For a typical home PC the security situation is as follows:
- No servers running, not even SSH. Firewall is `ufw` running in simple mode: all outgoing allowed, all incoming denied. Torrents and DC++ maybe. May often be behind a router without port forwarding.
- All sensitive or valuable information is already available for read and write to the user and resides in his `/home`.
- Physical presence of an attacker is impossible (by impossible I mean that if an attacker is present near the PC, the PC is the least concern in that situation).
- Being a specific target of a skilled attacker is astronomically improbable.
- DE with autologin enabled.
Question: In the situation described, what vectors of attack are there in which the strength of the user password is relevant? Can, for example, a malicious web site have a chance to attempt brute-forcing? If, for example, the user runs a malicious script, would it not be much easier for it to put itself in autorun and wait for the user to use `sudo` than to do brute-forcing? Why would it need root at all – all the fun things are already available?
I want to make a weighted decision about the password length. I am actively converting people to Linux and typing passwords scares them. Typing a secure password a lot annoys me too. It is just stupid to have a password when nobody will ever try to force it or steal the hash.
Best Answer
Attack vectors:
"Easy-to-guess passwords":
Definitely avoid your country's top 100 passwords.
I told my mother to use the name of the street she lived in as a child (not really, but something as easy for her to remember) and then add 4 exclamation marks... She actually likes typing her password. :-)
To know how security-conscious people are, ask them the following two questions:
A. Do you close your front door with a key?
B. Do you close your curtains?
If the answer to both questions is "No", then don't give them any password; but if either question is answered with "Yes", help them protect themselves by giving them a long password! (Remember: in cracking, length is important, not complexity!)
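To put numbers behind the "length, not complexity" point and the question's online-versus-offline distinction, here is an added example (not part of the question or the answer above). The guess rates are constructed assumptions for illustration, not measured figures, and `dictionary_bits` models the case where the attacker already knows the password pattern (e.g. "street name + !!!!"), so only the unpredictable part counts.

```python
import math

# Constructed attacker models (assumptions, not measured figures).
GUESS_RATES = {
    "online login prompt, throttled": 10.0,        # guesses per second
    "offline cracking of a leaked fast hash": 1e10,
}

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space for a password chosen uniformly at random
    from alphabet_size ** length possibilities (the brute-force model)."""
    return length * math.log2(alphabet_size)

def dictionary_bits(candidate_count: int) -> float:
    """Bits when the attacker knows the pattern and only has to try a list
    (e.g. every street name in the country); a fixed suffix adds nothing."""
    return math.log2(candidate_count)

def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly chosen secret: half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second

def years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)

def compare(policies: dict, rates: dict = GUESS_RATES) -> dict:
    """For each policy name -> (alphabet_size, length), return its bits and
    the expected cracking time in years under each attacker model."""
    report = {}
    for name, (alphabet, length) in policies.items():
        bits = keyspace_bits(alphabet, length)
        report[name] = {"bits": bits}
        for rate_name, rate in rates.items():
            report[name][rate_name] = years(expected_seconds(bits, rate))
    return report

# Constructed policies: a short "complex" password versus long plain ones.
POLICIES = {
    "8 chars, full printable ASCII (95 symbols)": (95, 8),
    "16 lowercase letters": (26, 16),
    "20 lowercase letters": (26, 20),
}

if __name__ == "__main__":
    for name, row in compare(POLICIES).items():
        print(f"{name}: {row['bits']:.1f} bits")
        for rate_name in GUESS_RATES:
            print(f"  {rate_name}: {row[rate_name]:.3g} years")
    # A known pattern collapses to the list size regardless of length:
    print(f"one of 50,000 street names + '!!!!': {dictionary_bits(50_000):.1f} bits")
```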