How does a password make my computer more secure?

[superppl]

The has bugged me for some time... I know I'm missing something, but I can't really put my finger on it. Obviously, if your banking online or have something private in public, a good password can keep someone out of your account and messing things up for you.
But on a home computer, I just can't see how a password helps. Is it supposed to protect my files or privacy or something like that? But if someone has physical access to my computer then a livecd will circumvent any password I have. Is it supposed to protect me from malicious users on the internet or on a public network? Don't I have to do something to let them on first?
I've been running months now with password for my account (don't worry, I'd be ****ed to not have a password on root), but this just popped up when I went to test the OpenSUSE 11.2 milestone.


So, I'd like to have this cleared up in my head. How exactly does having a password make my personal computer more secure?

[john_hudson]

To prevent someone using a Live CD, add a BIOS password.

Each password protects in a different way. Having user passwords protects in a variety of other ways, primarily by preventing people who have network, rather than physical, access from breaking the system.

[hcvv]

You forget that Linux is a full fledged Unix like system. This means that it not only caters for your "home system" (where you are apparently alone in the home, some people want to protect against their children), but also for computer room systems with myriads of users (like students, who are almost hackers/crackerss by profession).

And of course, as john_hudson points out, as long as you are connected to the internet any barrier counts.

[TaraIkeda]

Passwords are there to give you needed protection, even if you are the only user on your computer a password is a good idea.
As long as it has access to the net it is vulnerable, windows doubly so.

[superppl]

Lets assume that a few weeks ago I was skating, messed up on a trick, and hit my head.
Can I have a more in depth answer? What specific network vulnerabilities exist and how does a good password help protect me?

[microchip8]

Imagine a hacker trying to gain access/control of your system. He may be stopped by a difficult password. Further, if he somehow manages to get your normal user password but not root's password, the damage can be minimized as he won't be able to totally mess up the whole system but only what you have access to, which depending on the content you keep, can be from minimal to very critial information (one of the reasons to keep backups). Also, since Linux and other Unices are by nature true multiuser systems and each user has its own password, it can also protect (sometimes, not always) against user brain farts or stupidity... eg, rm -rf /usr or some such will not be possible under normal user privileges (thus you can't damage the whole system) hence you have to first login as root which requires a password to be supplied and then do the said action, which is one more step required than on a system where each user has full control of it and can delete anything without anyone stopping him, including other user's stuff

[saahne]

Quote:

Originally Posted by superppl

... But if someone has physical access to my computer then a livecd will circumvent any password I have.

If you really have data worth protecting make sure it's encrypted when not in use and there are encrypted backups.

[smpoole7]

Quote:

Originally Posted by superppl

Lets assume that a few weeks ago I was skating, messed up on a trick, and hit my head.
Can I have a more in depth answer? What specific network vulnerabilities exist and how does a good password help protect me?

Actually, for a single-user system, physically secured, it could be argued that you don't really need a user password. You'd still want to password-protect root, but you acknowledge that above.

As proof of this, many people (including yours truly) set to auto-login on KDE or Gnome. When you boot up, it heads straight into your desktop without prompting. This raises the question: what's the difference between that and just not having a user-level password on a single-user system like yours (or mine, for that matter)? I don't see one.

By the way, I do NOT auto-login on my laptop and it saved my bacon a couple of years ago. Someone stole the one that I owned at that time. Thankfully, I was running Linux with a strong user and root password, and that bought me enough time to get all of my online passwords and banking info changed. I didn't suffer a loss for that one.

(Actually, whoever stole my laptop was probably just looking for a quick pawn, or for a computer for his kids. Imagine his surprise when he booted it and saw, instead of the usual happy Windows splash screen, the Grub menu that defaulted to OpenSuse after 3 seconds!)

(Pondering the look on the thief's face gives me a small moment of pleasure as well.)

[hendersj]

On Tue, 22 Sep 2009 03:46:01 +0000, smpoole7 wrote:

> As proof of this, many people (including yours truly) set to auto-login
> on KDE or Gnome. When you boot up, it heads straight into your desktop
> without prompting. This raises the question: what's the difference
> between that and just not having a user-level password on a single-user
> system like yours (or mine, for that matter)? I don't see one.

It's all about remote access. Set no password on your account and enable
ssh (which is fairly common). On certain of my systems, I also have auto-
login enabled for the desktop. But I also use a password for some SSH
access (inside my own network) and public key authentication for SSH
access to the system that's exposed through the firewall.

And then again if someone breaks into your house and steals your desktop,
not using a password is a good way to lose sensitive information that may
be stored on the machine. (One could argue that on-disk encryption would
also be a good idea in that circumstance)

Jim
--
Jim Henderson
openSUSE Forums Moderator

[hcvv]

@superppl,

I am afraid that you attitude to the subject security is completely different from mine (and a lot of others here). I would never look for arguments for NOT using a user password, because if I overlooked one argument pro, I will be lost. It is no use to find different solutions for all the reasons that people advise you to have passwords so that you have the idea that it is secure to have none. We can always come with a new one, but we won't carry on with this because we either stopped arguing going for something interesting, or we simply did not think about it.

I use passwords because I think that it makes everything (maybe only a little) more secure. I do even have a different user (with password) for management tasks. This is to stress my different roles on the system: as an end-user doing email, surfing, music, whatever and as a system manager. That makes a good base for managing other systems (in the house and beyond).

In a terminal I login as that manager (using a password), connect with SSH to the system to be managed (using a password) and then become root there when needed (using a password).

As my behaviour is so very different from what you try to achieve I do not think that any of my arguments will be understood by you. That is fair enough. And it is quite possible that you never will experience the negative consequences of it. But my advice is: use passwords even if you do not quite understand why, instead of not using them while you do not quite understand why.

Enough of it. Have a nice day and happy computing