Security of using sudo rather than su?

Adam Funk a24061 at
Fri Sep 15 13:22:35 UTC 2006

On 2006-09-14, Tony Arnold <tony.arnold at> wrote:

> But then there is the human element, as always! The stricter the policy,
> the more likely it is that users will forget their passwords, thus
> potentially creating more calls to the support desks, or will write them
> on a Post-It (tm) note and stick it on their monitor. So one has to have
> the right balance to manage these issues.

I heard part of a funny skit on the radio (BBC Radio 4, I think) a few
years ago, in which the IT technician assured someone that 

  "I've upgraded everything on your computer and added military-grade
  encryption, so it will be *totally* secure for the next 15 minutes."

  "Why 15 minutes?"

  "That's when you'll write the password on a Post-It note and stick it
  under your desk."  [Post-It is of course a trademark of 3M. -Ed.]

> The idea of changing passwords on a regular basis was apparently based
> on how long it would take to crack a password using brute force
> techniques. Unfortunately, it appears that some of the recommendations
> are based on crack time of twenty years ago, when the time needed was
> several months. With modern technology, the times are down to under an
> hour, so to beat that, we would have to change our passwords every 30
> minutes or so!

I'm sure I've read that frequent password rotation has a much worse
effect (on what users do) than requiring strong passwords, but I can't
find it now.  (I thought it was on The Register.)

More information about the ubuntu-users mailing list