Root Password?

Discussion in 'all things UNIX' started by bellgamin, May 27, 2023.

  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,112
    Location:
    Hawaii
    I'm still Learning & Loving Linux (L&LL).

    Early on it became apparent that accessing many aspects of Linux require the root PassWord (PW). Lazy me -- I chose a fairly simple one. However, I have become convinced that I should switch the PW to something FAR more difficult to crack.

    Q1- Do you agree?

    If you agree, then my goal is to find a method for creating a hard-to-crack PW that is, at the same time, easy to remember. Here are my ideas so far:

    1- Use a literary passage but use phonics. Example (from Hamlet's soliloquy by Shakespeare):

    2brnot2b,thatizth3qwestyun

    2- OR use a longer literary passage --but not an easily guessed one like Shakespeare. Example (from To Kill a Mockingbird):

    Whenhewasnearly13,mybrotherJemgothisarmbadlybroken

    3- OR use something I have memorized, written backwards. Example: (from u no where)

    dlrow3thdevelosdoGroF

    Q2- Which (if any) of my 3 ideas do you think might be okay -- that is, it looks to be sufficiently secure for a non-paranoid user?

    Q3- Do you have a different method? If so, please share.
     
  2. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    12,281
    Location:
    NSW, Australia
    Is this your logon password?
     
  3. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,562
    Location:
    USA still the best. But barely.
    I say a nonsensical phrase. Like, "ducksdontgetglazeddonuts"
     
  4. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,387
    Quoting 1Password:

    The tools that attackers use to guess passwords are designed to account for all the tricks we use when we come up with passwords ourselves. When our passwords are analyzed by computers, they aren’t as random as we’d like to think they are.
    Have a look at Diceware to create a true random password (that you can still remember) by throwing dice.
     
  5. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,562
    Location:
    USA still the best. But barely.
    Like I said nonsensical phrases.
     
  6. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,112
    Location:
    Hawaii
    @Brian K -- It's for root PW. I configured Zorin not to require a log-on PW. There's only me & I'm housebound. (I'm a widower & the kids are grown.)

    @XIII & @zapjb -- Great suggestions!!! That's what I shall do. :-*:thumb::thumb: For lucky XIII -- a special thanks for the diceware link. It is both useful AND instructive.
     
  7. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,040
    Location:
    Member state of European Union
    Some distros essentially give root privileges to non-root user, so it is wise to have that one PW with similar complexity.

    Personally I don't have a strong password for root on my laptop. I don't have remote login enabled, so I don't see much value here. If you do have remote login via SSH, consider disabling the password method for the root account and replacing it with an SSH key.
    I have a strong password for LUKS (mass storage encryption) and for password managers.
     
    Last edited: May 27, 2023
  8. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,112
    Location:
    Hawaii
    I don't understand. Which Distros give root privileges to non-root users, and which do not? And how would someone know which do & which don't? And why on earth would any Distro make such a sacrifice in security?

    Finally, I am completely at sea with respect to your statement "...it is wise to have one with similar complexity." One what? One distro? Or One root password? Please elaborate a bit. :confused:
     
  9. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,040
    Location:
    Member state of European Union
    I don't do distro hopping so I can't provide a list.
    Ubuntu was doing it. You still need to re-enter the user password to do root things.
     
  10. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,040
    Location:
    Member state of European Union
    Sorry, wrong wording.
    Passwords of user accounts in the sudoers group (privilege to use sudo for any command) should have similar complexity to the root password.
     
  11. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,112
    Location:
    Hawaii
    I used the terminal to change my password. It was VERY unfriendly because terminal does not seem to respond while I type the new PW. That is, while typing the new PW, terminal merely shows a single, unmoving white block -- no asterisks and no ability to make the new PW visible as I typed.

    Of course, terminal requires me to re-type password again to verify. However, the lack of any visual support whatsoever left me unable to check EXACTLY what the terminal saw & accepted.

    RESULT: After I invisibly typed & re-typed the new PW, terminal said new PW was accepted. However, when I tried to use the new PW, it repeatedly failed. I had to jump through some hoops in order to get things squared away.

    The terminal's absence of visible help while inputting a long PW adds zero-point-zilch to security and is an invitation to a huge pain in the anatomy.
     
    Last edited: May 27, 2023
  12. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    12,281
    Location:
    NSW, Australia
    That's too complicated for me. I'm using Linux Mint. I have a logon password but I don't have to type it to logon. Auto logon.

    I'm happy with a simple logon password such as abc. So I can do...

    sudo abc
     
    Last edited: May 27, 2023
  13. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,112
    Location:
    Hawaii
    Changing a PW is very easy with other OS but Linux terminal MAKES it unnecessarily difficult.
     
  14. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,040
    Location:
    Member state of European Union
    Yeah, it is confusing to type password and not see asterisks.
    There is supposedly a way by outputting file content with cat to passwd or chpasswd, then shredding the file. Or by the echo command, but that would require preparing the terminal to not save history for space-prepended commands, to do that safely.
    If the command line is in an emulated terminal, you can probably copy-paste it from a notepad or password manager.

    I still am not convinced that most people need a long, complex password for login to a personal Linux laptop that has the SSH server disabled. Disk encryption on my computer is guarded by a different password, and the login/root passwords are mostly for the screen locker.
     
    Last edited: May 28, 2023
  15. fsehbai

    fsehbai Registered Member

    Joined:
    May 28, 2023
    Posts:
    1
    Location:
    USA
    Best is to not use passwords for root. Here's how I do it on a new system:

    Change the sshd_config file to not allow passwords for root. Edit the file /etc/ssh/sshd_config and change the line to say:
    Code:
    PermitRootLogin without-password
    In the same file, change the line with password authentication to say:
    Code:
    PasswordAuthentication no
    Now you must have created a non-root user while installing the OS. Add the blurb for that user in the same file:
    Code:
    Match User myuser
    PasswordAuthentication yes
    
    You now have two options to get to root: Use a strong password for your "myuser" account and then sudo to root, or set up keys for your root account and use those. Anyone attempting to log in to root with a password won't be allowed. Anyone trying to use a password for any other account on the system will not be allowed, and only your user will be allowed to log in using a password.
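    The post above relies on two sshd_config rules that are easy to get backwards: the first value seen for a keyword wins, and a matching Match block overrides the global section. The script below is an added example (not the poster's code, not part of OpenSSH) that applies those rules to a config file and reports what a given user would get; the function names, the constructed sample file and the user name "myuser" are assumptions.

    ```shell
    #!/bin/sh
    # Added example, not code from the thread. Reports the value sshd would apply
    # for one keyword to one user, per sshd_config(5): the first value seen for a
    # keyword wins, and a matching Match block overrides the global section. Only
    # "Match User ..." and "Match All" are evaluated; any other criterion is treated
    # as NOT matching. Authoritative check on a live host: sudo sshd -T -C user=root
    effective_sshd_setting() {
        # $1 = path to an sshd_config file, $2 = keyword, $3 = user being checked
        awk -v key="$2" -v user="$3" '
            BEGIN { active = 1; in_match = 0; global_val = ""; match_val = "" }
            NF == 0 || $1 ~ /^#/ { next }              # blank lines and comments
            tolower($1) == "match" {                   # start of a Match block
                in_match = 1; active = 1; i = 2
                while (i <= NF) {
                    crit = tolower($i)
                    if (crit == "all") { i++; continue }
                    hit = 0; n = split($(i + 1), pats, ",")
                    for (p = 1; p <= n; p++)
                        if (crit == "user" && pats[p] == user) hit = 1
                    if (!hit) active = 0               # unmet or unsupported criterion
                    i += 2
                }
                next
            }
            active && tolower($1) == tolower(key) {
                if (in_match) { if (match_val == "") match_val = $2 }
                else if (global_val == "") global_val = $2
            }
            END {
                if (match_val != "") print match_val
                else if (global_val != "") print global_val
                else print "default"
            }
        ' "$1"
    }

    # Constructed sample reproducing the three settings from the post above; the
    # path of the temp file it writes is printed so the checks can reuse it.
    demo_sshd_config() {
        cfg=$(mktemp) || return 1
        cat > "$cfg" <<'EOF'
    PermitRootLogin without-password
    PasswordAuthentication no
    Match User myuser
    PasswordAuthentication yes
    EOF
        printf '%s\n' "$cfg"
    }

    cfg=$(demo_sshd_config); effective_sshd_setting "$cfg" PasswordAuthentication myuser   # yes
    ```

    Note that current OpenSSH accepts without-password only as a deprecated alias for prohibit-password, so sshd -T will print the latter even when the file says the former.
    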
     
  16. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,886
    If you need an admin password, add yourself to the wheel group.

    On Ubuntu/Debian:

    usermod -aG sudo UserNameHere

    On RHEL/Fedora/openSUSE:

    usermod -aG wheel User-Name-Here

    In case you forgot or overlooked making yourself the admin during install.
     
  17. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,040
    Location:
    Member state of European Union
    This is only disabling login with a password via SSH - mostly remote login.
    It won't disable local login to root.
    I mean it is good advice, just not complete.
     
  18. Freki123

    Freki123 Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    337
    Atm I'm using Ubuntu and encrypted the disk during installation. The encryption password is about 18+ chars (words from two languages with a few numbers and special chars).
    The login password, which also seems to serve as the admin password, on the other hand is a lot shorter. I wouldn't want to enter 18+ chars for every software install; I'd rather do it once for the encryption.

    Disclaimer from a quite new Ubuntu user:
    Since this is my "toy around system" I've got no clue how easy it is to back up and restore encrypted partitions, and I would just reinstall it if I break it :D
     
    Last edited: May 29, 2023
  19. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,112
    Location:
    Hawaii
    @Freki123 -- That's an interesting idea. However, I wonder -- once you log in & decrypt the system disk, isn't it vulnerable during the time you are using your computer and the disk is not encrypted?

    BTW -- in all the years that I have used computers, I have never looked into the in's & out's of disk encryption. Thus, my question may not be applicable. If so, my apologies in advance.
     
  20. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    373
    Location:
    Finland
    @bellgamin
    It's "on-the-fly" encryption. On the Windows side, one of the best I've tested is Jetico.
    Do not use GOST as an encryption scheme. Use AES, because many CPUs support the so-called AES-NI features, which speed up on-the-fly encryption.
     
    Last edited: May 30, 2023
  21. Freki123

    Freki123 Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    337
    I can only tell you my view of things for doing it since I'm no Linux pro. When a person can get around the disk encryption with 18+ chars (which also seems to have a small timer if you enter it wrong) I don't think an admin password would stop him anymore. So my admin password is a fast-to-type 10+ character one (which makes updating and installing not too annoying for me).
    Afaik yes, the data is open after entering the encryption password, but you would have to get that first. And then the about 10+ char root pw. For a normal thief/visitor it wouldn't be worth the time.
    Since I don't leave my pc really unattended I can live with the data open at that time.

    Tldr: Since it's not my productive system I'd rather type a long encryption password only once instead of a long root password for every install or Firefox update (which would drive me crazy). But like I said I don't care about a backup for this setting (which may be possible but I never researched how).
     
    Last edited: May 30, 2023
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,076
    Location:
    Canada
    Then why do you want a long, complicated password for elevating to root privileges, if you are just allowing to login without a password? Sorry, but this makes no sense to me. I would suggest an easy to remember 10-12 character pw for login and something similar for elevating to root, maybe even use the same pw for both purposes. If you have important, private data stored on the drive that you wouldn't want anyone to see, then you might want to consider drive encryption. My MX-21 /home partition is encrypted, requiring a passphrase upon boot up.

    [Attached image: mx-21 drive setup.png]

    Alternatively, you could store this type of data on a separate encrypted partition or usb drive.
     
  23. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,040
    Location:
    Member state of European Union
    +1

    I use 8-10 character long passwords for those purposes.
    Yeah, somebody can just go and copy files. Thus a screen locker with a password. Brute-forcing a password by typing on a keyboard takes much more time than with direct access to the password's hash. No need for a 16+ long password in my opinion.
    A screen locker won't save you from cold boot attacks regardless of how long and complicated your passwords are.
     
  24. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,112
    Location:
    Hawaii
    Hola wat0114: My laptop stays home - always. I am old, grouchy, and heavily armed. Ergo, login PW is not needed.

    However, in the event of a cyber-intruder -- from Funafuti, China, Montreal, Mars, Uranus, or wherever -- if he sneaks in thru my internet connection, I don't want him rooting around inside my laptop's knickers. Since I will VERY rarely access that root stuff myself, a complex PW won't be a problem for me, but I do want it to be a huge problem for any cyber-intruder.
     
  25. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,040
    Location:
    Member state of European Union
    I'm still sceptical. Escalating from a regular user X11 GUI session usually isn't that hard for cyber attackers.
     