set up a root password

Nigel Henry cave.dnb2m97pp at aliceadsl.fr
Tue Aug 5 21:17:11 UTC 2008


On Tuesday 05 August 2008 21:30, Derek Broughton wrote:
> Nigel Henry wrote:
> > and find myself entering my usual root password,
>
> tsk, tsk... :-)

Yes, I know, I know. Probably my situation is a bit different to most users in 
that I have more than 20 distros installed on my 3 machines. Not having a 
photographic memory, and not wanting to set up different root passwords for 
all of them, and having to consult a notebook for the password every time I 
boot up a distro, and want to get root access, I find myself with one root 
password. Yes I should change it from time to time just in case.

Being on dialup, with dynamic IP addresses, and not running any Internet 
accessible servers, I'm sort of kidding myself that all is ok, but perhaps 
could be more security conscious.


>
> > Personally I believe that having a separate root password (which I would
> > expect to be more complex, than a plain old user one) is a good idea,
>
> Not if you're using a "...usual root password".

In my case yes, as I use the same root password for all distros. Not a good 
idea to be sure.
>
> > as
> > on most of my distros, and does give an extra step that a potential
> > hacker has to go through to get into your machine, but I suppose if they
> > are determined to get in, they will find a way.
>
> It doesn't give an extra step.  They already _know_ the user name, they
> only have to guess your password.  Why would it be more complex than a
> "plain old user one"?  Passwords are as complex as the user makes them, and
> if the user is the sole administrator, the user password is likely to be
> exactly as complex as the root password.

I'm comparing many other distros here that have a separate root password. The 
hacker may know your user name, and perhaps the password is a simple one. 
With Ubuntu/Kubuntu the hacker can now try sudo with the user password that 
he has discovered, and is into the inner works of the machine.

With other distros, the potential hacker may well find your user password, but 
then has to find the root password to gain access to the machine, unless he 
just wants to mess with your user space. I would always suggest creating a 
non dictionary based password to gain access to root, but can't see your 
usual Ubuntu/Kubuntu user creating some complex non dictionary based password 
to login to Gnome/Kde, thus making it more difficult for a potential hacker 
to gain access.

This is not any criticism of Ubuntu/Kubuntu. I'm happy to work with it as is, 
and as regards my root passwords for my other distros, I must get around to 
changing them from time to time.

These are serious, but at the same time lighthearted comments. No flame 
intended, just observations.

Nigel.
> --
> derek




More information about the kubuntu-users mailing list