Root password strength

New to Debian (Or Linux in general)? Ask your questions here!
Message
Author
User avatar
alienspy
Posts: 159
Joined: 2023-02-12 15:37
Has thanked: 97 times
Been thanked: 5 times

Root password strength

#1 Post by alienspy »

I read Debian Administrator's handbook now. And there are such words:
The root user's password should be long (12 characters or more) and impossible to guess. Indeed, any computer (and a fortiori any server) connected to the Internet is regularly targeted by automated connection attempts with the most obvious passwords. Sometimes it may even be subject to dictionary attacks, in which many combinations of words and numbers are tested as password. Avoid using the names of children or parents, dates of birth, etc.: many of your co-workers might know them, and you rarely want to give them free access to the computer in question.
The thing is my password is very easy now, and I haven't thought about "automated connection attempts"; that sounds rather... scary? My password is easy because I am not afraid of direct physical access to the computer.

But... if there is a serious network danger, then I should change my password of course. But how strong should it be? If we speak about network attacks... should it be like 32 symbols with special symbols? Or is this paragraph in the handbook rather paranoid?

I have activated sudo now for my regular user. Can it (the password of the regular user) be less sophisticated than the root password? Because it would be rather difficult to enter 32 symbols every time I wake my PC after suspend. :?

User avatar
kent_dorfman766
Posts: 540
Joined: 2022-12-16 06:34
Location: socialist states of america
Has thanked: 59 times
Been thanked: 70 times

Re: Root password strength

#2 Post by kent_dorfman766 »

There is no good answer to this. If someone tells you 12 chars of gibberish is OK, then next week that will be considered insecure. Don't rely upon passwords as the keys to the castle. Lock down your overall environment with multiple layers of security: network access, managed users, disallow remote root login, etc.

And most importantly... stick to a good auditing practice. Nothing is worse than having an intrusion that goes undetected. View your router and syslog logs for suspicious activity frequently.

friendlysalmon88
Posts: 50
Joined: 2023-12-08 16:48
Location: Seattle,Wa USA
Has thanked: 3 times
Been thanked: 3 times

Re: Root password strength

#3 Post by friendlysalmon88 »

All of the best common practices are only a suggestion and nothing else. It's also recommended that you try to come as close to them as possible so that your information security can't come under fire from unwanted attack.

User avatar
pbear
Posts: 329
Joined: 2023-08-27 15:05
Location: San Francisco
Has thanked: 1 time
Been thanked: 57 times

Re: Root password strength

#4 Post by pbear »

Does anyone have a link or two handy about this happening "in the wild," i.e., the real world? Shark attacks are scary also, but exceedingly rare. As in, statistically speaking, effectively indistinguishable from zero.

User avatar
fabien
Forum Helper
Forum Helper
Posts: 688
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 62 times
Been thanked: 161 times

Re: Root password strength

#5 Post by fabien »

alienspy wrote: 2024-03-19 10:15 if there is a serious network danger, then i should change my password of course. But how strong it should be?
There are lots of articles about this, I think this one gives a good idea of the problem: About password complexity: Are we fooling ourselves?
However, I don't completely agree on the solution. If you take the proposed password example “Mywifeisallmylove” (“difficult to crack (by a computer)” and “has the advantage of being easy to remember”) it is actually difficult to crack by a computer unless the method uses combinations of words found in a dictionary. “Myw1fe1sallmyl0ve” complicates dictionary attack, as does “Mafemmeestmonseulamour” which involves a French dictionary.
pbear wrote: 2024-04-12 02:56 Does anyone have a link or two handy about this happening "in the wild," i.e., the real world?
Not a link but open port 22 and look at your logs.

User avatar
pbear
Posts: 329
Joined: 2023-08-27 15:05
Location: San Francisco
Has thanked: 1 time
Been thanked: 57 times

Re: Root password strength

#6 Post by pbear »

fabien wrote: 2024-04-12 12:01 Not a link but open port 22 and look at your logs.
At the risk of sounding clueless, how does one do that? And I'm guessing it shows a bunch of random pings, not necessarily (or even likely) attempted intrusions.

User avatar
Uptorn
Posts: 244
Joined: 2022-01-22 01:07
Has thanked: 210 times
Been thanked: 56 times

Re: Root password strength

#7 Post by Uptorn »

alienspy wrote: 2024-03-19 10:15 it should be like 32 symbols with special symbols? ... it would be rather difficult to enter 32 symbols every time i wake my PC after suspend.
fabien wrote: 2024-04-12 12:01 There are lots of articles about this, I think this one gives a good idea of the problem: About password complexity: Are we fooling ourselves?
However, I don't completely agree on the solution. If you take the proposed password example “Mywifeisallmylove” (“difficult to crack (by a computer)” and “has the advantage of being easy to remember”) it is actually difficult to crack by a computer unless the method uses combinations of words found in a dictionary. “Myw1fe1sallmyl0ve” complicates dictionary attack, as does “Mafemmeestmonseulamour” which involves a French dictionary.
The main reason that special characters and capitalization are often suggested is to expand the pool of character entropy. A US keyboard having only the Romanized English alphabet (26 letters) and the ten numeric digits makes it easier to pre-compute all possible combinations for 8-character, or 10-character, or 32-character passphrases and beyond.

I agree that expecting end users to memorize sophisticated alphanumeric passphrases is a tall order, and will often lead to lazy passwords from fatigued users. A way to overcome this (and similar to the suggestion by the above linked article) is to move the base unit comprising passphrases away from strictly alphanumeric keyboard characters and to whole words, greatly expanding the entropy pool of possible base components of a passphrase.

And avoid using structured, parsable sentences. Complete randomness is desired and so one can look to "Diceware" (using real dice, not the software "dice" they provide on that page!). One should generate passphrases of at least six words.

No fuss having to worry about special characters or cryptic alphanumeric substitutions. :D
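An added example, not from the thread: the entropy arithmetic behind the post above, comparing the character-pool schemes discussed (36-symbol and 95-symbol alphabets) with a six-word Diceware passphrase, plus the five-dice lookup that a Diceware list uses. The word list here is a constructed four-entry toy; a real list has one entry for every roll from 11111 to 66666.

```python
import math
import secrets

# Diceware selects each word with five dice, so a full list has 6**5 entries.
DICEWARE_LIST_SIZE = 6 ** 5  # 7776

# Constructed toy fragment of a word list keyed by the five-dice roll.
# A real list maps every key "11111".."66666"; only four entries are embedded.
TOY_WORDLIST = {"11111": "apple", "35346": "kernel",
                "62214": "lantern", "66666": "zebra"}


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from `pool_size` choices."""
    return length * math.log2(pool_size)


def roll_to_key(rolls) -> str:
    """Turn five dice values (each 1..6) into the lookup key of a Diceware list."""
    if len(rolls) != 5 or any(not 1 <= r <= 6 for r in rolls):
        raise ValueError("need exactly five dice values in 1..6")
    return "".join(str(r) for r in rolls)


def roll_dice(n: int = 5):
    """Simulate dice with the OS CSPRNG; the post prefers physical dice."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def passphrase(rolls_per_word, wordlist=TOY_WORDLIST) -> str:
    """Look up one word per five-dice roll and join the words with spaces."""
    return " ".join(wordlist[roll_to_key(r)] for r in rolls_per_word)


def comparison():
    """Entropy, in bits, of the schemes discussed in the thread."""
    return {
        "8 chars, letters+digits": entropy_bits(36, 8),
        "12 chars, printable ASCII": entropy_bits(95, 12),
        "32 chars, printable ASCII": entropy_bits(95, 32),
        "6 Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),
    }
```

Six Diceware words land at roughly 77.5 bits, about the same as 12 random printable characters, which is why the six-word minimum and the handbook's "12 characters or more" end up in the same place.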

User avatar
wizard10000
Global Moderator
Global Moderator
Posts: 628
Joined: 2019-04-16 23:15
Location: southeastern us
Has thanked: 84 times
Been thanked: 98 times

Re: Root password strength

#8 Post by wizard10000 »

One thing I haven't seen asked - is this machine accessible from outside your home network? If so I'd recommend a strong-ish password. If your router is using NAT (it most likely is) and there are no ports forwarded to your machine (unlikely unless you set this up on your router) I think you can relax a little bit.

Of course, physical security is and always will be paramount.
we see things not as they are, but as we are.
-- anais nin

Bulkley
Posts: 6388
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 41 times

Re: Root password strength

#9 Post by Bulkley »

The other end of this thread is what happens if your computer/laptop/phone is lost/stolen. I suggest that you don't put anything on your computer that you aren't prepared to share with the world.

If your router/modem has security settings set it for maximum protection. It won't cost you anything to do this.

User avatar
fabien
Forum Helper
Forum Helper
Posts: 688
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 62 times
Been thanked: 161 times

Re: Root password strength

#10 Post by fabien »

pbear wrote: 2024-04-12 13:52
fabien wrote: 2024-04-12 12:01 Not a link but open port 22 and look at your logs.
At the risk of sounding clueless, how does one do that? And I'm guessing it shows a bunch of random pings, not necessarily (or even likely) attempted intrusions.
By "open port 22" I mean exposing your SSH server, and yes, I'm talking about intrusion attempts. There are bots that do this all the time looking for weak user/password pairs like john/john, john/1234, root/admin, admin/admin, etc. Thousands of lines in the logs.
wizard10000 wrote: 2024-04-12 15:22 If your router is using NAT (it most likely is) and there are no ports forwarded to your machine (unlikely unless you set this up on your router) I think you can relax a little bit.
My ISP didn't warn me when it enabled IPv6 though.
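An added example, not from the thread, of what "look at your logs" amounts to: a small summariser for the `Failed password` lines sshd writes to /var/log/auth.log (or `journalctl -u ssh`), counting attempts per source address and per tried username. The log lines are constructed for the demo and use documentation addresses.

```python
import re
from collections import Counter

# Constructed sample of sshd log lines; 203.0.113.0/24 and 192.0.2.0/24 are
# documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Apr 12 12:01:03 box sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Apr 12 12:01:05 box sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Apr 12 12:01:09 box sshd[2314]: Failed password for root from 203.0.113.5 port 41030 ssh2
Apr 12 12:02:41 box sshd[2320]: Failed password for invalid user john from 203.0.113.77 port 50214 ssh2
Apr 12 12:03:00 box sshd[2325]: Accepted publickey for alice from 192.0.2.10 port 52110 ssh2
Apr 12 12:03:15 box sshd[2330]: Failed password for root from 203.0.113.77 port 50220 ssh2
"""

# "invalid user" appears when the account does not exist; "root" has no such prefix.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def summarize_failed_logins(log_text: str):
    """Count failed password attempts per source address and per username."""
    by_source, by_user = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        by_source[m["src"]] += 1
        by_user[m["user"]] += 1
    return by_source, by_user


def noisy_sources(by_source, threshold: int = 2):
    """Addresses with at least `threshold` failures, busiest first."""
    return [src for src, n in by_source.most_common() if n >= threshold]


if __name__ == "__main__":
    sources, users = summarize_failed_logins(SAMPLE_AUTH_LOG)
    print("failures per source:", dict(sources))
    print("usernames tried:", dict(users))
    print("noisy sources:", noisy_sources(sources))
```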

User avatar
sunrat
Administrator
Administrator
Posts: 6511
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 119 times
Been thanked: 489 times

Re: Root password strength

#11 Post by sunrat »

Obligatory XKCD every time this topic arises. :mrgreen:
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

jpaulb
Posts: 86
Joined: 2007-12-19 17:23
Has thanked: 6 times
Been thanked: 1 time

Re: Root password strength

#12 Post by jpaulb »

There is a site called https://www.passwordmonster.com that "might" help with password strength.

User avatar
pbear
Posts: 329
Joined: 2023-08-27 15:05
Location: San Francisco
Has thanked: 1 time
Been thanked: 57 times

Re: Root password strength

#13 Post by pbear »

fabien wrote: 2024-04-12 20:56 By "open port 22" I mean exposing your SSH server ...
Ah, I feel less clueless, then. Don't have one. Nothing in the thread suggests the OP does either.

Even for folks who do, my point remains. Non-zero risk is everywhere, but non-zero is not the same thing as meaningful.
If there's no evidence these theories are being exploited, y'all are pretty much wasting your time. IMHO.

User avatar
alienspy
Posts: 159
Joined: 2023-02-12 15:37
Has thanked: 97 times
Been thanked: 5 times

Re: Root password strength

#14 Post by alienspy »

wizard10000 wrote: 2024-04-12 15:22 One thing I haven't seen asked - is this machine accessible from outside your home network?

The answer is no.

But I have changed my easy root password to a 17-character password (letters, numbers and special symbols). Also I have enabled sudo and gave the sudo user a 12-character password (letters and numbers).

Both passwords are written in KeePassXC and, in a very cryptic way, on paper.

If somebody gets physical access to my desktop PC, then the situation is so bad that I don't care about the root password. Probably I should make an encrypted folder if I had something serious to hide : )

BTW, can you make a self-destructive folder?


jpaulb
Posts: 86
Joined: 2007-12-19 17:23
Has thanked: 6 times
Been thanked: 1 time

Re: Root password strength

#15 Post by jpaulb »

BTW, can you make a self-destructive folder?
I tried an encryption app which wasn't quite self-destructive in the normal sense. You used a password to encrypt a file. To decrypt was like normal, enter password; BUT: if the password was wrong the file was encrypted again with that wrong password. Then to decrypt, the wrong password and the right password had to be entered in that order. If someone tried a dictionary search to unlock the file; well, good luck. There was another I tried, where the encrypted file didn't show up in the file browser at all until its password was entered. Neither of those really took off.

User avatar
Hallvor
Global Moderator
Global Moderator
Posts: 2044
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 151 times
Been thanked: 212 times

Re: Root password strength

#16 Post by Hallvor »

alienspy wrote: 2024-03-19 10:15 The thing is my password is very easy now, and I haven't thought about "automated connection attempts"; that sounds rather... scary? My password is easy because I am not afraid of direct physical access to the computer.
This is mostly the case if you for some strange reason run an SSH server on your computer. There are many bots probing servers for weak passwords, mostly trying passwords like "root", "1234", "admin", etc., and then moving on. If that concerns you, remote SSH access can be disabled to get rid of such noise.
But... if there is a serious network danger, then I should change my password of course. But how strong should it be? If we speak about network attacks... should it be like 32 symbols with special symbols? Or is this paragraph in the handbook rather paranoid?
Better safe than sorry. If there is a vulnerability in Debian, and one of the user accounts gets compromised, a strong root password is better than a weak one. I'm not downplaying that a single compromised user account alone can have serious consequences, like loss of data and further security breaches.
I have activated sudo now for my regular user. Can it (the password of the regular user) be less sophisticated than the root password? Because it would be rather difficult to enter 32 symbols every time I wake my PC after suspend. :?
If your user account gets hacked, the attacker de facto has root, then.
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD

User avatar
wizard10000
Global Moderator
Global Moderator
Posts: 628
Joined: 2019-04-16 23:15
Location: southeastern us
Has thanked: 84 times
Been thanked: 98 times

Re: Root password strength

#17 Post by wizard10000 »

fabien wrote: 2024-04-12 20:56 ...My ISP didn't warn me when it enabled IPv6 though.
I guess one could disable IPv6 on the machine - at least that's what I do. It's also disabled on my ISP-provided router but I disable it on workstations just in case my ISP changes its mind :mrgreen:
we see things not as they are, but as we are.
-- anais nin

User avatar
alienspy
Posts: 159
Joined: 2023-02-12 15:37
Has thanked: 97 times
Been thanked: 5 times

Re: Root password strength

#18 Post by alienspy »

wizard10000 wrote: 2024-04-13 16:36
fabien wrote: 2024-04-12 20:56 ...My ISP didn't warn me when it enabled IPv6 though.
I guess one could disable IPv6 on the machine - at least that's what I do.
Why? What are the downsides? My ISP doesn't have IPv6 and I thought that was a bad thing because, as I read, all of the modern internet uses IPv6.

User avatar
wizard10000
Global Moderator
Global Moderator
Posts: 628
Joined: 2019-04-16 23:15
Location: southeastern us
Has thanked: 84 times
Been thanked: 98 times

Re: Root password strength

#19 Post by wizard10000 »

alienspy wrote: 2024-04-13 17:18 Why? What are the downsides? My ISP doesn't have IPv6 and I thought that was a bad thing because, as I read, all of the modern internet uses IPv6.
There is no accepted standard for network address translation in IPv6 so your IPv6 address is a public address and can be reached from just about anywhere on the internet; those bots can hit your IPv6 address from outside your network.

The modern internet does use IPv6 but doesn't use it exclusively. I'm not sure any public websites have switched to IPv6 only.
we see things not as they are, but as we are.
-- anais nin

User avatar
alienspy
Posts: 159
Joined: 2023-02-12 15:37
Has thanked: 97 times
Been thanked: 5 times

Re: Root password strength

#20 Post by alienspy »

wizard10000 wrote: 2024-04-13 17:35 The modern internet does use IPv6 but doesn't use it exclusively. I'm not sure any public websites have switched to IPv6 only.
Any downsides of not using IPv6? Aren't they going to switch completely to IPv6?
