- 12-18-2008 #1
[SOLVED] Are good passwords really required for a home desktop system?
My understanding is one of the weakest links to security is system users. I suspect quite a few home desktop users have a machine which is physically reasonably secure ... if someone breaks into my house the last thing I am worried about is security of PC data!
For users to create good passwords and update them on a regular basis may be desirable ... but can be counterproductive - post-it notes with passwords etc.
If ssh server is not installed, and local only user login is set through /etc/security/access.conf then are secure passwords really required?
If this approach is taken, what is the real increase in security risk?
- 12-18-2008 #2
I have read quite a few threads on this forum about passwords and such. Being bilingual gives me a certain advantage when it comes to things like that and I am just a home user. I don't sweat it too much, though my wife, a Mississippi girl running Windows, is a bigger security leak than I could ever be running Linux. I guess I figure between CNN and all the other people trying to scare me, that I have enough grey hairs already. I decided a while back that s##t happens and I'll deal with it when it crops up. No useful things happen anyways if I start to worry about something.
So just because I run Linux and my other half runs Windows, how safe am I really?
- 12-19-2008 #3
I understand what you mean, and I don't use Windows for net access at all. My wife only uses Windows for iTunes ... to download to an iPod - and this is normally done with the ethernet cable removed.

I'm still trying to figure out what the risk is of having less secure passwords for user accounts given:-
machine physically secure
local only login for all users set in /etc/security/access.conf
ssh server not installed
- 12-19-2008 #4
Some security purists would argue that strong passwords are a requirement as part of a defense-in-depth strategy and that being exposed to the Internet, even if you don't use SSH, is enough to justify the use of elaborate passwords.
I think one thing that often goes overlooked when people talk about security is risk management, identifying the risk and the consequences if that risk is triggered. What is the value of the information you are trying to protect? Are you storing bank account numbers and other personal information on your machine or would it just be some family pictures that would be at risk if someone were to somehow gain control? These are all questions you should be asking yourself. The answers should give you a good idea about what road to go down.
In your case, it sounds like the worst-case scenario is that your machine would be compromised and either a reformat/reinstall or changing of the root password would be required. That doesn't sound all too dire so really strong passwords might not be necessary when there are other, more basic security mechanisms that can serve you better than password strength will.
- 12-19-2008 #5
I think I generally fall into the latter category - family photos etc., I don't remember storing bank account details or other info which would be disastrous if it became public knowledge ... but the search to convince myself of this completely may take a while

What sort of attack do you think I could suffer which is dependent on normal user password strength? ... or to put it another way - since ssh is not available and access.conf should only allow local login what sort of attack will strong user passwords protect against?
- 12-19-2008 #6
An important question to ask yourself. Have you ever used the web to log on to any account at all...eBay, PayPal, your personal banking online, Amazon, play.com.... anything like that? If you have firefox remember passwords that's a big risk. Hell if you only have it remember the username through auto-form-filling you've already given away half the game.
Any personal information...and I mean ANY can be used in identity theft. I'm not talking about the secret 20 digit code you use for banking. I'm talking about the hints to your address, your password recovery question might well be your Mother's maiden name. The same question your credit card might ask you when you are having a new PIN or card issued.
It depends on how paranoid you are but unless you are using it as a music or video server the chances are there is a lot more personal information at stake than you have considered.
- 12-19-2008 #7
I use firefox and have it set to wipe all personal data on exit ... and have unchecked history, forms, and downloads. I think I have things set so a normal user can't su (not in wheel group & /etc/pam.d/su requires wheel), and can't sudo. So I'm struggling to see what sort of attack a strong user password would help prevent.
- 12-20-2008 #8
I run a relatively simple 5 character password for my user's login, but my root password is much more complex using ~ as the first character - provided you aren't using a machine the way I do for professional use, this works well enough for me. The rest of the security relies on correct use of permissions. Meaning, don't chmod 777 crap to make it work.
- 12-20-2008 #9
- 03-11-2009 #10
I actually changed my system admin approach as well ... did this a while ago ...
I came to the conclusion that I am too dumb to prevent exploits
so I have:-
1. a normal user account for day-to-day stuff - surf the net etc with no sudo rights and limited access.
2. other users for day-to-day stuff - limited access.
3. my admin login which I have sudoers setup for regular admin tasks like running pacman, rkhunter etc.
4. a Crux install - which I crippled net access on which I use to chroot to my other installs when I need to - have scripts to chroot ... I could probably type it in by now without writing it down
5. have root user account locked to prevent access.
I've still retained the lockdown on access control but think I now probably have things as secure as I am going to get for a desktop ... different approach to online banking (I could tell you but then I'd have to shoot you)
Ed: set firefox store all your personal crap off, reset chown and chmod on home and user data areas just in case I was tempted to chmod 777 things at some point ...
note to self - don't chmod 777 anything again ever!
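The settings described in posts #7 and #10 (local-only login in /etc/security/access.conf, su restricted to the wheel group in /etc/pam.d/su, and no chmod 777 leftovers) can be checked with a short script. This is an added example, not part of the original posts; the function names and the sample files it builds are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: checks for the settings the posters describe.

# Print active access.conf rules: comments, blank lines and padding removed.
active_rules() {
    sed -e 's/#.*//' -e 's/[[:space:]]*:[[:space:]]*/:/g' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Succeeds only if every permit rule has origin LOCAL and the last rule denies all.
# Note: the file has no effect unless pam_access.so is in the service's PAM stack.
access_local_only() {
    active_rules "$1" | awk -F: '
        $1 == "+" && $3 != "LOCAL" { bad = 1 }
        { last = $0 }
        END { exit !(last == "-:ALL:ALL" && !bad) }'
}

# Succeeds if an uncommented "auth required pam_wheel.so" line is present.
su_requires_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# List world-writable files and directories (the "chmod 777" leftovers).
world_writable() {
    find "$1" -xdev ! -type l -perm -0002 -print
}

# Constructed sample inputs so the checks run offline.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '# local logins only' '+ : ALL : LOCAL' '- : ALL : ALL' > "$demo/access.conf"
printf '%s\n' '+ : ALL : LOCAL' '+ : admin : 192.168.1.' '- : ALL : ALL' > "$demo/access.weak"
printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
    'auth required pam_wheel.so use_uid' > "$demo/su"
printf '%s\n' '#auth required pam_wheel.so use_uid' > "$demo/su.off"
mkdir "$demo/home"; chmod 755 "$demo/home"
: > "$demo/home/notes.txt"; chmod 644 "$demo/home/notes.txt"
: > "$demo/home/script.sh"; chmod 777 "$demo/home/script.sh"

for f in access.conf access.weak; do
    if access_local_only "$demo/$f"; then echo "$f: local-only"; else echo "$f: NOT local-only"; fi
done
for f in su su.off; do
    if su_requires_wheel "$demo/$f"; then echo "$f: wheel required"; else echo "$f: wheel NOT required"; fi
done
echo "world-writable:"; world_writable "$demo/home"
```

To audit a real system, pass /etc/security/access.conf, /etc/pam.d/su and a home directory to the three functions instead of the constructed files.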




