This has bugged me for some time… I know I’m missing something, but I can’t really put my finger on it. Obviously, if you’re banking online or have something private in public, a good password can keep someone out of your account and from messing things up for you.
But on a home computer, I just can’t see how a password helps. Is it supposed to protect my files or privacy or something like that? But if someone has physical access to my computer then a livecd will circumvent any password I have. Is it supposed to protect me from malicious users on the internet or on a public network? Don’t I have to do something to let them on first?
I’ve been running months now with password for my account (don’t worry, I’d be ****ed to not have a password on root), but this just popped up when I went to test the OpenSUSE 11.2 milestone. Screenshot: http://img3.imageshack.us/i/passwordqa.png/
So, I’d like to have this cleared up in my head. How exactly does having a password make my personal computer more secure?
To prevent someone using a Live CD, add a BIOS password.
Each password protects in a different way. Having user passwords protects in a variety of other ways, primarily by preventing people who have network, rather than physical, access from breaking the system.
You forget that Linux is a full-fledged Unix-like system. This means that it not only caters for your “home system” (where you are apparently alone in the home; some people want to protect against their children), but also for computer room systems with myriads of users (like students, who are almost hackers/crackers by profession).
And of course, as john_hudson points out, as long as you are connected to the internet any barrier counts.
Let’s assume that a few weeks ago I was skating, messed up on a trick, and hit my head.
Can I have a more in depth answer? What specific network vulnerabilities exist and how does a good password help protect me?
Imagine a hacker trying to gain access/control of your system. He may be stopped by a difficult password. Further, if he somehow manages to get your normal user password but not root’s password, the damage can be minimized as he won’t be able to totally mess up the whole system but only what you have access to, which depending on the content you keep, can be from minimal to very critical information (one of the reasons to keep backups). Also, since Linux and other Unices are by nature true multiuser systems and each user has its own password, it can also protect (sometimes, not always) against user brain farts or stupidity… e.g., rm -rf /usr or some such will not be possible under normal user privileges (thus you can’t damage the whole system); hence you have to first log in as root, which requires a password to be supplied, and then do the said action, which is one more step required than on a system where each user has full control of it and can delete anything without anyone stopping him, including other users’ stuff.
Actually, for a single-user system, physically secured, it could be argued that you don’t really need a user password. You’d still want to password-protect root, but you acknowledge that above.
As proof of this, many people (including yours truly) set to auto-login on KDE or Gnome. When you boot up, it heads straight into your desktop without prompting. This raises the question: what’s the difference between that and just not having a user-level password on a single-user system like yours (or mine, for that matter)? I don’t see one.
By the way, I do NOT auto-login on my laptop and it saved my bacon a couple of years ago. Someone stole the one that I owned at that time. Thankfully, I was running Linux with a strong user and root password, and that bought me enough time to get all of my online passwords and banking info changed. I didn’t suffer a loss for that one.
(Actually, whoever stole my laptop was probably just looking for a quick pawn, or for a computer for his kids. Imagine his surprise when he booted it and saw, instead of the usual happy Windows splash screen, the Grub menu that defaulted to OpenSuse after 3 seconds!)
(Pondering the look on the thief’s face gives me a small moment of pleasure as well.)
On Tue, 22 Sep 2009 03:46:01 +0000, smpoole7 wrote:
> As proof of this, many people (including yours truly) set to auto-login
> on KDE or Gnome. When you boot up, it heads straight into your desktop
> without prompting. This raises the question: what’s the difference
> between that and just not having a user-level password on a single-user
> system like yours (or mine, for that matter)? I don’t see one.
It’s all about remote access. Set no password on your account and enable
ssh (which is fairly common). On certain of my systems, I also have auto-
login enabled for the desktop. But I also use a password for some SSH
access (inside my own network) and public key authentication for SSH
access to the system that’s exposed through the firewall.
And then again if someone breaks into your house and steals your desktop,
not using a password is a good way to lose sensitive information that may
be stored on the machine. (One could argue that on-disk encryption would
also be a good idea in that circumstance)
I am afraid that your attitude to the subject of security is completely different from mine (and a lot of others here). I would never look for arguments for NOT using a user password, because if I overlooked one argument pro, I will be lost. It is no use to find different solutions for all the reasons that people advise you to have passwords so that you have the idea that it is secure to have none. We can always come with a new one, but we won’t carry on with this because we either stopped arguing, going for something interesting, or we simply did not think about it.
I use passwords because I think that it makes everything (maybe only a little) more secure. I do even have a different user (with password) for management tasks. This is to stress my different roles on the system: as an end-user doing email, surfing, music, whatever and as a system manager. That makes a good base for managing other systems (in the house and beyond).
In a terminal I login as that manager (using a password), connect with SSH to the system to be managed (using a password) and then become root there when needed (using a password).
As my behaviour is so very different from what you try to achieve I do not think that any of my arguments will be understood by you. That is fair enough. And it is quite possible that you never will experience the negative consequences of it. But my advice is: use passwords even if you do not quite understand why, instead of not using them while you do not quite understand why.
Enough of it. Have a nice day and happy computing:)
Thanks for the replies, and hey I hit my head, I didn’t get a lobotomy.
My laptop is frequently used by my mom and sister and a password is a major annoyance to them. A few months ago I had a password for the sole reason of keeping my friend off facebook and therefore my laptop, but I figure there has to be a better reason for needing a password.
I can see where you guys are going with network access needing protection for the sole sake of convenience (a really big one), especially if I’m connected to the school’s network and there’s just that one ******* who’s desperate to delete last night’s homework. I can see that it would be a good idea to have a password just because it gives you a little more protection for virtually no risk and no cost.
And on an unrelated note, cats make difficult keyboards.
> superppl;2042992 Wrote:
>> My laptop is frequently used by my mom and sister and a password is a
>> major annoyance to them.
> And do they leave all the doors in and around the house open all the time?
> Those people are a danger to themselves.
Wow, that is a little bit blown out of proportion there.
My 83-year-old mother uses Linux and she accepts that a password is needed. I do most of the maintenance on her PC, so the password is not an issue, although she does note a password is needed for some things she wants to do. She understands the reason.
But having stated that, I have friends who dislike Linux because of the password requirements. They also happen to be the same people who often catch viruses or trojans in Windoze, but that could be a coincidence. What I do note is, while I am disappointed they can not adapt to Linux, I also fully understand their choice to stay with Windoze because they refuse to use a password. And IMHO that’s the way it should be.
For those who do not want to use a password, Windoze is a good OS for them. But IMHO we should not in this critical area change Linux to suit those who can not adapt to a security necessity.
What those Linux users skeptical of a password utility might do, is simply check their logs for ssh hack attempts with port #22 open on their Linux PC (but with a good password). On my PC, until I took defensive measures by closing the port (root access was already denied), I was logging hundreds of (failed) hack attempts per day. It was an eye opener.
One only needs one successful hack effort into root to start making things unpleasant.
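A defender-side illustration of the log check described in the post above, added here and not part of the thread: a small Python script that parses sshd “Failed password” / “Accepted …” lines from a constructed auth.log sample, counts failures per source IP and per targeted account, and lists which sources would be candidates for a firewall or tcpwrappers deny rule. The log lines, host name, user names and addresses are all made up for the example.

```python
import re
from collections import Counter

# Constructed sample in OpenSSH's auth.log format (not taken from the thread).
SAMPLE_LOG = """\
Sep 22 03:46:01 laptop sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Sep 22 03:46:03 laptop sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Sep 22 03:46:04 laptop sshd[2104]: Failed password for root from 203.0.113.5 port 51240 ssh2
Sep 22 03:47:10 laptop sshd[2110]: Failed password for root from 198.51.100.7 port 40022 ssh2
Sep 22 03:47:11 laptop sshd[2110]: Failed password for root from 198.51.100.7 port 40023 ssh2
Sep 22 03:47:12 laptop sshd[2110]: Failed password for root from 198.51.100.7 port 40024 ssh2
Sep 22 03:50:00 laptop sshd[2120]: Accepted publickey for superppl from 192.0.2.10 port 50000 ssh2
Sep 22 03:51:00 laptop sshd[2125]: Accepted password for superppl from 192.0.2.11 port 50001 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")

def summarize(log_text):
    """Count failed logins per source IP and per target user; collect successful logins."""
    by_ip = Counter()
    by_user = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            by_ip[ip] += 1
            by_user[user] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((method, user, ip))
    return by_ip, by_user, accepted

def noisy_sources(by_ip, threshold=3):
    """Source IPs with at least `threshold` failures: candidates for a deny rule."""
    return sorted(ip for ip, n in by_ip.items() if n >= threshold)

if __name__ == "__main__":
    by_ip, by_user, accepted = summarize(SAMPLE_LOG)
    print("failed attempts per source:", dict(by_ip))
    print("failed attempts per target user:", dict(by_user))
    print("sources over threshold:", noisy_sources(by_ip))
    print("successful logins (method, user, from):", accepted)
```

Run it against a real /var/log/messages or auth.log by reading the file into `summarize`; a large root count with `PermitRootLogin no` already set shows why the post calls this an eye opener.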
I’ve always wondered why people always say make a strong root password. If I were a hacker, getting root would not be one of my priorities. A user password holds much more goodies (emails, bank details, document, etc)
And as previously mentioned, a user password is easily put aside with a live-cd. I have used a special Linux-based live-cd to crack Windows installations of people who ‘forgot’ their password. It’s easily done.
Equally, I have full access to other user’s files if I boot a pc with a live-cd. So, the topic is still a good one!
Encryption is the only way to really ensure data security. However, I could not be bothered
Indeed. Which is why one should also always pay attention to physical security. Physical security, while not iron clad by any stretch at all, is still part of the “security chain” and IS important.
A nice thing (for hackers) about remote access/hacking over the Internet is if they take adequate precautions, they are not at physical risk. Break into someone’s house to access their computer, and who knows what sort of physical reception could be waiting for a hacker. It’s an entirely different ball game.
On Tue, 22 Sep 2009 22:36:01 +0000, Dexter1979 wrote:
> I’ve always wondered why people always say make a strong root password.
> If I were a hacker, getting root would not be one of my priorities. A
> user password holds much more goodies (emails, bank details, document,
Because if you have root then you can get access to all the users’ data,
not just one user’s data.
Most people who wish to penetrate a computer wish to do so without the knowledge that anyone ever messed with your system.
Locally, a livecd takes some time (as in, they will not be able to do this with you in the same house probably), but also when you return to your computer, UNLESS your machine was at the login screen, you’ll be able to tell the machine was rebooted for some reason.
Is it a perfect solution? No. But when you have stuff like ssh access open and no firewall rules or tcpwrappers limiting what IPs can connect, and no RSA keys going on, it helps to have that barrier there too.
Want to lock down your home machine? BIOS password, use LUKS to encrypt the hard drive, password-protect GRUB, and learn how to use iptables/tcpwrappers properly.