On 20.03.2024 20:28, Jan Krapivin wrote:
> I must mention that "32 characters" is only my guess.
>
> In the Handbook it is said: "The root user's password should be long (12 characters or more) and impossible to guess."
>
> Also, I must again say that in my case we speak just about a humble home desktop, without "ssh access" or whatever complicated.
>
> Thank you for your answers and tips. I will make a very strong password for root and a strong one for a user in the sudo group.
This conclusion seems less than optimal to me.
Condemning yourself to type a 12+ character password every time you 'sudo' would really hurt the accessibility and usability of your home computer, and for no good reason.

If we focus solely on your use case, the login security of a PC at home without remote access, then the password of your sudo user could be as short and simple as four digits, of course unrelated to your date of birth, phone number, or any other easily guessable sequence of numbers like '1234'. And to prevent guessing the password by "bruteforce" you will need to restrict the number of allowed login attempts. This can be done by enabling and configuring a PAM module (man pam_faillock). If configured correctly, after a few failed login attempts the user will be locked out for a configured amount of time and will be unlocked automatically once that time passes.

Also think about this scenario: a visitor or relative gets physical access to your PC and is able to type on the keyboard, reboot it, access the USB ports, etc. If a perpetrator can do all that, long passwords won't save you, because it is easy to reset passwords or add a new sudo user without knowing any passwords. This can be done by simply booting a live OS from a USB drive and 'chroot'-ing into the filesystem of your OS.

To defend against this scenario you need an encrypted filesystem with a strong password, and you should never leave your PC with a logged-in session. A logged-in user session can be used by hackers, in theory and in practice, to exploit a known (unpatched) or an unknown (0-day) vulnerability and escalate user privileges.
Of course, these hackers have to come into your house first. :)


--
With kindest regards, Alexander.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀⠀⠀⠀
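As an added illustration of the lockout Alexander describes (this is not from the thread, and the numbers are example values chosen here, not a recommendation from the list), pam_faillock reads its settings from /etc/security/faillock.conf on current Linux-PAM releases; the option names below are the ones documented in man faillock.conf:

```ini
# /etc/security/faillock.conf (added example, not from the mailing-list thread)
# Temporarily lock a local account after repeated failed logins.

# Number of consecutive failures before the account is locked.
deny = 5

# Failures only count if they happen within this many seconds of each
# other (15 minutes); a single typo every morning never adds up to a lock.
fail_interval = 900

# How long the lock lasts, in seconds (10 minutes). The account unlocks
# by itself afterwards; no administrator action is needed.
unlock_time = 600

# root is not locked by default. Leave even_deny_root commented out so a
# mistake in this file cannot lock you out of your own machine.
# even_deny_root
# root_unlock_time = 600

# Directory where the per-user failure tallies are kept (the default).
dir = /var/run/faillock
```

The file alone does nothing: pam_faillock.so still has to be placed in the auth stack (on Debian that is /etc/pam.d/common-auth), and man pam_faillock shows the preauth/authfail ordering to use. Once active, `faillock --user NAME` shows the recorded failures for an account and `faillock --user NAME --reset` clears them, which is the check to run when a family member reports being locked out.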
