  • SSH Server: I only allow public-key authentication.

  • Malicious Software: If it's running as my user it has access to my data and an internet connection, it's bad enough already. Yes, su access would make it worse, but the issue here is not password strength but having trusted a malicious application.

  • Physical Access: su access is irrelevant at this point; the attacker has physical access to my hard drive, so they can do as they wish.

So, in what scenario does having a strong password that is error-prone to type help me?

schroeder
Alex
  • Any FDE scenario? In that case physical access is *not* enough to obtain the data from the drive... obviously, depending on the situation, one could install a hardware keylogger, but nothing prevents you from disassembling your PC every time before booting it to check for this. – Bakuriu Jan 29 '17 at 22:01
  • As somebody said, security is like an onion. You need many layers. – Wtower Jan 30 '17 at 10:09
  • You can also disable root logins completely and use ssh with public key authentication. – Simon Richter Jan 30 '17 at 10:11
  • @Wtower I prefer to think of security as being like an ogre. You still get the layers, but now it's mean and green. – JAB Jan 30 '17 at 19:15
  • @Bakuriu You're still assuming that the OEM parts are un-compromised --- granted, if your enemy secretly controls an OEM, then you've probably got more pressing concerns than virtual security. – jpaugh Jan 30 '17 at 22:03
  • @Wtower onions don't *need* many layers, they just happen to *have* many layers. If they were like a potato, it would also be fine. I'd rather it was something like *security is like a lasagne, you need many layers to make it good, and you can't make it at all out of one layer*. /off-topic – TessellatingHeckler Jan 31 '17 at 08:23
  • @JAB what about parfait? Delicious layers of gooey security. Or maybe I'm just thinking of a honeypot. – Wayne Werner Feb 01 '17 at 15:48
  • You should probably also use a firewall like ufw to block all inbound ports except ssh (and any other service you need to allow and know is secure). – Ian D. Scott Feb 01 '17 at 18:21

6 Answers


You seem to have a pretty clear understanding of the risks. As others have stated, it is highly encouraged to use a strong password, so if you are running a sensitive service, then by all means, please use strong passwords only.

When using a weak password, there are a couple of risks that come to mind which you did not mention:

  1. There may be other services besides SSH (e.g. FTP or others) that are still accepting password-based authentication. It's quite possible that one of those services will be accidentally enabled some time in the future, or a sysadmin may temporarily enable password-based authentication on the SSH server.

  2. There is an important point you did not mention in regards to malicious applications. In the event of an intrusion to a non-root account, it is extremely important to prevent upgrade to root access. If the root password is weak then you may very well have an open vulnerability there via brute force. Also, supposing there is some other account that has sudo permission, these need strong passwords also.

Do not dismiss the importance of preventing malicious applications from being able to gain root access; and beware of the risk of changes in your configuration. Also there is a strong possibility that you and I do not know the same attack vectors that your adversary does.

You may be able to increase the length of the password to compensate for decreased complexity, thereby making it easier to type. As a touch typist, I have a hard time relating to your problem though.

kasperd
700 Software
  • Great answer, but it might be nice to go into more detail about *why* it's so important to prevent escalation to root. The big reason that comes to mind is forensics: if attacker only gets user, you have log integrity and can determine what happened, how to prevent it from happening again, and possibly even recover data safely. Most importantly you have a way to know you were compromised. If the attacker gets root, that all goes out the window. – R.. GitHub STOP HELPING ICE Jan 29 '17 at 20:49
  • Thanks for the comment. Ideally we'd have a separate question (with thorough answers) to explain why protecting `root` is important. Then I could link to it. :-) – 700 Software Jan 29 '17 at 21:45
  • Brute-forcing a password on a live system can be subject to throttling, right? – Display Name Jan 30 '17 at 06:11
  • @GeorgeBailey How about [Why should the \*nix system administrator account (root) have a strong password if remote root logins are disabled?](https://security.stackexchange.com/q/149833/2138) – user Jan 30 '17 at 10:41
  • @SargeBorsch, Hopefully it is by default on most systems. – 700 Software Jan 30 '17 at 14:11
  • @SargeBorsch I was thinking they could grab the hash from /etc/shadow, and then there's no way to throttle, but of course this requires root access already – Cruncher Jan 30 '17 at 15:13
  • @R It's the difference between one user getting compromised, and *every user on the system.* But, even on a system with one user, and no network services, protecting root makes recovery easier: if root access was successfully protected from an attack, the user's *data* must be restored from backup, but the OS itself will be intact – jpaugh Jan 30 '17 at 21:56
  • @jpaugh and how do you know that the attacker did not get root without a forensic analysis that obviously takes a lot more time and expertise than reinstalling the OS? – suriv Jan 31 '17 at 14:11
  • @suriv, While you never know 100% for sure, sometimes the evidence of the attack indicates a limited scope. – 700 Software Jan 31 '17 at 14:40
  • @GeorgeBailey sure, but you cannot make a decision without first collecting and analyzing that evidence. That is not something that an average user can do, and I suspect even an experienced forensic analyst would find it easier (not to mention much safer) to just nuke it from orbit. – suriv Jan 31 '17 at 14:57
  • @suriv, It depends. Although nuking from orbit is always the safest option. – 700 Software Jan 31 '17 at 15:34
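The first risk in the answer above, password authentication quietly coming back through a later configuration change, is something a defender can check for mechanically. The following is an added example, not code from any answer on this page: a Python checker that parses a constructed sshd_config, applies sshd's first-value-wins rule, and reports a `Match` block that re-enables password logins. The sample config, the `Match User deploy` account and the set of acceptable values are assumptions for the demonstration.

```python
import re

# Constructed sample sshd_config (not from a real host): hardened globals, but a
# later Match block re-enables password logins for one account.
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no

Match User deploy
    PasswordAuthentication yes
"""

# keyword -> (sshd's default when unset, values that keep password guessing out)
CHECKS = {
    "passwordauthentication": ("yes", {"no"}),
    "kbdinteractiveauthentication": ("yes", {"no"}),
    "permitrootlogin": ("prohibit-password", {"no", "prohibit-password", "without-password"}),
}

def parse_sshd_config(text):
    """Global settings plus Match blocks; sshd keeps the first value it sees."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "match":                     # everything below is conditional
            current = {"criteria": value, "settings": {}}
            blocks.append(current)
            continue
        target = current["settings"] if current else global_settings
        target.setdefault(key, value.strip().lower())   # first occurrence wins
    return global_settings, blocks

def audit_sshd_config(text):
    """Return findings; an empty list means no password-auth drift was found."""
    global_settings, blocks = parse_sshd_config(text)
    findings = []
    for key, (default, allowed) in CHECKS.items():
        value = global_settings.get(key, default)
        if value not in allowed:
            findings.append(f"global {key} is {value!r}")
        for block in blocks:
            override = block["settings"].get(key)
            if override is not None and override not in allowed:
                findings.append(f"Match {block['criteria']} sets {key} {override!r}")
    return findings
```

On a live host the same function can be fed the output of `sshd -T`, which prints the effective configuration with defaults already resolved.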

You do not need a strong password.

The advice about passwords, like so many others, is a safe default that we security professionals give because it is usually good advice, many people (and companies) don't understand risk very well, and in case of doubt you should err on the side of caution.

If you not only understand the risks but have already mitigated them, you are good. I myself use a three-character password on my home machine, for the same reason: the main threat to defend against is that a cat walks over the keyboard, unlocks the machine and somehow steps on the "delete everything" key combination.

There are many other scenarios in which you do want a strong password. In fact, in the majority of cases you do. That is why having a strong password is usually good advice. But anyone telling you that you always, no matter the threat model, must have a strong password doesn't understand security.

Tom
  • I agree, the question was not clear in what the scenario was. Some of this can be deduced from the examples offered but still remains open in scope. A password is intended to protect from possible threats. If the threats are weak a password can be weaker. However, many people erroneously think that if the threats are rare or unlikely the password may be weak; this is just wishful thinking if you are hoping for security. As Tom writes, use a strong password if you are not _sure_ the attack will be weak (cat walk). – KalleMP Jan 30 '17 at 09:28
  • That password wouldn't happen to be `Tom`, would it? If it is, I strongly suggest changing it to `moT` for increased security against the cat walking backwards over the keyboard. – user Jan 30 '17 at 10:31
  • To protect the system from the cat, and keep it to 3 letters, change it to `Dog`. No self-respecting cat would ever type that, even accidentally. Seriously, the risk level, and the damage potential, control the type of password I use. Home computer has no user pass, 3-char root pass. Most online accounts only 8-char. Business stuff at 15 and financial at 23. (Odd numbers intentionally since everyone thinks in 2's and powers of 2.) If, somehow, someone compromises my PC the worst that can happen is I have to reinstall everything, not so banal if they get into my bank account! –  Jan 30 '17 at 12:23
  • Although I think George Bailey's answer is better, I greatly appreciate the anti-dogma. After all this is InfoSec SE, not an article in the WSJ. +1 – Jared Smith Jan 30 '17 at 17:00

On the one hand, the fact is that you don't know. A strong password is defense in depth. Say that you (or someone else) install an additional service that also uses Unix authentication, for example FTP, forgetting that there's no secure password policy and forgetting to disable local users that are not needed. Now you have a vulnerability.

On the other hand, it's easier to state "you need a strong password" than to state all the conditions where a strong password is not needed. When you know what you are doing, and do it correctly, you can possibly set things up so that you don't even need a login password anymore. At that point you also have the means of taking "You need a strong password" for what it's worth.

LSerni

I think the question should be "Why NOT use a strong password".

In my opinion, a strong password is the foundation of any secure system. You mentioned some safeguards, but you forgot some other attack vectors: for example, if your server is a web server and you get compromised by a code-execution attack, the attacker would have access just to the www-data user, but if you have weak root passwords, the attacker can easily escalate privileges. Or for example, if the FTP software you use has a vulnerability and someone exploits it, they will be able to get root easily.

Attacks are not only from "malicious software": a simple unpatched Apache can compromise your system.

Keep in mind that you can have strong passwords that are easy to remember. Think about your preferred phrase, modify it with a few numbers and special characters and that's already more than enough. Example: take the phrase "i love cinnamon rolls from tesco stores" and you can get a strong password: "1lovecinnamon!!!rolls!!!fromtescostores!!"

psmears
Ricardo Reimao
  • Mandatory quote: https://xkcd.com/936/ :-) – LSerni Jan 29 '17 at 19:23
  • @Tom - having at least some non-dictionary content is a good idea though, as many cracking attempts would try dictionary words and leet-speek over random words. – James Snell Jan 30 '17 at 11:43
  • It's irrelevant - the thing that's important is password entropy. The number of characters you use to get there isn't particularly significant unless you've a limit. – Sobrique Jan 30 '17 at 13:03
  • @Sobrique of course length gives you an upper bound for entropy so it's somewhat relevant. But it certainly doesn't give a lower bound, so length is not enough. That is, length is necessary and non-sufficient for a secure password – Cruncher Jan 30 '17 at 15:18
  • @James - you can use a dictionary as long as you have enough words. 20,000 is the active vocabulary of a typical (not especially educated) native speaker. Even just 5 words from that selection gives you a brute-force complexity of 10^21 - much, much better than even the most optimistic complexity of an 8-character-special-characters-blablabla password. – Tom Jan 30 '17 at 20:04
  • "Why NOT use a strong password" --- Because then I'll forget it. – Daniel Jan 31 '17 at 19:06

Typical deployments of password/secret managers like gnome-keyring or some home-area or file encryption schemes use your login password for encryption.

In those scenarios, a weak password makes it easier for someone to recover your secret data if they can get access to a copy of the hard drive content (like from a backup or a laptop left unattended).


An attacker may be able to gain access to a limited account on your machine, rather than your user account. For example, you may have system services that run either as user "nobody" or some service-specific account like "httpd" or similar. There are often ways in which an attacker can gain access to such an account but not a full user account (for example some services may execute files using such a restricted user, and an attacker may have found a way of pushing files into a place where they will be executed without needing to log in fully). This would allow an attacker to run commands, such as su, but not access any protected files, leaving your password as your last line of defence.

Jules
  • Cannot su and sudo distinguish a password typed from the local physical keyboard? It is possible to put command line arguments into shell_exec in PHP, but the password is typed after the "sudo ..." command runs; can the password also be provided somehow from inside PHP? – qdinar May 29 '21 at 08:15
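The scenario in the last answer, a service account such as "nobody" or "httpd" being used to run su against root, is exactly the escalation that the first answer says must be prevented, and it leaves traces in the authentication log. As an added example that is not code from any answer on this page, the following Python detector reads a constructed auth.log excerpt and raises an alert for any su/sudo failure by a service account and for a burst of failures by one user against one target. The sample log lines, the host name, the list of service accounts and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt in syslog format (not from any real host): a web
# service account hammers su to root, then one ordinary failure by an admin.
SAMPLE_AUTH_LOG = """\
Jan 29 20:49:01 web1 su[2111]: FAILED SU (to root) www-data on pts/0
Jan 29 20:49:04 web1 su[2113]: FAILED SU (to root) www-data on pts/0
Jan 29 20:49:07 web1 su[2115]: FAILED SU (to root) www-data on pts/0
Jan 29 20:49:09 web1 sudo: www-data : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash
Jan 29 20:49:11 web1 su[2118]: FAILED SU (to root) www-data on pts/0
Jan 29 21:02:30 web1 su[2300]: FAILED SU (to root) alice on pts/1
"""

# Accounts that exist to run daemons and should never be at a shell prompt.
SERVICE_ACCOUNTS = {"www-data", "nobody", "httpd", "apache", "nginx"}
FAILURE_PATTERNS = [
    re.compile(r"su\[\d+\]: FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+) on"),
    re.compile(r"sudo:\s+(?P<user>\S+) : (?P<n>\d+) incorrect password attempts? .* USER=(?P<target>\S+)"),
]

def parse_failures(text, year=2017):
    """Yield (timestamp, source user, target user, attempt count) per failure line."""
    for line in text.splitlines():
        for pattern in FAILURE_PATTERNS:
            m = pattern.search(line)
            if m:
                stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
                yield stamp, m["user"], m["target"], int(m.groupdict().get("n") or 1)
                break

def detect_escalation_attempts(text, threshold=4, window_s=60):
    """Return alerts: any su/sudo failure by a service account, plus bursts of at
    least `threshold` failures by one user against one target within `window_s`."""
    alerts, recent = [], defaultdict(deque)
    for stamp, user, target, attempts in parse_failures(text):
        if user in SERVICE_ACCOUNTS:
            alerts.append(f"service account {user} attempted su/sudo to {target} at {stamp:%H:%M:%S}")
        q = recent[(user, target)]
        q.extend([stamp] * attempts)              # sudo reports several attempts at once
        while q and (stamp - q[0]).total_seconds() > window_s:
            q.popleft()                           # slide the window forward
        if len(q) >= threshold:
            alerts.append(f"{len(q)} failed escalations {user}->{target} within {window_s}s ending {stamp:%H:%M:%S}")
            q.clear()                             # report each burst once
    return alerts
```

Any alert of the first kind is worth investigating on its own, since a daemon account has no business at a su prompt regardless of how strong the root password is.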