Because they can!? Any computer connected to the web can be a victim, at random or on purpose. Attackers need access to the victim's computer, either physically or with tools. If that has happened, they install an undetectable keylogger, very simple. And it does not matter if Windows, Linux or macOS. But the user can make it hard to crack if not -> longer passwords.
Hi bellgamin, I understand your concern. If you are okay with a long password for root elevation because of the reason you stated, then by all means, go for it. All I would say, and to steal a quote from a valued member of another forum: "Stay safe, not paranoid".
Keyloggers don't care about password length. If someone wants to have a chance to fool a keylogger, a very simple keylogger whose data is not inspected manually, then I would rather have a medium-length password and manipulate it. By manipulate I mean type the end of the password, then click at the beginning and type the beginning of the password etc., or use root outside of an X11 session.
An interesting idea. I would think randomly hitting the Shift key between characters would register with the keylogger too without actually doing anything to the password you are entering.
How about if someone with a touchscreen laptop uses a virtual (on-screen) keyboard?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
As a long-time member of Wilders, I became fully convinced -- years ago -- that ANY security can be hacked. For that reason, I have long-standing provisions for dealing with that possibility. If I am ever seriously hacked, I'll have 1 or 2 days of minor annoyance, then I'll be up & running as before.
Not read? And you forgot, or do not know: Windows has a keyboard buffer; it does not matter if screen or real keyboard. The buffer was the reason to create ways to encrypt keystrokes before they land in the buffer, especially for browsers. Anyhow, that was already cracked. It does matter when a keylogger or similar trojan is right on your system; you have lost in many ways. User logon passwords are for local security, so that not every local idiot has access. But those can also be sniffed when the user is logging in. You asked about "root" passwords; that's the same kind of password as for Windows and its users and admins. There is no need to make it difficult; it's different from the passwords you use for the web.
Valuable note. On the other hand, I wrote that only simple keyloggers can be fooled that way. A quick search for X11 keyloggers shows that basic keyloggers are input-oriented: https://github.com/anko/xkbcat https://github.com/kernc/logkeys And how do Linux X11 virtual keyboards work? Do they also use a similar solution (buffer)? My general point in this thread is: if I were to worry about escalating from a regular user account to root, I would focus on keylogging and mitigations to it more than on the length of a root password. I would probably log out from the user account and log in to another GUI session to log in to the root cmd line. Or log in via SSH from another machine on the home network using a key-based method rather than a password-based one. Adres: exploring Wayland is also a possibility. I don't know in practice it is though