrote on 20/03/2024 at 16:58:01+0100:
>
> > Pierre-Elliott Bécue writes:
> >> A phrase you will easily remember but that would be hardcore to guess
> >> through social engineering is perfect.
> >
> > Better is a random string that you write down.  When people try to
> > generate phrases that meet those requirements they usually fail.
>
> Writing down a password is a bad idea.

I don't think that's true anymore. The threat being mitigated is the
network attacker. The network attacker cannot (yet) reach through a
monitor and read a sticky note.

It is also why it's OK for a system to generate a list of recovery
codes, and have the user print them and store them in a safe place.
The other option is those cursed security questions, which have been
insecure for about 20 years now (but developers have their arms
wrapped around them).

> Managing passwords through a password-store (eg pass, keepassxc,
> whatever tool you prefer) is a great idea, but you first need to unlock
> your disk that hopefully you encrypted and then your session. And if
> your laptop is broken, then having a root password you actually can
> remember is better.

I believe NIST now approves online password managers. But I don't
trust them given the number of data breaches.

> Let's stop overcomplexifying: the best course of action for passwords
> you need to remember is passphrases, and on this matter, Randall nailed
> it properly.

Jeff
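The passphrase-versus-random-string and recovery-code points argued over in the thread, as an added example that is not part of the original messages: it compares the entropy budget of a wordlist passphrase (Randall's comic assumes roughly a 2048-word list, giving 44 bits for four words) with that of a random character string, and generates both kinds of secret with a CSPRNG. The word list below is a small constructed sample; a real generator would use a large published list.

```python
import math
import secrets

# Constructed sample word list. Entropy per word is log2(len(list)),
# so a list this small is only for demonstrating the arithmetic.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "copper", "lantern",
    "meadow", "pencil", "rocket", "sandal", "timber", "velvet",
    "walnut", "yonder", "zephyr", "anchor",
]

# Unambiguous alphabet for printed recovery codes: no 0/O, 1/l/I confusion.
RECOVERY_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Bits of entropy in a passphrase of words drawn uniformly from the list."""
    return word_count * math.log2(wordlist_size)


def random_string_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a string of characters drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(word_count: int, wordlist=SAMPLE_WORDS) -> str:
    """Memorable secret: uniformly chosen words joined by spaces (secrets, not random)."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def generate_recovery_codes(count: int = 10, length: int = 8) -> list[str]:
    """One-time codes meant to be printed and kept offline, as the reply suggests."""
    return ["".join(secrets.choice(RECOVERY_ALPHABET) for _ in range(length))
            for _ in range(count)]


if __name__ == "__main__":
    print(f"4 words from 2048: {passphrase_entropy_bits(4, 2048):.1f} bits")
    print(f"8 printable ASCII chars: {random_string_entropy_bits(8, 95):.1f} bits")
    print(f"words for 80 bits from a 7776-word list: {words_needed(80, 7776)}")
    print("passphrase:", generate_passphrase(4))
    print("recovery codes:", generate_recovery_codes())
```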