Root password strength

alienspy
Posts: 201
Joined: 2023-02-12 15:37
Has thanked: 104 times
Been thanked: 9 times

Root password strength

#1 Post by alienspy »

I am reading the Debian Administrator's Handbook now, and there are these words:
The root user's password should be long (12 characters or more) and impossible to guess. Indeed, any computer (and a fortiori any server) connected to the Internet is regularly targeted by automated connection attempts with the most obvious passwords. Sometimes it may even be subject to dictionary attacks, in which many combinations of words and numbers are tested as password. Avoid using the names of children or parents, dates of birth, etc.: many of your co-workers might know them, and you rarely want to give them free access to the computer in question.
The thing is, my password is very easy now, and I haven't thought about "automated connection attempts"; that sounds rather... scary? My password is easy because I am not afraid of direct physical access to the computer.

But... if there is a serious network danger, then I should change my password, of course. But how strong should it be? If we speak about network attacks... should it be like 32 symbols with special symbols? Or is this paragraph in the handbook rather paranoid?

I have activated sudo now for my regular user. Can it (the password of the regular user) be less sophisticated than the root password? Because it would be rather difficult to enter 32 symbols every time I wake my PC after suspend. :?

kent_dorfman766
Posts: 549
Joined: 2022-12-16 06:34
Location: socialist states of america
Has thanked: 61 times
Been thanked: 70 times

Re: Root password strength

#2 Post by kent_dorfman766 »

There is no good answer to this. If someone tells you 12 chars of gibberish is OK, then next week that will be considered insecure. Don't rely upon passwords as the keys to the castle. Lock down your overall environment with multiple layers of security: network access, managed users, disallow remote root login, etc.

And most importantly... stick to a good auditing practice. Nothing is worse than having an intrusion that goes undetected. View your router and syslog logs for suspicious activity frequently.

friendlysalmon88
Posts: 109
Joined: 2023-12-08 16:48
Location: Seattle,Wa USA
Has thanked: 6 times
Been thanked: 7 times

Re: Root password strength

#3 Post by friendlysalmon88 »

All of the best common practices are only a suggestion and nothing else. It's also recommended that you try to come as close to them as possible so that your information security can't come under fire from unwanted attack.

pbear
Posts: 501
Joined: 2023-08-27 15:05
Location: San Francisco
Has thanked: 2 times
Been thanked: 81 times

Re: Root password strength

#4 Post by pbear »

Does anyone have a link or two handy about this happening "in the wild," i.e., the real world? Shark attacks are scary also, but exceedingly rare. As in, statistically speaking, effectively indistinguishable from zero.

fabien
Forum Helper
Posts: 1146
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 100 times
Been thanked: 260 times

Re: Root password strength

#5 Post by fabien »

alienspy wrote: 2024-03-19 10:15 if there is a serious network danger, then i should change my password of course. But how strong it should be?
There are lots of articles about this, I think this one gives a good idea of the problem: About password complexity: Are we fooling ourselves?
However, I don't completely agree on the solution. If you take the proposed password example “Mywifeisallmylove” (“difficult to crack (by a computer)” and “has the advantage of being easy to remember”) it is actually difficult to crack by a computer unless the method uses combinations of words found in a dictionary. “Myw1fe1sallmyl0ve” complicates a dictionary attack, as does “Mafemmeestmonseulamour” which involves a French dictionary.
pbear wrote: 2024-04-12 02:56 Does anyone have a link or two handy about this happening "in the wild," i.e., the real world?
Not a link but open port 22 and look at your logs.
Share your Debian SCRIPTS
There will be neither barrier nor walls, neither official nor guard, there will be no more desert and the entire world will become a garden. — Anacharsis Cloots

pbear
Posts: 501
Joined: 2023-08-27 15:05
Location: San Francisco
Has thanked: 2 times
Been thanked: 81 times

Re: Root password strength

#6 Post by pbear »

fabien wrote: 2024-04-12 12:01 Not a link but open port 22 and look at your logs.
At the risk of sounding clueless, how does one do that? And I'm guessing it shows a bunch of random pings, not necessarily (or even likely) attempted intrusions.

Uptorn
Posts: 379
Joined: 2022-01-22 01:07
Has thanked: 301 times
Been thanked: 100 times

Re: Root password strength

#7 Post by Uptorn »

alienspy wrote: 2024-03-19 10:15 it should be like 32 symbols with special symbols? ... it would be rather difficult to enter 32 symbols every time i wake my PC after suspend.
fabien wrote: 2024-04-12 12:01 There are lots of articles about this, I think this one gives a good idea of the problem: About password complexity: Are we fooling ourselves?
However, I don't completely agree on the solution. If you take the proposed password example “Mywifeisallmylove” (“difficult to crack (by a computer)” and “has the advantage of being easy to remember”) it is actually difficult to crack by a computer unless the method uses combinations of words found in a dictionary. “Myw1fe1sallmyl0ve” complicates a dictionary attack, as does “Mafemmeestmonseulamour” which involves a French dictionary.
The main reason that special characters and capitalization are often suggested is to expand the pool of character entropy. A US keyboard having only the Romanized English alphabet (26 letters) and the ten numeric digits makes the pre-computation of all possible combinations for 8-character, 10-character, or 32-character passphrases and beyond easier.

I agree that expecting end users to memorize sophisticated alphanumeric passphrases is a tall order, and will often lead to lazy passwords from fatigued users. A way to overcome this (and similar to the suggestion by the above linked article) is to move the base unit comprising passphrases away from strictly alphanumeric keyboard characters and to whole words, greatly expanding the entropy pool of possible base components of a passphrase.

And avoid using structured, parsable sentences. Complete randomness is desired and so one can look to "Diceware" (using real dice, not the software "dice" they provide on that page!). One should generate passphrases of at least six words.

No fuss having to worry about special characters or cryptic alphanumeric substitutions. :D
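An added example, not code from any post in this thread, that puts numbers on the "entropy pool" point above (and on the dictionary-attack caveat in #5). It assumes the standard 7776-word Diceware list size, an assumed 20,000-word dictionary for the sentence case, and a constructed SAMPLE_WORDS list as a stand-in for a real wordlist.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5   # a Diceware list has 7776 words, one per five-dice roll

# Sizes of the keyboard-character pools discussed above (US keyboard, printable ASCII).
POOLS = {
    "alphanumeric": 62,       # a-z, A-Z, 0-9
    "printable_ascii": 95,    # alphanumeric plus the 33 printable symbols
}

# Constructed stand-in for a Diceware wordlist; the entropy figures below use the real size.
SAMPLE_WORDS = ["anvil", "birch", "cobalt", "dune", "ember", "fjord",
                "gravel", "heron", "ingot", "juniper", "kelp", "lumen"]

def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols each chosen uniformly from `pool_size` options."""
    return length * math.log2(pool_size)

def rolls_to_index(rolls) -> int:
    """Turn five physical dice rolls (each 1..6) into a 0-based index into a 7776-word list."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each between 1 and 6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index

def passphrase(n_words: int, wordlist) -> str:
    """Pick n_words with the OS CSPRNG; a stand-in for real dice, never random.choice()."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

def compare() -> dict:
    """Entropy of the options raised in the thread, assuming uniformly random choice."""
    return {
        "8 chars alphanumeric": entropy_bits(POOLS["alphanumeric"], 8),
        "12 chars printable": entropy_bits(POOLS["printable_ascii"], 12),
        "17 chars alphanumeric": entropy_bits(POOLS["alphanumeric"], 17),
        "32 chars printable": entropy_bits(POOLS["printable_ascii"], 32),
        "6 Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),
        # A sentence of common words is guessed word by word: 17 characters long,
        # but at most 4 draws from a ~20,000-word dictionary (an assumed size).
        "Mywifeisallmylove as 4 dictionary words": entropy_bits(20_000, 4),
    }

if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:42s} {bits:6.1f} bits")
    print("example passphrase:", passphrase(6, SAMPLE_WORDS))
```

Six Diceware words land close to a 12-character random printable password, while the memorable sentence is worth far less than its character count suggests, which is the whole argument for random words over structured sentences.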

wizard10000
Global Moderator
Posts: 1043
Joined: 2019-04-16 23:15
Location: southeastern us
Has thanked: 114 times
Been thanked: 176 times

Re: Root password strength

#8 Post by wizard10000 »

One thing I haven't seen asked - is this machine accessible from outside your home network? If so I'd recommend a strong-ish password. If your router is using NAT (it most likely is) and there are no ports forwarded to your machine (unlikely unless you set this up on your router) I think you can relax a little bit.

Of course, physical security is and always will be paramount.
we see things not as they are, but as we are.
-- anais nin

Bulkley
Posts: 6405
Joined: 2006-02-11 18:35
Has thanked: 5 times
Been thanked: 46 times

Re: Root password strength

#9 Post by Bulkley »

The other end of this thread is what happens if your computer/laptop/phone is lost/stolen. I suggest that you don't put anything on your computer that you aren't prepared to share with the world.

If your router/modem has security settings, set it for maximum protection. It won't cost you anything to do this.

fabien
Forum Helper
Posts: 1146
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 100 times
Been thanked: 260 times

Re: Root password strength

#10 Post by fabien »

pbear wrote: 2024-04-12 13:52
fabien wrote: 2024-04-12 12:01 Not a link but open port 22 and look at your logs.
At the risk of sounding clueless, how does one do that? And I'm guessing it shows a bunch of random pings, not necessarily (or even likely) attempted intrusions.
By "open port 22" I mean exposing your SSH server, and yes, I'm talking about intrusion attempts. There are bots that do this all the time looking for weak user/password pairs like john/john, john/1234, root/admin, admin/admin, etc. Thousands of lines in the logs.
wizard10000 wrote: 2024-04-12 15:22 If your router is using NAT (it most likely is) and there are no ports forwarded to your machine (unlikely unless you set this up on your router) I think you can relax a little bit.
My ISP didn't warn me when it enabled IPv6, though.
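An added example, not from any post in this thread, of what "look at your logs" means in practice for the noise described in #10 and #16: it parses sshd "Failed password" lines and counts guessed usernames and source addresses. The log lines are constructed (TEST-NET addresses) in the format Debian's sshd writes; on a real host feed it the output of `journalctl -u ssh` or `/var/log/auth.log`.

```python
import re
from collections import Counter

# Constructed sample of Debian-style sshd log lines (TEST-NET addresses); not real log data.
SAMPLE_LOG = """\
Apr 12 20:56:01 deb sshd[2201]: Failed password for invalid user john from 203.0.113.5 port 51234 ssh2
Apr 12 20:56:03 deb sshd[2201]: Failed password for invalid user john from 203.0.113.5 port 51236 ssh2
Apr 12 20:56:05 deb sshd[2204]: Failed password for root from 203.0.113.5 port 51240 ssh2
Apr 12 20:56:09 deb sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2
Apr 12 20:56:10 deb sshd[2210]: Failed password for root from 198.51.100.7 port 4023 ssh2
Apr 12 20:57:30 deb sshd[2250]: Accepted publickey for alice from 192.0.2.10 port 60001 ssh2
Apr 12 20:58:00 deb CRON[2300]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
"""

# "invalid user" is logged when the guessed account does not exist on the host at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_failed_logins(lines):
    """Return (user, ip, account_exists) for every failed password attempt."""
    attempts = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            attempts.append((m.group("user"), m.group("ip"), m.group("invalid") is None))
    return attempts

def summarize(attempts):
    """Count attempts per guessed username and per source address."""
    return {
        "by_user": Counter(user for user, _, _ in attempts),
        "by_ip": Counter(ip for _, ip, _ in attempts),
        # Failures against accounts that really exist deserve the closest look.
        "existing_accounts": Counter(user for user, _, exists in attempts if exists),
    }

def noisy_sources(attempts, threshold=3):
    """Addresses with at least `threshold` failures: the scanning bots described above."""
    per_ip = Counter(ip for _, ip, _ in attempts)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

if __name__ == "__main__":
    found = parse_failed_logins(SAMPLE_LOG.splitlines())
    stats = summarize(found)
    print("guessed usernames:", stats["by_user"].most_common())
    print("sources:", stats["by_ip"].most_common())
    print("sources at/over threshold:", noisy_sources(found))
```

The "existing_accounts" bucket is the one worth alerting on: guesses against root or your own login name, unlike "invalid user" noise, are attempts that a weak password would actually let through.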

sunrat
Site admin
Posts: 7320
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 130 times
Been thanked: 640 times

Re: Root password strength

#11 Post by sunrat »

Obligatory XKCD every time this topic arises. :mrgreen:
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

jpaulb
Posts: 93
Joined: 2007-12-19 17:23
Has thanked: 8 times
Been thanked: 1 time

Re: Root password strength

#12 Post by jpaulb »

There is a site called https://www.passwordmonster.com that "might" help with password strength.

pbear
Posts: 501
Joined: 2023-08-27 15:05
Location: San Francisco
Has thanked: 2 times
Been thanked: 81 times

Re: Root password strength

#13 Post by pbear »

fabien wrote: 2024-04-12 20:56 By "open port 22" I mean exposing your SSH server ...
Ah, I feel less clueless, then. Don't have one. Nothing in the thread suggests the OP does either.

Even for folks who do, my point remains. Non-zero risk is everywhere, but non-zero is not the same thing as meaningful.
If there's no evidence these theories are being exploited, y'all are pretty much wasting your time. IMHO.

alienspy
Posts: 201
Joined: 2023-02-12 15:37
Has thanked: 104 times
Been thanked: 9 times

Re: Root password strength

#14 Post by alienspy »

wizard10000 wrote: 2024-04-12 15:22 One thing I haven't seen asked - is this machine accessible from outside your home network?

The answer is no.

But I have changed my easy root password to a 17-character one (letters, numbers and special symbols). Also, I have enabled sudo and gave the sudo user a 12-character password (letters and numbers).

Both passwords are written in KeePassXC and, in a very cryptic way, on paper.

If somebody gets physical access to my desktop PC, then the situation is so bad that I don't care about the root password. I should probably make an encrypted folder if I had something serious to hide : )

BTW, can you make a self-destructive folder?


jpaulb
Posts: 93
Joined: 2007-12-19 17:23
Has thanked: 8 times
Been thanked: 1 time

Re: Root password strength

#15 Post by jpaulb »

BTW, can you make a self-destructive folder?
I tried an encryption app which wasn't quite self-destructive in the normal sense. You used a password to encrypt a file. To decrypt was like normal, enter password; BUT: if the password was wrong the file was encrypted again with that wrong password. Then to decrypt, the wrong password and the right password had to be entered in that order. If someone tried a dictionary search to unlock the file; well, good luck. There was another I tried, where the encrypted file didn't show up in the file browser at all until its password was entered. Neither of those really took off.

Hallvor
Global Moderator
Posts: 2088
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 160 times
Been thanked: 225 times

Re: Root password strength

#16 Post by Hallvor »

alienspy wrote: 2024-03-19 10:15 The thing is my password is very easy now, and i haven't thought about "automated connection attempts", that sounds rather... scary? My password is easy because i am not afraid of direct physical access to the computer.
This is mostly the case if you, for some strange reason, run an SSH server on your computer. There are many bots probing servers for weak passwords, mostly trying passwords like "root", "1234", "admin", etc., and then moving on. If that concerns you, remote SSH access can be disabled to get rid of such noise.
But... if there is a serious network danger, then i should change my password of course. But how strong it should be? If we speak about network attacks... it should be like 32 symbols with special symbols? Or this paragraph in handbook is rather paranoid?
Better safe than sorry. If there is a vulnerability in Debian, and one of the user accounts gets compromised, a strong root password is better than a weak one. I'm not downplaying that a single compromised user account alone can have serious consequences, like loss of data and further security breaches.
I have activated sudo now for my regular user. Can it (password of regular user) be less sophisticated than root password? Because it would be rather difficult to enter 32 symbols every time i wake my PC after suspend. :?
If your user account gets hacked, the attacker de facto has root, then.
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD

wizard10000
Global Moderator
Posts: 1043
Joined: 2019-04-16 23:15
Location: southeastern us
Has thanked: 114 times
Been thanked: 176 times

Re: Root password strength

#17 Post by wizard10000 »

fabien wrote: 2024-04-12 20:56 ...My ISP didn't warn when it enabled IPv6 though.
I guess one could disable IPv6 on the machine - at least that's what I do. It's also disabled on my ISP-provided router but I disable it on workstations just in case my ISP changes its mind :mrgreen:

alienspy
Posts: 201
Joined: 2023-02-12 15:37
Has thanked: 104 times
Been thanked: 9 times

Re: Root password strength

#18 Post by alienspy »

wizard10000 wrote: 2024-04-13 16:36
fabien wrote: 2024-04-12 20:56 ...My ISP didn't warn when it enabled IPv6 though.
I guess one could disable IPv6 on the machine - at least that's what I do.
Why? What are the downsides? My ISP doesn't have IPv6 and I thought it was a bad thing because, as I read, all of the modern internet uses IPv6.

wizard10000
Global Moderator
Posts: 1043
Joined: 2019-04-16 23:15
Location: southeastern us
Has thanked: 114 times
Been thanked: 176 times

Re: Root password strength

#19 Post by wizard10000 »

alienspy wrote: 2024-04-13 17:18 Why? What are the downsides? My ISP doesn't have IPv6 and I thought it was a bad thing because, as I read, all of the modern internet uses IPv6.
There is no accepted standard for network address translation in IPv6 so your IPv6 address is a public address and can be reached from just about anywhere on the internet; those bots can hit your IPv6 address from outside your network.

The modern internet does use IPv6 but doesn't use it exclusively. I'm not sure any public websites have switched to IPv6 only.

alienspy
Posts: 201
Joined: 2023-02-12 15:37
Has thanked: 104 times
Been thanked: 9 times

Re: Root password strength

#20 Post by alienspy »

wizard10000 wrote: 2024-04-13 17:35 Modern internet does use IPv6 but doesn't use it exclusively. I'm not sure any public websites have switched to IPv6 only.
Any downsides of not using IPv6? Aren't they going to completely switch to IPv6?
