Ubuntu: What are the reasons to have a strong password at home?



Question:

For a typical home PC the security situation is the following:

  • No servers running, not even SSH. The firewall is ufw running in simple mode: all outgoing allowed, all incoming denied. Torrents and DC++ may be running. It may often be behind a router without port forwarding.
  • All sensitive or valuable information is already available for reading and writing by the user and resides in his /home.
  • Physical presence of an attacker is impossible (by impossible I mean that if an attacker is present near the PC, the PC is the least concern in that situation).
  • Being a specific target of a skilled attacker is astronomically improbable.
  • DE with autologin enabled.

Question: In the situation described, what vectors of attack are there in which the strength of the user password is relevant? Does, for example, a malicious web site have a chance to attempt bruteforcing? If, for example, the user runs a malicious script, would it not be much easier for it to put itself in autorun and wait for the user to use sudo than to do bruteforcing? Why would it need root at all - all the fun things are already available?

I want to make a weighted decision about the password length. I am actively converting people to Linux and typing passwords scares them. Typing a secure password a lot annoys me too. It is just stupid to have a password when nobody will ever try to force it or steal the hash.


Solution:1

Attack vectors:

  1. Behind a NAT router (most are nowadays) fat chance of anyone getting in. And ufw running as well: even less chance... Without a NAT router: it's just software, not hardware. Software can be hacked especially if automatic updates are off.
  2. Physical access: Indeed, you're right. The password is the least of your concerns while the attacker is there. However if he steals the computer, it is nice to know that none of your data can be seen by the thief. (encrypted home directory minimum, or better: full TrueCrypt). These people don't have technical skills and an encrypted computer is worth less on the black market.
  3. LAN: Well, if you're not going to enter any password on the PC why protect the WiFi then? Open it all up! >:) Put the router in the corridor so people can plug in their LAN cables while you're at it! ;) :D
  4. "Easy-to-guess-passwords":

    Definitely avoid your country's top 100 passwords.

    I told my mother to use the name of the street she lived in as a child (not really but something as easy for her to remember) and then add 4 exclamation marks... She actually likes typing her password. :-)

  5. To know how security-conscious people are, ask them the following two questions:

    A. Do you close your front door with a key?

    B. Do you close your curtains?

    If the answer to both questions is "No", then don't give them any password, but if one of the questions is answered by "yes", help them protect themselves by giving them a long password! (Remember: in cracking, length is important, not complexity!)
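The length-versus-complexity point in Solution 1, worked through as an added example (not part of the original answer). It models exhaustive search only; the `COMMON` list, the guess rate and the function names are assumptions made for illustration.

```python
import math
import string

# Constructed stand-in for a "top 100" list; a real check would load a full one.
COMMON = {"123456", "password", "qwerty", "111111", "letmein"}

# Character classes an exhaustive search would have to enumerate.
CLASSES = [
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
]

def alphabet_size(password):
    """Combined size of every character class the password draws from."""
    allowed = "".join(CLASSES)
    if not password or any(c not in allowed for c in password):
        raise ValueError("model covers non-empty printable-ASCII passwords only")
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))

def brute_force_bits(password):
    """log2 of the candidates an exhaustive search over that alphabet covers."""
    return len(password) * math.log2(alphabet_size(password))

def assess(password, guesses_per_second=1e10):
    """Return (bits, years to exhaust), or (0.0, 0.0) for a listed password.

    guesses_per_second is an assumed offline cracking rate, not a measurement.
    The result is an upper bound: dictionary words and names fall much faster.
    """
    if password.lower() in COMMON:
        return 0.0, 0.0
    bits = brute_force_bits(password)
    years = 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)
    return bits, years

if __name__ == "__main__":
    # Constructed sample passwords: short and complex, long and simple, listed.
    for pw in ("k7#Qz!2p", "maplegrovestreet", "elmstreet!!!!", "Password"):
        bits, years = assess(pw)
        print(f"{pw!r:20} {bits:6.1f} bits  {years:.3g} years")
```
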


Solution:2

Not a lot. A threat might be a malicious website that installs software on your system that includes something that probes for your sudo password and sends it out to the world. But a modern browser will prompt you if something tries to install software. And the average Linux user tends to be more informed than the average Windows user. Plus there is also the idea that we should know where to go and where not to go. In general Linux users do not download from random websites. We use the repositories and can assume these are safe.

Addition: if you want to convert users to Linux there is one thing you should teach these users. Force them to use the Ubuntu Software Center and warn them not to search for installation files on the web. The biggest reason for viruses on Windows is the fact of visiting nasty websites and downloading malicious installation files. Using the Ubuntu Software Center will reduce that risk a lot.

Just an idea: the one big threat we have is when someone manages to install corrupted software into the Ubuntu repositories. If someone gets something malicious accepted into the repositories like an altered Chrome or Firefox we are all screwed. Is that likely to happen? Naaa.

Even running local services would not matter. A local webserver with no outside connection enabled (i.e. running on localhost) will be safe. Only if you run it non-locally will you be taking a risk: the scripts created to run your website might be flawed. But I would not call that a home computer anymore.

Your 1st and best safeguard on a home system is your router.

And if you are scared it is always the better option to make regular backups where you detach that hard disk from your system when not making backups.

If an attacker has physical access you are in trouble on a normal system. One reboot into a live DVD and your sudo password can be changed. Encrypting the disk would be an option. But that will not prevent a formatting.
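The difference Solution 2 draws between a service bound to localhost and one bound to an outside-facing address can be checked from the listening-socket table. This is an added example, not part of the original answer: the `ss -H -tln` output below is constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (no header line).
SAMPLE = """\
LISTEN 0      128        127.0.0.1:631       0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      128            [::1]:631          [::]:*
LISTEN 0      511             [::]:8080         [::]:*
"""

def parse_listeners(text):
    """Return (host, port) for every LISTEN row in `ss -H -tln` output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # The local address is the 4th column; the port follows the last colon.
        host, _, port = fields[3].rpartition(":")
        # Drop IPv6 brackets and any %interface scope suffix.
        host = host.strip("[]").split("%")[0]
        listeners.append((host, int(port)))
    return listeners

def is_loopback(host):
    """True only for addresses in 127.0.0.0/8 or ::1; '*' means every address."""
    if host == "*":
        return False
    return ipaddress.ip_address(host).is_loopback

def exposed_ports(text):
    """Ports bound to a non-loopback address, i.e. not localhost-only."""
    return sorted({p for h, p in parse_listeners(text) if not is_loopback(h)})

def local_only_ports(text):
    """Ports whose listeners are all bound to loopback addresses."""
    every = {p for _, p in parse_listeners(text)}
    return sorted(every - set(exposed_ports(text)))

if __name__ == "__main__":
    print("bound beyond localhost:", exposed_ports(SAMPLE))
    print("localhost only:        ", local_only_ports(SAMPLE))
```

A port in the first list is only bound beyond localhost; whether it is reachable still depends on ufw and the router.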

