LinuxQuestions.org
Old 06-11-2006, 12:33 PM   #1
Lotharster
Member
 
Registered: Nov 2005
Posts: 144

Rep: Reputation: 18
How long should the root password be?


I'm wondering how long the root password should be?

I'm running a desktop computer which is connected to the internet almost all the time. Which password length would you recommend? What would you recommend for a high-value server?

Currently, I'm using a random alphanumeric password (a-z, 0-9) with 8 characters, which yields a password strength of about 40 bits. Do you think that is enough?

Regards,

Lotharster
 
Old 06-11-2006, 12:58 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
8-character alphanumeric is really the bare minimum IMHO. Including some type of punctuation or special character significantly helps to increase the complexity of a brute-force attack as well. It's also very important to have your passwords be reasonably random and not be simple variations of dictionary words; things like 'password1' or 'abcd1234' would be exceptionally poor.

If you are going to allow any kind of remote access (like ssh) I'd also highly recommend that you configure the authentication on the system so that you cannot directly login as root, but instead are required to login as a normal user and su to root.
 
Old 06-11-2006, 01:36 PM   #3
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Mint, MX, antiX, SystemRescue
Posts: 2,337

Rep: Reputation: 358
The passwords I use now for all accounts (not just root) are typically 10-12 characters long. I could not even write down my passwords for you. I create them more with "motions" and "rhythms" on the keyboard. More like playing the piano than typing words. I do have a phrase in my head that helps me remember how to get started typing, but that phrase does not directly come out in the password. I rhythmically hit the SHIFT key during typing to get an upper/lowercase mix, and I rhythmically "reach higher" on the keyboard (by this I mean my memorized phrase might make me think of a "t", but I reach higher and get a "6" or "^" on the upper key row instead). You can get some really good random passwords this way.

But I did run into a downside once. I cut my finger and had a bandaid on it. This screwed up my "finger memory" and made it a little tough to get the password entered!
 
Old 06-11-2006, 02:02 PM   #4
Lotharster
Member
 
Registered: Nov 2005
Posts: 144

Original Poster
Rep: Reputation: 18
Thanks for your replies, now I have one more question:

What kinds of attacks against my root-password should I guard against?
I've disabled ssh-root login as well as password authentication, so how could a "bad guy" try to hack into my root-account?

Regards,

Lothar
 
Old 06-11-2006, 02:04 PM   #5
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Mint, MX, antiX, SystemRescue
Posts: 2,337

Rep: Reputation: 358
A few more things to consider for a desktop, assuming it is only you or a very limited set of people needing access:

---

Open up one and only one port on your system ... port 22 ... ssh. Firewall out everything else, and configure required services to listen only on the localhost adapter if possible. If you want to access any of these other services you will need to use an ssh tunnel.

Research what they do, and consider using the following options in sshd_config (NOTE: I only allow pubkey authentication, so NO password guessing!)
Code:
# Listen on all IPv4 addresses; narrow this to one interface where possible
ListenAddress 0.0.0.0
# Ignore ~/.rhosts and ~/.shosts
IgnoreRhosts yes
# No direct root login: log in as a normal user and su to root
PermitRootLogin no
# Only these accounts may log in at all
AllowUsers <userid1> <userid2>
# SSH protocol 2 only
Protocol 2
# VERBOSE records the fingerprint of the key used for each login
LogLevel VERBOSE
UsePrivilegeSeparation yes
# Public keys are the only credential accepted; everything below switches the rest off
PubkeyAuthentication yes
# protocol-1 RSA keys and rhosts-style host trust
RSAAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
UseLogin no
UsePAM no
Consider using an "adaptive firewall". I believe this term was originally coined by Bob Toxen in his book on Linux security, but I may be wrong in crediting him the origins. Basically you spawn a script from hosts.allow that can quickly create tcpwrapper rules or iptables rules to lock out crackers. Bob's implementation of this is named "Cracker Trap". I wrote my own, to meet my personal needs, after recently attending a class taught by Bob.
 
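An added example of the "adaptive firewall" idea described in the post above (illustrative code of my own, not Bob Toxen's Cracker Trap and not haertig's script): a hook that tcpwrappers spawns once per connection, which counts hits per client address inside a time window and appends a `sshd: <ip>` line to hosts.deny once a client crosses the threshold. The paths, environment variables, threshold and window are this example's assumptions. The hosts.allow line that would invoke it is shown in the docstring; `%a` is expanded by tcpwrappers to the client address.

```python
#!/usr/bin/env python3
"""Minimal adaptive-firewall hook (added example, not from the thread).

Assumed installation: /usr/local/sbin/adaptive-ban, called from /etc/hosts.allow as

    sshd : ALL : spawn /usr/local/sbin/adaptive-ban %a &

spawn lets the connection through but runs the command with %a expanded to the
client address; once a client exceeds THRESHOLD hits inside WINDOW seconds it is
written to hosts.deny, which tcpwrappers consults on the next connection.
"""
import ipaddress
import os
import sys
import time
from pathlib import Path
from typing import Optional

# Defaults are assumptions for this example; override via environment.
STATE_DIR = Path(os.environ.get("ADAPTIVE_STATE_DIR", "/var/lib/adaptive-ban"))
DENY_FILE = Path(os.environ.get("ADAPTIVE_DENY_FILE", "/etc/hosts.deny"))
THRESHOLD = int(os.environ.get("ADAPTIVE_THRESHOLD", "5"))
WINDOW = int(os.environ.get("ADAPTIVE_WINDOW", "600"))  # seconds


def parse_client(addr: str) -> str:
    """Validate %a: the value comes from the network, and we use it as a file
    name and write it into hosts.deny, so anything but an IP is refused."""
    return str(ipaddress.ip_address(addr.strip()))   # ValueError on garbage


def record_hit(state_dir: Path, ip: str, now: float, window: int) -> int:
    """Append this hit, forget hits older than window, return the live count."""
    state_dir.mkdir(parents=True, exist_ok=True)
    f = state_dir / ip
    hits = []
    if f.exists():
        hits = [float(t) for t in f.read_text().split() if float(t) >= now - window]
    hits.append(now)
    f.write_text("\n".join(f"{t:.0f}" for t in hits) + "\n")
    return len(hits)


def is_banned(deny_file: Path, ip: str) -> bool:
    if not deny_file.exists():
        return False
    return any(line.strip() == f"sshd: {ip}" for line in deny_file.read_text().splitlines())


def ban(deny_file: Path, ip: str) -> bool:
    """Append one tcpwrapper deny rule; return True if a new rule was written."""
    if is_banned(deny_file, ip):
        return False
    with deny_file.open("a") as fh:
        fh.write(f"sshd: {ip}\n")
    return True


def handle_client(addr: str, now: Optional[float] = None, *,
                  state_dir: Path = STATE_DIR, deny_file: Path = DENY_FILE,
                  threshold: int = THRESHOLD, window: int = WINDOW) -> bool:
    """Entry point for the spawn rule; True if the client is (now) banned."""
    ip = parse_client(addr)
    now = time.time() if now is None else now
    if record_hit(state_dir, ip, now, window) >= threshold:
        ban(deny_file, ip)
        return True
    return False


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: adaptive-ban <client-ip>")
    try:
        sys.exit(0 if handle_client(sys.argv[1]) else 1)
    except ValueError as exc:
        sys.exit(f"refusing bad client address: {exc}")
```

Two points to weigh before deploying something like this. The client address is attacker-controlled input, so it is parsed with `ipaddress` before it becomes a file name or a hosts.deny entry. And a spawn rule only fires for connections that tcpwrappers sees: OpenSSH dropped libwrap support in 6.7, so on a current system the same counting logic has to consume auth-log lines and add an iptables/nftables rule instead of writing hosts.deny.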
Old 06-11-2006, 02:39 PM   #6
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Mint, MX, antiX, SystemRescue
Posts: 2,337

Rep: Reputation: 358
Quote:
Originally Posted by Lotharster
What kinds of attacks against my root-password should I guard against?
Attacks attempt to gain a root shell on your system. Guessing a root password is one way, but there are other ways to gain access without needing to know the password.

Quote:
I've disabled ssh-root login as well as password authentication, so how could a "bad guy" try to hack into my root-account?
Unfortunately, there are many more ways to crack into a system than I could tell you (I know of a few, but certainly not all). What you've done so far is a great initial step. Make sure you also turn off all unneeded services! Put strong passwords on every account. For accounts that never need direct shell access, turn it off in /etc/passwd. Here's an example of how this is done for sshd on my system (the shell is specified as "/bin/false"):
Code:
sshd:x:101:65534::/var/run/sshd:/bin/false
After you've done the above, you're in better shape than many people. Now start reading some books and go after closing the more subtle holes.

A good book, that will probably scare the pants off you, is "Hacking Exposed" (5th edition - I think is the current one). There are other books in the "Hacking ... Exposed" series but I have not read them yet. Another good book is the one I mentioned earlier by Bob Toxen - "Real World Linux Security" (2nd edition).
 
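An added example (not from the thread) that applies the /etc/passwd advice above to a whole file: it parses passwd(5) rows from a constructed sample and reports service accounts that still carry a login shell, accounts whose password field is empty, and any second uid-0 account. The sample lines, the set of non-login shells and the 999 system-uid boundary are assumptions of this example.

```python
#!/usr/bin/env python3
"""Audit passwd(5) content for accounts that should not be able to log in."""
import sys
from typing import Dict, List

# Constructed sample for the example; not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:101:65534::/var/run/sshd:/bin/false
backup:x:34:34:backup:/var/backups:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
guest::1001:1001:guest:/home/guest:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Shells that refuse an interactive login (assumed list).
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin",
                  "/usr/sbin/nologin", "/bin/sync"}
# Highest uid treated as a service account; Debian-style convention, adjust per distro.
SYSTEM_UID_MAX = 999


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Parse passwd lines into dicts; skip blanks, comments and malformed rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        rows.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                     "gecos": gecos, "home": home, "shell": shell})
    return rows


def audit_passwd(text: str, system_uid_max: int = SYSTEM_UID_MAX) -> List[str]:
    """Return one finding per problem: empty password field, extra uid-0 account,
    service account with a real login shell."""
    findings = []
    for r in parse_passwd(text):
        if r["pw"] == "":
            findings.append(f"{r['name']}: empty password field (no password required)")
        if r["uid"] == 0 and r["name"] != "root":
            findings.append(f"{r['name']}: uid 0 but not root")
        if (r["uid"] <= system_uid_max and r["name"] != "root"
                and r["shell"] not in NOLOGIN_SHELLS):
            findings.append(f"{r['name']}: service account with login shell {r['shell']}")
    return findings


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for finding in audit_passwd(src):
        print(finding)
```

Run it with a path argument to audit a real file. On the sample it flags backup and www-data (service accounts with /bin/sh and /bin/bash), toor (uid 0 and a shell) and guest (empty password field), while sshd with /bin/false, daemon with nologin, root and alice pass. To actually remove a shell, prefer `usermod -s /usr/sbin/nologin <name>` over editing /etc/passwd by hand; nologin prints a refusal while /bin/false, as in haertig's sshd line, simply exits, and either blocks an interactive login.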
Old 06-11-2006, 11:08 PM   #7
javaroast
Member
 
Registered: Apr 2005
Posts: 131

Rep: Reputation: 19
Wow, you guys are all into some major overkill. I just use the password "password" on all my accounts. That really helps me to never forget my password.
 
Old 06-12-2006, 03:29 AM   #8
jayakrishnan
Member
 
Registered: Feb 2002
Location: India
Distribution: Slacky 12.1, XP
Posts: 992

Rep: Reputation: 30
More than the length, it's the complexity of the password that matters a lot: "22usc336" is better than "abracadabra".
 
Old 06-14-2006, 09:48 AM   #9
phsythax
Member
 
Registered: Oct 2005
Location: Denmark
Distribution: Gentoo & XP pro for gaming
Posts: 152

Rep: Reputation: 30
Quote:
Originally Posted by jayakrishnan
More than the length, it's the complexity of the password that matters a lot: "22usc336" is better than "abracadabra".
Don't forget special characters: /()&¤"!@{[]?`´''*"';:

Always have the 3 types:
text (lower AND upper case)
numbers
special characters
 
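The password-strength figures traded in this thread (the OP's 40 bits for 8 alphanumeric characters, haertig's 10-12 characters, and the "complexity beats length" claim in the last two posts), worked through as an added example that is not from any poster: it computes the entropy of a uniformly random password over a given alphabet, the length needed to reach a target, the expected brute-force time at a guess rate, and generates a password with Python's `secrets` module. The character sets, the two guess rates and the 80-bit target are this example's own assumptions, not figures from the thread.

```python
#!/usr/bin/env python3
"""Password entropy and generation (added example, not from the thread)."""
import math
import secrets
import string

# Character classes discussed in the thread (assumed sizes: 36, 26, 62, 94).
ALNUM_LOWER = string.ascii_lowercase + string.digits                   # a-z, 0-9
LOWER = string.ascii_lowercase
MIXED_ALNUM = string.ascii_letters + string.digits
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password whose characters are drawn uniformly and
    independently from alphabet_size symbols: log2(alphabet_size ** length)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one character")
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length at which a uniformly random password reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate(alphabet: str, length: int) -> str:
    """Draw each character with the CSPRNG-backed secrets module; a repeated
    symbol in the alphabet would bias the draw, so it is rejected."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not repeat symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_years_to_brute_force(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password (half the keyspace) at a guess rate."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    cases = [
        ("8 chars, a-z0-9 (the OP's scheme)", 36, 8),
        ("8 chars, all printable ASCII", 94, 8),
        ("12 chars, lowercase only", 26, 12),
        ("12 chars, mixed-case alnum", 62, 12),
    ]
    # Assumed rates: a throttled online guesser vs. an offline hash cracker.
    for label, n, k in cases:
        bits = entropy_bits(n, k)
        print(f"{label:36s} {bits:5.1f} bits  "
              f"online 10/s: {expected_years_to_brute_force(bits, 10):9.2e} y  "
              f"offline 1e10/s: {expected_years_to_brute_force(bits, 1e10):9.2e} y")
    need = min_length_for_bits(36, 80)
    print(f"a-z0-9 length for 80 bits: {need}, e.g. {generate(ALNUM_LOWER, need)}")
```

Running it shows that 12 random lowercase letters (about 56 bits) beat 8 characters drawn from all 94 printable symbols (about 52 bits): each added character multiplies the keyspace, while widening the alphabet only adds a constant per character. Two caveats for reading the numbers. They hold only for passwords drawn uniformly at random, so a human-chosen pattern such as "22usc336" or a keyboard "rhythm" is worth far less than the table suggests against a dictionary-and-mangling attack. And on a host where SSH password authentication is off, the figure that matters is the offline rate against a leaked /etc/shadow hash, not the online rate.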