52
  • SSH Server: I only allow public-key authentication.

  • Malicious Software: If it's running as my user it has access to my data and an internet connection, it's bad enough already. Yes, su access would make it worse, but the issue here is not password strength but having trusted a malicious application.

  • Physical Access: su access is irrelevant at this point, the attacker has physical access to my hard drive, so they can do as they wish.

So, in what scenario does having a strong password that is error-prone to type help me?

  • 9
    Any FDE scenario? In that case physical access is not enough to obtain the data from the drive... obviously depending on the situation one could install a hardware keylogger, but nothing prevents you from disassembling your PC every time before booting it to check for this.
    – Bakuriu
    Commented Jan 29, 2017 at 22:01
  • 7
    As somebody said, security is like an onion. You need many layers.
    – Wtower
    Commented Jan 30, 2017 at 10:09
  • 1
    You can also disable root logins completely and use ssh with public key authentication.
    Commented Jan 30, 2017 at 10:11
  • 16
    @Wtower I prefer to think of security as being like an ogre. You still get the layers, but now it's mean and green.
    – JAB
    Commented Jan 30, 2017 at 19:15
  • 2
    @Wtower onions don't need many layers, they just happen to have many layers. If they were like a potato, it would also be fine. I'd rather it was something like security is like a lasagne, you need many layers to make it good, and you can't make it at all out of one layer. /off-topic
    Commented Jan 31, 2017 at 8:23

6 Answers

63

You seem to have a pretty clear understanding of the risks. As others have stated, it is highly encouraged to use a strong password, so if you are running a sensitive service, then by all means, please use strong passwords only.

When using a weak password, there are a couple of risks that come to mind which you did not mention:

  1. There may be other services besides SSH (e.g. FTP or others) that are still accepting password-based authentication. It's quite possible that one of those services will be accidentally enabled some time in the future, or a sysadmin may temporarily enable password-based authentication on SSH.

  2. There is an important point you did not mention in regards to malicious applications. In the event of an intrusion to a non-root account, it is extremely important to prevent upgrade to root access. If the root password is weak then you may very well have an open vulnerability there via brute force. Also, supposing there is some other account that has sudo permission, these need strong passwords also.

Do not dismiss the importance of preventing malicious applications from being able to gain root access; and beware of the risk of changes in your configuration. Also there is a strong possibility that you and I do not know the same attack vectors that your adversary does.

You may be able to increase the length of the password to compensate for decreased complexity, thereby making it easier to type. As a touch typist, I have a hard time relating to your problem though.

  • 13
    Great answer, but it might be nice to go into more detail about why it's so important to prevent escalation to root. The big reason that comes to mind is forensics: if the attacker only gets user, you have log integrity and can determine what happened, how to prevent it from happening again, and possibly even recover data safely. Most importantly you have a way to know you were compromised. If the attacker gets root, that all goes out the window.
    Commented Jan 29, 2017 at 20:49
  • 5
    Thanks for the comment. Ideally we'd have a separate question (with thorough answers) to explain why protecting root is important. Then I could link to it. :-)
    Commented Jan 29, 2017 at 21:45
  • Brute-forcing a password on a live system can be subject to throttling, right?
    Commented Jan 30, 2017 at 6:11
  • 1
    @R It's the difference between one user getting compromised, and every user on the system. But, even on a system with one user, and no network services, protecting root makes recovery easier: if root access was successfully protected from an attack, the user's data must be restored from backup, but the OS itself will be intact.
    – jpaugh
    Commented Jan 30, 2017 at 21:56
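A check for the first risk in the answer above, written as an added example (my code, not the answerer's): it reads sshd_config the way sshd does, first value wins and Match blocks override for the connections they match, and reports any setting that still lets a password be tried over the network. The sample config is constructed; the defaults table is OpenSSH's documented defaults for absent keywords.

```python
import re

# Constructed sample (not from the page): key-only defaults plus a Match block in which
# password logins were "temporarily" re-enabled for one group, the drift the answer warns about.
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no

Match Group deploy
    PasswordAuthentication yes
"""

# OpenSSH defaults when a keyword is absent; a "yes" in any of these lets a password be tried.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",  # the default since OpenSSH 7.0
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}  # legacy name

def parse_sshd_config(text):
    """Return ({keyword: value}, [(match_criteria, {keyword: value}), ...]).
    sshd keeps the first value it obtains for a keyword (hence setdefault); each Match block
    collects its own overrides for the connections it matches."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
        elif current is not None:
            current.setdefault(key, value)
        else:
            global_opts.setdefault(key, value)
    return global_opts, blocks

def audit_password_auth(text):
    """List every setting, global or inside a Match block, that allows password logins."""
    global_opts, blocks = parse_sshd_config(text)
    effective = {**DEFAULTS, **global_opts}
    findings = [f"global: {k} = {effective[k]}" for k in DEFAULTS if effective[k].lower() == "yes"]
    for criteria, opts in blocks:
        findings += [f"Match {criteria}: {k} = yes" for k in DEFAULTS if opts.get(k, "").lower() == "yes"]
    return findings
```

On a live host, feed it the output of `sshd -T` (with `-C` to evaluate a particular user or address), which prints the effective configuration after defaults and includes are resolved.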
13

You do not need a strong password.

The advice about passwords, like so many others, is a safe default that we security professionals give because it is usually good advice, many people (and companies) don't understand risk very well, and in case of doubt, err on the side of caution.

If you not only understand, but already mitigated the risks, you are good. I myself use a three-character password on my home machine, for the same reason: The main threat to defend against is that a cat walks over the keyboard, unlocks the machine and somehow steps on the "delete everything" key combination.

There are many other scenarios in which you do want a strong password. In fact, in the majority of cases you do. That is why having a strong password is usually good advice. But anyone telling you that you always, no matter the threat model, must have a strong password doesn't understand security.

  • I agree, the question was not clear in what the scenario was. Some of this can be deduced from the examples offered but still remains open in scope. A password is intended to protect from possible threats. If the threats are weak a password can be weaker. However, many people erroneously think that if the threats are rare or unlikely the password may be weak; this is just wishful thinking if you are hoping for security. As Tom writes, use a strong password if you are not sure the attack will be weak (cat walk).
    – KalleMP
    Commented Jan 30, 2017 at 9:28
  • 13
    That password wouldn't happen to be Tom, would it? If it is, I strongly suggest changing it to moT for increased security against the cat walking backwards over the keyboard.
    – user
    Commented Jan 30, 2017 at 10:31
  • 11
    To protect the system from the cat, and keep it to 3 letters, change it to Dog. No self-respecting cat would ever type that, even accidentally. Seriously, the risk level, and the damage potential, control the type of password I use. Home computer has no user pass, 3-char root pass. Most online accounts only 8-char. Business stuff at 15 and financial at 23. (Odd numbers intentionally since everyone thinks in 2's and powers of 2.) If, somehow, someone compromises my PC the worst that can happen is I have to reinstall everything, not so banal if they get into my bank account!
    – user135823
    Commented Jan 30, 2017 at 12:23
  • 3
    Although I think George Bailey's answer is better, I greatly appreciate the anti-dogma. After all this is InfoSec SE, not an article in the WSJ. +1
    Commented Jan 30, 2017 at 17:00
7

On the one hand, the fact is that you don't know. A strong password is defense in depth. Say that you (or someone else) installs an additional service that also uses Unix authentication; for example FTP, forgetting that there's not a secure password policy and forgetting to disable local users that are not needed. Now you have a vulnerability.

On the other hand, it's easier to state "you need a strong password" than to state all the conditions where a strong password is not needed. When you know what you are doing, and do it correctly, possibly you can set things up so that you don't even need a login password anymore. At that point you also have the means of taking "You need a strong password" for what it's worth.

6

I think the question should be "Why NOT use a strong password".

In my opinion, a strong password is the foundation of any secure system. You mentioned some safeguards, but you forgot some other attack vectors: for example, if your server is a web server and you get compromised by a code-execution attack, the attacker would have access just to the www-data user, but if you have weak root passwords, the attacker can easily escalate privileges. Or for example, if the FTP software you use has a vulnerability and someone exploits it, they will be able to get root easily.

Attacks are not only from "malicious software": a simple unpatched Apache can compromise your system.

Keep in mind that you can have strong passwords that are easy to remember. Think about your preferred phrase, modify with few numbers and special characters and that's already more than enough. Example: take the phrase "i love cinnamon rolls from tesco stores" and you can get a strong password: "1lovecinnamon!!!rolls!!!fromtescostores!!"

  • 5
    Mandatory quote: xkcd.com/936 :-)
    – LSerni
    Commented Jan 29, 2017 at 19:23
  • @Tom - having at least some non-dictionary content is a good idea though, as many cracking attempts would try dictionary words and leet-speak over random words.
    Commented Jan 30, 2017 at 11:43
  • It's irrelevant - the thing that's important is password entropy. The number of characters you use to get there isn't particularly significant unless you've a limit.
    – Sobrique
    Commented Jan 30, 2017 at 13:03
  • @Sobrique of course length gives you an upper bound for entropy so it's somewhat relevant. But it certainly doesn't give a lower bound, so length is not enough. That is, length is necessary and non-sufficient for a secure password
    – Cruncher
    Commented Jan 30, 2017 at 15:18
  • @James - you can use a dictionary as long as you have enough words. 20,000 is the active vocabulary of a typical (not especially educated) native speaker. Even just 5 words from that selection gives you a brute-force complexity of 10^21 - much, much better than even the most optimistic complexity of an 8-character-special-characters-blablabla password.
    – Tom
    Commented Jan 30, 2017 at 20:04
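To put numbers on the entropy argument in the comments above, here is an added example (my code, not the answerer's or the commenters'). It compares the character-class upper bound for the answer's sample password with what a phrase of dictionary words is actually worth, and reproduces Tom's 5-words-from-20,000 figure; the word list is a constructed stand-in and 33 is the count of printable ASCII punctuation characters.

```python
import math
import secrets

# Constructed stand-in (not from the page) for a real word list. The entropy figures take the
# dictionary size as a parameter, so the tiny sample only matters for generate_passphrase().
SAMPLE_WORDS = ["cinnamon", "roll", "tesco", "store", "onion", "ogre", "lasagne", "cat", "keyboard", "ssh"]
PUNCTUATION = 33  # printable ASCII characters that are neither letters nor digits (95 - 62)

def word_keyspace(num_words, dictionary_size):
    """Distinct passphrases of num_words words drawn uniformly from dictionary_size words."""
    return dictionary_size ** num_words

def char_keyspace(length, alphabet_size):
    """Distinct strings of the given length over an alphabet of alphabet_size characters."""
    return alphabet_size ** length

def bits(keyspace):
    """Entropy in bits of a secret chosen uniformly from a keyspace of that size."""
    return math.log2(keyspace)

def charset_entropy_bits(password):
    """Upper bound only: assumes every character was drawn uniformly from the classes present.
    Length caps entropy (Cruncher's point), but a phrase of dictionary words sits far below the cap."""
    alphabet = 0
    if any(c.islower() for c in password): alphabet += 26
    if any(c.isupper() for c in password): alphabet += 26
    if any(c.isdigit() for c in password): alphabet += 10
    if any(not c.isalnum() for c in password): alphabet += PUNCTUATION
    return bits(char_keyspace(len(password), alphabet)) if alphabet else 0.0

def generate_passphrase(num_words, words=SAMPLE_WORDS):
    """Choose words with a CSPRNG; entropy is num_words * log2(len(words)), whatever the words are."""
    return " ".join(secrets.choice(words) for _ in range(num_words))

if __name__ == "__main__":
    example = "1lovecinnamon!!!rolls!!!fromtescostores!!"
    print(f"charset upper bound for the answer's example: {charset_entropy_bits(example):.0f} bits")
    print(f"a 6-word phrase from a 20,000-word list: {bits(word_keyspace(6, 20000)):.0f} bits")
    print(f"5 random words from 20,000: {word_keyspace(5, 20000):.1e} guesses, {bits(word_keyspace(5, 20000)):.0f} bits")
    print(f"8 random printable ASCII chars: {char_keyspace(8, 95):.1e} guesses, {bits(char_keyspace(8, 95)):.0f} bits")
```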
1

Typical deployments of password/secret managers like gnome-keyring or some home-area or file encryption schemes use your login password for encryption.

In those scenarios, a weak password makes it easier for someone to recover your secret data if they can get access to a copy of the hard drive content (like from a backup or a laptop left unattended).

1

An attacker may be able to gain access to a limited account on your machine, rather than your user account. For example, you may have system services that run either as user "nobody" or some service-specific account like "httpd" or similar. There are often ways in which an attacker can gain access to such an account but not a full user account (for example some services may execute files using such a restricted user, and an attacker may have found a way of pushing files into a place where they will be executed without needing to log in fully). This would allow an attacker to run commands, such as su, but not access any protected files, leaving your password as your last line of defence.

  • Cannot su and sudo distinguish a password typed from the local physical keyboard? It is possible to put command-line arguments into shell_exec in PHP, but the password is typed after "sudo ..." runs; can the password also be provided somehow from inside PHP?
    – qdinar
    Commented May 29, 2021 at 8:15