security questions...

All Gurus once were Newbies
Forum rules
There are no such things as "stupid" questions. However if you think your question is a bit stupid, then this is the right place for you to post it. Please stick to easy to-the-point questions that you feel people can answer fast. For long and complicated questions prefer the other forums within the support section.
Before you post please read how to get help
avinator
Level 1
Level 1
Posts: 23
Joined: Fri Oct 27, 2017 10:58 pm

security questions...

Post by avinator » Fri May 18, 2018 12:00 am

Should I set a root password ? If someone has access to my machine, how easy is it to break in on a 25 + char / nbrs / symbols password ?
Can they reset my password using root if root dosen't have a password ? is my home folder "safe" ?

I'm coming from OSX and with their OS, it's nearly impossible to "break in" unless you have the password.

Is mint as secure ?

User avatar
shawnhcorey
Level 3
Level 3
Posts: 191
Joined: Thu Jun 17, 2010 11:23 am
Location: The Great White North
Contact:

Re: security questions...

Post by shawnhcorey » Fri May 18, 2018 6:27 am

Do not set the root password. You can do everything you need using sudo. Open the Control Center and choose Users and Groups from the Administration section. Check on the Advanced Settings button and enter your password at the prompt. In the next window, click on the User Privileges tab and check every box. You now have full privileges to do everything.

BTW, when you entered your password for the Advanced Settings, you use sudo.
Don't stop where the ink does.

User avatar
karlchen
Level 19
Level 19
Posts: 9416
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: security questions...

Post by karlchen » Fri May 18, 2018 6:54 am

Hello, avinator.

Your password will be almost unbreakable. (Might take months or years to break it using brute force.)
BUT:
If someone has got physical access to your machine and if it is possible to power on your machine without having to enter a Bios password, then it will be possible, too, to boot the machine using a Linux live system e.g.
Once such a Linux live system has been booted, it will be possible to mount the filesystems on your harddisk and have full access to everything on the harddisk.

If someone has got physical access to your machine, but powering up the machine can only be done by also entering a Bios password, in this case booting the machine using a live system will not be feasible without knowing the Bios password.
Yet, it will be easy to remove the harddisk from the computer. The thief can attach the harddisk to another machine and will have got full access to its content.

The only way of preventing access to your data efficiently, is encryption: you have to encrypt your home directory and its content or you have to use full disk encryption.
In this case having physical access to your machine and to your harddisk will not help, unless the password is also known, which is needed to unencrypt.

Best regards,
Karl
Image
Linux Mint 18.1 64-bit Cinnamon Desktop, Total Commander 9.21a 64-bit
Ubuntu 18.04.1 32-bit Mate Desktop, Total Commander 9.21a 32-bit
Windows? - 1 window in every room

User avatar
Pepi
Level 5
Level 5
Posts: 716
Joined: Wed Nov 18, 2009 7:47 pm

Re: security questions...

Post by Pepi » Fri May 18, 2018 8:44 am

Set the root password by Pjotr wrote:Set the root password
1.3. In Linux Mint 18.3, the root password is unfortunately no longer set by default.

This means that a malicious person with physical access to your computer, can simply boot it into Recovery mode. In the recovery menu he can then select to launch a root shell, without having to enter any password. After which your system is fully his.

He can then do all kinds of nasty things. Like changing your own password....

This is how to fix it, by setting a password for root (preferably identical to your own password):

Launch a terminal window.
(You can launch a terminal window like this: *Click*)

Copy/paste the following line into the terminal:

sudo passwd

Press Enter. Type your password when prompted; this will remain entirely invisible, not even asterisks will show when you type it, which is normal.

Note: I advise to make the root password ("UNIX password") identical to your own, in order to prevent problems later on.

That's it! Problem solved.

For good measure: a bad guy with physical access to your computer, also has other means to acquire root authority on your computer. So this fix certainly doesn't make your computer completely safe: physical access always remains a risk.

What this fix does, is blocking one much too easy way to get such unauthorized root access. Which increases security somewhat.
Last edited by karlchen on Fri May 18, 2018 9:13 am, edited 2 times in total.
Reason: Marked the complete text as a quote of Pjotr's advice, given here: https://sites.google.com/site/easylinuxtipsproject/security#TOC-Set-the-root-password

User avatar
karlchen
Level 19
Level 19
Posts: 9416
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: security questions...

Post by karlchen » Fri May 18, 2018 9:07 am

Hi, Pepi.

Thanks for quoting Pjotr's article on how to re-enable and protect the root account by assigning a password to it. :)

Once this has been achieved, a person who has got physical access to the machine, will have the following ways of accessing the system nonetheless ... Cf. post above. :(

Best regards,
Karl
Image
Linux Mint 18.1 64-bit Cinnamon Desktop, Total Commander 9.21a 64-bit
Ubuntu 18.04.1 32-bit Mate Desktop, Total Commander 9.21a 32-bit
Windows? - 1 window in every room

User avatar
Faust
Level 4
Level 4
Posts: 431
Joined: Thu Jul 14, 2016 3:40 am

Re: security questions...

Post by Faust » Fri May 18, 2018 9:20 am

There is no " one-click-fix" to this problem .

People need to choose their defenses according to their perceived adversary .....
.... industrial espionage ( at conferences ? ) , LEA , family member , neighbor , fellow students in a dorm ?

An unattended device is very vulnerable , as mentioned in previous posts here , even if it is powered-off .
USB based attacks may still work ..... " Evil Maid " , Rubber-Ducky etc .

For those interested in further protection , at the " outer limits " of this semi paranoid stuff , check out " Haven "

https://theintercept.com/2017/12/22/sno ... ur-laptop/
" And so it goes " - Kurt Vonnegut
The modern reality and the satirical parody are rapidly converging .

altair4
Level 19
Level 19
Posts: 9276
Joined: Tue Feb 03, 2009 10:27 am

Re: security questions...

Post by altair4 » Fri May 18, 2018 9:21 am

I'm coming from OSX and with their OS, it's nearly impossible to "break in" unless you have the password.
OSX is a sudo based operating system just like Mint.

In order to edit a system file in macOS using say .. nano you have to preface the command with sudo as in:

Code: Select all

sudo nano /etc/hosts
Please add a [SOLVED] at the end of your original subject header if your question has been answered and solved.

User avatar
lsemmens
Level 6
Level 6
Posts: 1137
Joined: Wed Sep 10, 2014 9:07 pm
Location: Rural South Australia

Re: security questions...

Post by lsemmens » Fri May 18, 2018 10:35 am

If you want perfect security. Don't print anything, don't save anything, don't use a computer, or pencil and paper. Remember everything and then kill yourself, because you might talk, if tortured,

For the rest of us. Common sense prevails. What is so sensitive that you must protect it? That will determine the level of security that you apply, How, where. who has access, are the questions that need to be addressed by all of us. FYI my computers at home have no "security" per se, other than they all run LINUX. I even have some passwords stored somewhere accessible. The ONLY passwords that I do not have recorded anywhere are my Banking details. In 40 years, I have only seen ONE virus in the wild and NONE on my machines. For that fact I was a M$ user for most of those years having only recently migrating to Linux.
Kernel: 4.15.0-36-generic x86_64 bits: 64
Desktop: Cinnamon 3.8.9
Distro: Linux Mint 19 Tara

Laptop T4500 Dualcore 4Gb RAM
Server AMD Phenom 9650 - GEForce 9400GT 6Gb RAM
+ three other Linux Mint machines
Out of my mind - please leave a message

User avatar
smurphos
Level 8
Level 8
Posts: 2012
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher...

Re: security questions...

Post by smurphos » Fri May 18, 2018 11:29 am

So in summary.

Someone with physical access to your machine could

1) Dismantle the machine and swipe the hard drive and mount on another machine - mitigation - encryption.
2) Boot the machine from the installed OS and use the recovery GRUB option to try and gain root access - mitigation - BIOS password or set a root password.
3) Try and boot a live session from USB and mount your drives - mitigation - BIOS password or encryption.

Out of the box Linux is pretty secure against remote exploits in any case but should the user enable services (e.g. openSSH) that could provide a route in having a root password in this context brings the possibility of a successful brute force attack on the root user. My understanding is that not having a root password set in this context is safer as this effectively locks the root account entirely to remote access. The hacker could still attempt to brute force both a valid username and user password, but that is going to be much harder all else being equal.

Best solution - BIOS password and home-drive encryption with no root password. Suitably kooky username and decent user password. Be mindful of what you are doing if enabling server type services such as openSSH. Make use of UFW. Harden / sandbox your browsers.

Readers should be aware that if you originally installed 18.1 or below you have a root password set - unless you've specifically changed the root password since install it will be the same as you set your original user password when you first installed.

If the system was a fresh install of 18.2 or later you have no root password set.

KBD47
Level 7
Level 7
Posts: 1628
Joined: Fri Jul 29, 2011 12:03 am

Re: security questions...

Post by KBD47 » Fri May 18, 2018 12:06 pm

karlchen wrote:
Fri May 18, 2018 6:54 am
Once such a Linux live system has been booted, it will be possible to mount the filesystems on your harddisk and have full access to everything on the harddisk.
To piggyback on this for a moment--if someone can access files on your machine like this, can they get into Internet browser information? That would be my only concern, access to stored user names and passwords in Chrome or Firefox browsers. That could potentially get them banking information and access to paid accounts. If that is the case, everyone should use full disc encryption by default on any machine that they take out in the wild.

User avatar
smurphos
Level 8
Level 8
Posts: 2012
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher...

Re: security questions...

Post by smurphos » Fri May 18, 2018 12:32 pm

That's a good question - I know that Chrome/Chromium encrypt locally saved passwords via Gnome Keyring (so the user password is needed to decrypt). Firefox also states they are encrypted - I'm not sure if that's reliant on setting a Master Password in Firefox or not.

Re using browser saved passwords in general I'm not sure if this exploit has ever been fixed...basically widespread abuse of saved login credentials and autofill capabilities used by third-parties to collect usernames for tracking purposes. I stopped using browser saved password several years ago and stick to Keepass now. I stopped using all autofill capabilities at roughly the same time.

https://freedom-to-tinker.com/2017/12/2 ... -managers/

KBD47
Level 7
Level 7
Posts: 1628
Joined: Fri Jul 29, 2011 12:03 am

Re: security questions...

Post by KBD47 » Fri May 18, 2018 1:04 pm

smurphos wrote:
Fri May 18, 2018 12:32 pm
That's a good question - I know that Chrome/Chromium encrypt locally saved passwords via Gnome Keyring (so the user password is needed to decrypt). Firefox also states they are encrypted - I'm not sure if that's reliant on setting a Master Password in Firefox or not.

Re using browser saved passwords in general I'm not sure if this exploit has ever been fixed...basically widespread abuse of saved login credentials and autofill capabilities used by third-parties to collect usernames for tracking purposes. I stopped using browser saved password several years ago and stick to Keepass now. I stopped using all autofill capabilities at roughly the same time.

https://freedom-to-tinker.com/2017/12/2 ... -managers/
Thanks for that info!
I wonder if Privacy Badger and, or the tracker blocker in the newer Firefox stops this browser issue? If not, that is a big problem.
Glad to hear these browsers passwords are encrypted, though gnome keyring seems hit or miss with different distros and desktops. I'm using Debian 9 with MATE right now and it has not once asked me for a password launching Chromium, though I know other distros have in the past.

User avatar
karlchen
Level 19
Level 19
Posts: 9416
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: security questions...

Post by karlchen » Sat May 19, 2018 5:51 am

Hello, KBD47.

About encrypted passwords, saved by Firefox inside the Firefox user profile:

Yes, the passwords are encrypted. But this encryption is not really safe. You only need a running Firefox instance, which uses the (stolen) profile, which in turn holds the stored passwords. Firefox will happily use it and happily reveal the passwords in clear text, if you ask it to do so. :shock:

The only way to prevent unauthorized people from using Firefox to load your profile and decrypt the passwords for them, is by encrypting all passwords by a master password. I.e. the saved passwords will be encrypted using this master password. Without knowing the master password all other saved passwords in the Firefox profile will be inaccessible. No way of recovering them, in case you lose your master password.

In addition to my explanation, let me point you to the official Mozilla knowledge base: Master Password.
And how to Use a Master Password to protect stored logins and passwords.

Best regards,
Karl
Image
Linux Mint 18.1 64-bit Cinnamon Desktop, Total Commander 9.21a 64-bit
Ubuntu 18.04.1 32-bit Mate Desktop, Total Commander 9.21a 32-bit
Windows? - 1 window in every room

Hoser Rob
Level 12
Level 12
Posts: 4325
Joined: Sat Dec 15, 2012 8:57 am

Re: security questions...

Post by Hoser Rob » Sat May 19, 2018 7:34 am

karlchen wrote:
Sat May 19, 2018 5:51 am
... Yes, the passwords are encrypted. But this encryption is not really safe. You only need a running Firefox instance, which uses the (stolen) profile, which in turn holds the stored passwords. Firefox will happily use it and happily reveal the passwords in clear text, if you ask it to do so. :shock: ...
So will Chrome. Really, if someone else has physical access to a machine it's all over security wise.

Don't set a root password, use STRONG passwords (using quotes isnt enough eg.) on both your computer and router, and remember that using security tools you don't understand may make things worse.

KBD47
Level 7
Level 7
Posts: 1628
Joined: Fri Jul 29, 2011 12:03 am

Re: security questions...

Post by KBD47 » Sat May 19, 2018 10:02 am

karlchen wrote:
Sat May 19, 2018 5:51 am
Hello, KBD47.

About encrypted passwords, saved by Firefox inside the Firefox user profile:

Yes, the passwords are encrypted. But this encryption is not really safe. You only need a running Firefox instance, which uses the (stolen) profile, which in turn holds the stored passwords. Firefox will happily use it and happily reveal the passwords in clear text, if you ask it to do so. :shock:

The only way to prevent unauthorized people from using Firefox to load your profile and decrypt the passwords for them, is by encrypting all passwords by a master password. I.e. the saved passwords will be encrypted using this master password. Without knowing the master password all other saved passwords in the Firefox profile will be inaccessible. No way of recovering them, in case you lose your master password.

In addition to my explanation, let me point you to the official Mozilla knowledge base: Master Password.
And how to Use a Master Password to protect stored logins and passwords.

Best regards,
Karl
Storing passwords in clear text is really dumb on the part of Firefox. Firefox requires a password to sync to settings and passwords to start with, they should require that same sync password to be able to see passwords in clear text. Would be a simple solution. Not sure what they are thinking there.
Thanks for that info! Will check out the links.

KBD47
Level 7
Level 7
Posts: 1628
Joined: Fri Jul 29, 2011 12:03 am

Re: security questions...

Post by KBD47 » Sat May 19, 2018 10:04 am

Hoser Rob wrote:
Sat May 19, 2018 7:34 am

So will Chrome. Really, if someone else has physical access to a machine it's all over security wise.

Don't set a root password, use STRONG passwords (using quotes isnt enough eg.) on both your computer and router, and remember that using security tools you don't understand may make things worse.
More and more I'm thinking full disc encryption is the only smart move for any computer that leaves the house.

User avatar
GS3
Level 4
Level 4
Posts: 424
Joined: Fri Jan 06, 2017 7:51 am

Re: security questions...

Post by GS3 » Sat May 19, 2018 12:00 pm

Full Disk Encryption is, obviously, a good thing but it requires HDD and motherboard who support it. Most people would not change hardware just for that. I have a laptop with WIN XP for which I bought a HDD which supports FDE. It is still waiting for me to install it. Maybe I'll get around to it.

For most ordinary users there is no serious need to encrypt the OS and encrypting the user's files would be enough. In my WIN XP laptop I use PGP to encrypt a virtual HDD which holds all my personal files. The PGP keys are stored in a separate USB pendrive or a memory card. So, I need to insert the memory with the keys and then mount the virtual drive which holds all my files. When I am not using the computer the card is with me, not the laptop. If the laptop is stolen there is no risk of the files being accessed. Making a backup of the files is as simple as making a backup copy of the PGP file which holds the virtual disk. Simple, easy.

For websites and any other place which requires credentials I just do not understand the need for the browser or the system to remember my passwords. No way! I want to input the password myself each and every time. Anything else diminishes the security. I am not lazy for this and I do not understand how people can be so lazy about this. It's like leaving the key to your house under the welcome mat. Reminds me of the WPA WIFI routers with WPS. Yeah, great idea to make WPA virtually unbreakable and then, to make it easier, provide a back door which is trivial to break.
HP Compaq Elite 8300 CMT - Linux Mint 18.2 Sonya - Kernel 4.4.0-138-generic X64 - Cinnamon 3.4.4 - Nemo

User avatar
chazb
Level 4
Level 4
Posts: 209
Joined: Wed Nov 30, 2016 2:56 am
Location: Oklahoma

Re: security questions...

Post by chazb » Sun May 20, 2018 1:16 am

avinator wrote:
Fri May 18, 2018 12:00 am
Should I set a root password ? If someone has access to my machine, how easy is it to break in on a 25 + char / nbrs / symbols password ?
Can they reset my password using root if root dosen't have a password ? is my home folder "safe" ?

I'm coming from OSX and with their OS, it's nearly impossible to "break in" unless you have the password.

Is mint as secure ?
if you are the only person using your computer, no you don't have to. If there are other people using your computer, then yes you should, simply because they can, if you don't. That said, if you set one, (don't use it).

User avatar
Executioner
Level 3
Level 3
Posts: 102
Joined: Sat Feb 06, 2016 1:49 pm

Re: security questions...

Post by Executioner » Sun May 20, 2018 1:49 am

What about the addon LastPass? I've been using that with a master password of 15 characters.

I also make a backup copy of the passwords on a TXT file that is encrypted with WinZip AES 256 bit using a master password.

User avatar
GS3
Level 4
Level 4
Posts: 424
Joined: Fri Jan 06, 2017 7:51 am

Re: security questions...

Post by GS3 » Sun May 20, 2018 11:01 am

A really simple and unbreakable encryption system is by what is called the one time pad. No special software is needed. Take your text file holding all your passwords and XOR it with a file of random bits which is the key. Then you get as a result of the XOR operation an encrypted file. Without the key it is impossible to decrypt the file. Now take the encrypted file and XOR it with the key and the result is the original file. This, obviously is only practical for a limited number of files because for too many files it is unwieldy.

Generating a (key) file with random bits is extremely easy. There are random bit generators online but you can also take any compressed file (.jpg, .avi, .mpg, .mp3, .zip, etc.) cut off the header and you have quite some random bytes there. If you want even more randomness just XOR several of those files.

I have used this system with people who do not have any "proper" encrypting software or just to store information, including PGP keys. You can use as key any file generated for that purpose but you can also use any file of the OS or your own. You have thousands of MP3s or JPGs; just choose one and you can use it as the key. You can store it on your phone and someone would need to steal your computer and your phone *and* know the process of decrypting.
HP Compaq Elite 8300 CMT - Linux Mint 18.2 Sonya - Kernel 4.4.0-138-generic X64 - Cinnamon 3.4.4 - Nemo

Post Reply

Return to “Newbie Questions”