5

Consider a computer with only 1 user, but 3 passwords:

  • 1 for Full Disk Encryption (FDE)
  • 1 for a user account without administrative rights, which would be the account the user uses everyday
  • 1 for an administrator user account, which would only be used when programs require elevated privileges

I was thinking about a Windows computer with Bitlocker, but the question could also apply to other FDE solutions (e.g. TrueCrypt/VeraCrypt), or even other operating systems (Linux, macOS, ...).

Of course, using 3 different passwords would be ideal in terms of security.

However, using a password manager isn't really possible for these passwords.

So, what are the security implications of using the same password for these 3 use cases?

I can think of the following risk: the FDE password is normally pretty safe against software keyloggers (I think), however the user account password and the admin account password aren't.

Are there other risks?


Alternatively, if using 2 different passwords, which one should be different from the other 2?

I'd say the one used for FDE should be different. It seems acceptable to have the same password for the user account and the admin account (provided there's only 1 user), in the same way sudo asks for the user's password (and not a root password) on Linux systems.

Sébastien
  • Something that hasn't been brought up yet is convenience. You will probably type `sudo` (if using something like Linux) more times than you will type in your disk encryption password. So you might want, say, an easy to type _password_ (many different character groups, random) for your admin escalation and a long-and-memorable _passphrase_ for disk encryption. – Guildenstern Jan 11 '20 at 19:32

4 Answers

4

Those three passwords protect you from different threats. Which ones are most important will depend on your threat model.

  • The non-admin password protects your personal files from other non-admin users
  • The admin password protects your system from being modified by other non-admin users
  • The FDE password protects your system from attackers with physical access

As for what the attacker may obtain from each one:

  • If the attacker obtains the non-admin password, s/he may try to use it to access admin accounts too, thereby controlling the entire system.

  • If the attacker obtains the admin password, s/he controls the entire system (Including non-admin accounts).

  • If an attacker obtains physical access to your computer and has the FDE password, the remaining passwords don't matter, as s/he can change them.

IMHO, admin password and non-admin password should always be different. The risk of an attacker escalating privileges with the same password is too high. But maybe in your threat model it's not a major risk, as you have only one account.

About FDE, it's not a must have for every user. If physical access to your computer is part of your threat model (like robbery, law enforcement or 3 letter agencies) then you should use a completely different password for this too. In case this is not part of your threat model, it doesn't matter which password you use.

About your assumption that FDE passwords are harder to obtain from software keyloggers: while this is true, an attacker that has been able to deploy a keylogger in your system may be equally capable of obtaining the encryption key from memory.

Mr. E
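As an added illustration (my own example, not code from this answer or from any of the posters), the following Python model encodes the threat table above and computes which tiers an attacker ends up controlling from an initial compromise under each password-sharing policy; the tier names, the policy labels and the `physical` flag are my assumptions, and it deliberately goes one step further than the answer by covering every reuse combination.

```python
"""Reachability model of the three-password threat table (constructed example)."""
from typing import Dict, FrozenSet, Set

TIERS = ("user", "admin", "fde")

# Privilege implications from the answer: admin controls non-admin accounts;
# an attacker with the FDE password AND physical access controls everything.
# Admin -> FDE (e.g. pulling the key from memory) is deliberately not modelled.
IMPLIES = {"user": set(), "admin": {"user"}, "fde": {"user", "admin"}}

# Assumed policies: equal labels mean the same password is reused.
POLICIES: Dict[str, Dict[str, str]] = {
    "three distinct":            {"user": "p1", "admin": "p2", "fde": "p3"},
    "user=admin, fde distinct":  {"user": "p1", "admin": "p1", "fde": "p2"},
    "user=fde, admin distinct":  {"user": "p1", "admin": "p2", "fde": "p1"},
    "one password everywhere":   {"user": "p1", "admin": "p1", "fde": "p1"},
}


def reachable(policy: Dict[str, str], compromised: Set[str],
              physical: bool = False) -> FrozenSet[str]:
    """Tiers an attacker ends up controlling, given the passwords they already
    know (compromised) and whether they can also get at the device offline."""
    known = set(compromised)
    changed = True
    while changed:                      # fixed-point closure
        changed = False
        for tier in list(known):
            # Password reuse: one learned secret unlocks every tier sharing it.
            via_reuse = {t for t in TIERS if policy[t] == policy[tier]}
            # The FDE password only helps if the attacker can reach the disk.
            via_priv = IMPLIES[tier] if (tier != "fde" or physical) else set()
            new = (via_reuse | via_priv) - known
            if new:
                known |= new
                changed = True
    return frozenset(known)


def blast_radius(policy_name: str, start: str = "user",
                 physical: bool = False) -> FrozenSet[str]:
    """Convenience wrapper: what a compromise of `start` yields under a policy."""
    return reachable(POLICIES[policy_name], {start}, physical)


if __name__ == "__main__":
    # The everyday (non-admin) account is the one most likely to be hit first.
    for name in POLICIES:
        print(f"{name:28s} user compromise -> {sorted(blast_radius(name))}")
```

Running it shows the collapse the answer describes: with one shared password a compromise of the everyday account already yields all three tiers, while with three distinct passwords the same compromise stays confined to the non-admin account.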
1

Ideally, you should have 3 different and strong passwords for the 3 different actions, and change all of them on a regular basis. The only problem is that you are probably a human being, and finding and remembering different strong passwords is not that easy, and those passwords cannot be easily extracted from a password manager.

So I would try to do a usage and risk analysis. I really like the xkcd comics on authorization. That explains why some Linux systems come with no admin password but just use sudo, asking the user for their own password again to do administrative tasks. The same rationale is behind UAC on Windows systems: a non-privileged task should not be allowed to silently escalate to admin rights, and requires a user validation; but what authenticates the user is just their own password (*).

You really should use different passwords for accounts exposed to different threats, or if you want to be able to change one without modifying the others. This typically applies to remote site passwords, where if one site was compromised, you want to avoid the problem extending to other sites. But here the 3 passwords actually protect the same thing: your own computer.

So my advice is to choose a good password and use it consistently for the 3 things. Only the admin password could be different, because it can be stored in a password vault in case you forget it. Things would be different if some of those passwords were shared with another user (thinking of FDE here), because then the FDE password should be different from the users' password.


(*) Many attacks allow executing unwanted code on behalf of the user but do not steal her password.

Serge Ballesta
  • A surprising number of security experts recommend never changing passwords: https://security.stackexchange.com/questions/4704/how-does-changing-your-password-every-90-days-increase-security – David Cary Mar 17 '21 at 18:32
0

By using the same password across your Full Disk Encryption, regular user account, and admin user account, you fall into the:

"You're only as strong as your weakest link" type of situation.

Consider that you'll be using your regular user account more often than your admin account and it will be more prone to the initial compromise.

If that regular user account/password is compromised in any way, you've instantly granted the attacker access to decrypt the FDE and access admin privileges. That being said, once an attacker has local admin privileges... it's no longer your device.

I can't recommend only changing 1/3 of these passwords. Make them all different and strong if you are looking to make your device less penetrable.

SecretSasquatch
-1

By using the same password for your non-admin and admin accounts, you have essentially defeated the purpose of having the non-admin account. It is now trivial to escalate from a compromise of the non-admin account to the admin account. If you are going to use the same password for both, consider not having a non-admin account at all. At least that way you will be aware of the risks you are taking.

Of course, it is less trivial to get admin privileges when the accounts are separate, even if the passwords are the same. There is some value there because an attacker would have to discover the passwords are the same. This is essentially Security through Obscurity, which is bad practice.

The FDE password protects you against someone stealing your device or hard drive. An attacker who has hacked your unprivileged user, most of the time, won't be the same attacker who is stealing your physical device. This is however untrue of law enforcement or government actors. Depending on your threat model, reusing passwords for FDE and user accounts becomes more or less severe. However, it is almost always a bad practice.

returneax
  • -1 for "consider not having a non-admin account at all." Linux machines are usually set up with sudo, where you use your own account password to securely elevate to admin account. It's not necessarily insecure when implemented properly. – Lie Ryan Aug 02 '17 at 01:43
  • A `sudo` user IS an administrator user. `root` is equivalent to `system` in Windows land. The equivalent example would be using `nobody`'s password as a `sudo` group member's password. I'd appreciate if you remove the -1. – returneax Aug 02 '17 at 18:32