Ubuntu – What are the reasons to have a strong password at home

Tags: password, security

For a typical home PC the security situation is as follows:

  • No servers running, not even SSH. The firewall is ufw running in simple mode: all outgoing allowed, all incoming denied. Possibly torrents and DC++. It may often be behind a router without port forwarding.
  • All sensitive or valuable information is already available for read and write to the user and resides in his /home.
  • Physical presence of an attacker is impossible (by impossible I mean that if an attacker is present near the PC, the PC is the least concern in that situation).
  • Being a specific target of a skilled attacker is astronomically improbable.
  • DE with autologin enabled.

Question: In the situation described, what attack vectors are there in which the strength of the user password is relevant? Can, for example, a malicious web site have a chance to attempt brute-forcing? If, for example, the user runs a malicious script, would it not be much easier for it to put itself in autorun and wait for the user to use sudo than to do brute-forcing? Why would it need root at all – all the fun things are already available?

I want to make a weighted decision about the password length. I am actively converting people to Linux, and typing passwords scares them. Typing a secure password a lot annoys me too. It is just stupid to have a password when nobody will ever try to force it or steal the hash.

Best Answer

Attack vectors:

  1. Behind a NAT router (most are nowadays): fat chance of anyone getting in. And with ufw running as well: even less chance... Without a NAT router: it's just software, not hardware. Software can be hacked, especially if automatic updates are off.
  2. Physical access: Indeed, you're right. The password is the least of your concerns while the attacker is there. However, if he steals the computer, it is nice to know that none of your data can be seen by the thief (encrypted home directory at minimum, or better: full TrueCrypt). These people don't have technical skills, and an encrypted computer is worth less on the black market.
  3. LAN: Well, if you're not going to enter any password on the PC, why protect the WiFi then? Open it all up! >:) Put the router in the corridor so people can plug in their LAN cables while you're at it! ;) :D
  4. "Easy-to-guess passwords":

    Definitely avoid your country's top 100 passwords.

    I told my mother to use the name of the street she lived in as a child (not really, but something as easy for her to remember) and then add 4 exclamation marks... She actually likes typing her password. :-)

  5. To know how security-conscious people are, ask them the following two questions:

    A. Do you close your front door with a key?

    B. Do you close your curtains?

    If the answer to both questions is "No", then don't give them any password; but if one of the questions is answered with "yes", help them protect themselves by giving them a long password! (Remember: in cracking, length is important, not complexity!)
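As an added illustration of the answer's closing point that length matters more than complexity (example code written for this page, not from the original post; the alphabet sizes, policies and the 1e10 guesses-per-second rate are assumed values for comparison, not measurements):

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

# Alphabet sizes used below (constructed, for illustration)
LOWER = 26            # a-z only
PRINTABLE = 95        # printable ASCII: letters, digits, symbols


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a password of `length` symbols chosen uniformly
    at random from `alphabet_size` symbols. Each extra symbol adds
    log2(alphabet_size) bits, so length multiplies the search space while
    a richer alphabet only adds a few bits per position."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest length that reaches `target_bits` with this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at the given guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare_policies(guesses_per_second: float = 1e10) -> dict:
    """Entropy and exhaustive-search time for several constructed
    password policies, at an assumed offline guess rate."""
    policies = {
        "8 printable-ASCII chars": (PRINTABLE, 8),
        "12 lowercase letters": (LOWER, 12),
        "16 lowercase letters": (LOWER, 16),
        "20 lowercase letters": (LOWER, 20),
    }
    result = {}
    for name, (alphabet, length) in policies.items():
        bits = search_space_bits(alphabet, length)
        result[name] = (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
    return result


if __name__ == "__main__":
    for name, (bits, years) in compare_policies().items():
        print(f"{name:26s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
    print("lowercase length for 80 bits:", min_length_for_bits(LOWER, 80))
    print("printable length for 80 bits:", min_length_for_bits(PRINTABLE, 80))
```

Sixteen lowercase letters already outscore eight characters drawn from the full printable set, and reaching 80 bits takes 18 lowercase letters versus 13 mixed ones: the richer alphabet saves only five keystrokes, which a memorable longer phrase makes up for easily.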