security questions...

[avinator]

Should I set a root password ? If someone has access to my machine, how easy is it to break in on a 25 + char / nbrs / symbols password ?
Can they reset my password using root if root dosen't have a password ? is my home folder "safe" ?

I'm coming from OSX and with their OS, it's nearly impossible to "break in" unless you have the password.

Is mint as secure ?

[shawnhcorey]

Do not set the root password. You can do everything you need using sudo. Open the Control Center and choose Users and Groups from the Administration section. Check on the Advanced Settings button and enter your password at the prompt. In the next window, click on the User Privileges tab and check every box. You now have full privileges to do everything.

BTW, when you entered your password for the Advanced Settings, you use sudo.

[karlchen]

Hello, avinator.

Your password will be almost unbreakable. (Might take months or years to break it using brute force.)
BUT:
If someone has got physical access to your machine and if it is possible to power on your machine without having to enter a Bios password, then it will be possible, too, to boot the machine using a Linux live system e.g.
Once such a Linux live system has been booted, it will be possible to mount the filesystems on your harddisk and have full access to everything on the harddisk.

If someone has got physical access to your machine, but powering up the machine can only be done by also entering a Bios password, in this case booting the machine using a live system will not be feasible without knowing the Bios password.
Yet, it will be easy to remove the harddisk from the computer. The thief can attach the harddisk to another machine and will have got full access to its content.

The only way of preventing access to your data efficiently, is encryption: you have to encrypt your home directory and its content or you have to use full disk encryption.
In this case having physical access to your machine and to your harddisk will not help, unless the password is also known, which is needed to unencrypt.

Best regards,
Karl

[Pepi]

Set the root password
1.3. In Linux Mint 18.3, the root password is unfortunately no longer set by default.

This means that a malicious person with physical access to your computer, can simply boot it into Recovery mode. In the recovery menu he can then select to launch a root shell, without having to enter any password. After which your system is fully his.

He can then do all kinds of nasty things. Like changing your own password....

This is how to fix it, by setting a password for root (preferably identical to your own password):

Launch a terminal window.
(You can launch a terminal window like this: *Click*)

Copy/paste the following line into the terminal:

sudo passwd

Press Enter. Type your password when prompted; this will remain entirely invisible, not even asterisks will show when you type it, which is normal.

Note: I advise to make the root password ("UNIX password") identical to your own, in order to prevent problems later on.

That's it! Problem solved.

For good measure: a bad guy with physical access to your computer, also has other means to acquire root authority on your computer. So this fix certainly doesn't make your computer completely safe: physical access always remains a risk.

What this fix does, is blocking one much too easy way to get such unauthorized root access. Which increases security somewhat.

[karlchen]

Hi, Pepi.

Thanks for quoting Pjotr's article on how to re-enable and protect the root account by assigning a password to it.

Once this has been achieved, a person who has got physical access to the machine, will have the following ways of accessing the system nonetheless ... Cf. post above.

Best regards,
Karl

[Faust]

There is no " one-click-fix" to this problem .

People need to choose their defenses according to their perceived adversary .....
.... industrial espionage ( at conferences ? ) , LEA , family member , neighbor , fellow students in a dorm ?

An unattended device is very vulnerable , as mentioned in previous posts here , even if it is powered-off .
USB based attacks may still work ..... " Evil Maid " , Rubber-Ducky etc .

For those interested in further protection , at the " outer limits " of this semi paranoid stuff , check out " Haven "

https://theintercept.com/2017/12/22/sno ... ur-laptop/

[altair4]

I'm coming from OSX and with their OS, it's nearly impossible to "break in" unless you have the password.

OSX is a sudo based operating system just like Mint.

In order to edit a system file in macOS using say .. nano you have to preface the command with sudo as in:

Code: Select all

sudo nano /etc/hosts

[lsemmens]

If you want perfect security. Don't print anything, don't save anything, don't use a computer, or pencil and paper. Remember everything and then kill yourself, because you might talk, if tortured,

For the rest of us. Common sense prevails. What is so sensitive that you must protect it? That will determine the level of security that you apply, How, where. who has access, are the questions that need to be addressed by all of us. FYI my computers at home have no "security" per se, other than they all run LINUX. I even have some passwords stored somewhere accessible. The ONLY passwords that I do not have recorded anywhere are my Banking details. In 40 years, I have only seen ONE virus in the wild and NONE on my machines. For that fact I was a M$ user for most of those years having only recently migrating to Linux.

[smurphos]

So in summary.

Someone with physical access to your machine could

1) Dismantle the machine and swipe the hard drive and mount on another machine - mitigation - encryption.
2) Boot the machine from the installed OS and use the recovery GRUB option to try and gain root access - mitigation - BIOS password or set a root password.
3) Try and boot a live session from USB and mount your drives - mitigation - BIOS password or encryption.

Out of the box Linux is pretty secure against remote exploits in any case but should the user enable services (e.g. openSSH) that could provide a route in having a root password in this context brings the possibility of a successful brute force attack on the root user. My understanding is that not having a root password set in this context is safer as this effectively locks the root account entirely to remote access. The hacker could still attempt to brute force both a valid username and user password, but that is going to be much harder all else being equal.

Best solution - BIOS password and home-drive encryption with no root password. Suitably kooky username and decent user password. Be mindful of what you are doing if enabling server type services such as openSSH. Make use of UFW. Harden / sandbox your browsers.

Readers should be aware that if you originally installed 18.1 or below you have a root password set - unless you've specifically changed the root password since install it will be the same as you set your original user password when you first installed.

If the system was a fresh install of 18.2 or later you have no root password set.

[KBD47]

Once such a Linux live system has been booted, it will be possible to mount the filesystems on your harddisk and have full access to everything on the harddisk.

To piggyback on this for a moment--if someone can access files on your machine like this, can they get into Internet browser information? That would be my only concern, access to stored user names and passwords in Chrome or Firefox browsers. That could potentially get them banking information and access to paid accounts. If that is the case, everyone should use full disc encryption by default on any machine that they take out in the wild.

[smurphos]

That's a good question - I know that Chrome/Chromium encrypt locally saved passwords via Gnome Keyring (so the user password is needed to decrypt). Firefox also states they are encrypted - I'm not sure if that's reliant on setting a Master Password in Firefox or not.

Re using browser saved passwords in general I'm not sure if this exploit has ever been fixed...basically widespread abuse of saved login credentials and autofill capabilities used by third-parties to collect usernames for tracking purposes. I stopped using browser saved password several years ago and stick to Keepass now. I stopped using all autofill capabilities at roughly the same time.

https://freedom-to-tinker.com/2017/12/2 ... -managers/

[KBD47]

That's a good question - I know that Chrome/Chromium encrypt locally saved passwords via Gnome Keyring (so the user password is needed to decrypt). Firefox also states they are encrypted - I'm not sure if that's reliant on setting a Master Password in Firefox or not.

Re using browser saved passwords in general I'm not sure if this exploit has ever been fixed...basically widespread abuse of saved login credentials and autofill capabilities used by third-parties to collect usernames for tracking purposes. I stopped using browser saved password several years ago and stick to Keepass now. I stopped using all autofill capabilities at roughly the same time.

https://freedom-to-tinker.com/2017/12/2 ... -managers/

Thanks for that info!
I wonder if Privacy Badger and, or the tracker blocker in the newer Firefox stops this browser issue? If not, that is a big problem.
Glad to hear these browsers passwords are encrypted, though gnome keyring seems hit or miss with different distros and desktops. I'm using Debian 9 with MATE right now and it has not once asked me for a password launching Chromium, though I know other distros have in the past.

[karlchen]

Hello, KBD47.

About encrypted passwords, saved by Firefox inside the Firefox user profile:

Yes, the passwords are encrypted. But this encryption is not really safe. You only need a running Firefox instance, which uses the (stolen) profile, which in turn holds the stored passwords. Firefox will happily use it and happily reveal the passwords in clear text, if you ask it to do so.

The only way to prevent unauthorized people from using Firefox to load your profile and decrypt the passwords for them, is by encrypting all passwords by a master password. I.e. the saved passwords will be encrypted using this master password. Without knowing the master password all other saved passwords in the Firefox profile will be inaccessible. No way of recovering them, in case you lose your master password.

In addition to my explanation, let me point you to the official Mozilla knowledge base: Master Password.
And how to Use a Master Password to protect stored logins and passwords.

Best regards,
Karl

[Hoser Rob]

... Yes, the passwords are encrypted. But this encryption is not really safe. You only need a running Firefox instance, which uses the (stolen) profile, which in turn holds the stored passwords. Firefox will happily use it and happily reveal the passwords in clear text, if you ask it to do so. ...

So will Chrome. Really, if someone else has physical access to a machine it's all over security wise.

Don't set a root password, use STRONG passwords (using quotes isnt enough eg.) on both your computer and router, and remember that using security tools you don't understand may make things worse.

[KBD47]

Hello, KBD47.

About encrypted passwords, saved by Firefox inside the Firefox user profile:

Yes, the passwords are encrypted. But this encryption is not really safe. You only need a running Firefox instance, which uses the (stolen) profile, which in turn holds the stored passwords. Firefox will happily use it and happily reveal the passwords in clear text, if you ask it to do so.

The only way to prevent unauthorized people from using Firefox to load your profile and decrypt the passwords for them, is by encrypting all passwords by a master password. I.e. the saved passwords will be encrypted using this master password. Without knowing the master password all other saved passwords in the Firefox profile will be inaccessible. No way of recovering them, in case you lose your master password.

In addition to my explanation, let me point you to the official Mozilla knowledge base: Master Password.
And how to Use a Master Password to protect stored logins and passwords.

Best regards,
Karl

Storing passwords in clear text is really dumb on the part of Firefox. Firefox requires a password to sync to settings and passwords to start with, they should require that same sync password to be able to see passwords in clear text. Would be a simple solution. Not sure what they are thinking there.
Thanks for that info! Will check out the links.

[KBD47]

So will Chrome. Really, if someone else has physical access to a machine it's all over security wise.

Don't set a root password, use STRONG passwords (using quotes isnt enough eg.) on both your computer and router, and remember that using security tools you don't understand may make things worse.

More and more I'm thinking full disc encryption is the only smart move for any computer that leaves the house.

[GS3]

Full Disk Encryption is, obviously, a good thing but it requires HDD and motherboard who support it. Most people would not change hardware just for that. I have a laptop with WIN XP for which I bought a HDD which supports FDE. It is still waiting for me to install it. Maybe I'll get around to it.

For most ordinary users there is no serious need to encrypt the OS and encrypting the user's files would be enough. In my WIN XP laptop I use PGP to encrypt a virtual HDD which holds all my personal files. The PGP keys are stored in a separate USB pendrive or a memory card. So, I need to insert the memory with the keys and then mount the virtual drive which holds all my files. When I am not using the computer the card is with me, not the laptop. If the laptop is stolen there is no risk of the files being accessed. Making a backup of the files is as simple as making a backup copy of the PGP file which holds the virtual disk. Simple, easy.

For websites and any other place which requires credentials I just do not understand the need for the browser or the system to remember my passwords. No way! I want to input the password myself each and every time. Anything else diminishes the security. I am not lazy for this and I do not understand how people can be so lazy about this. It's like leaving the key to your house under the welcome mat. Reminds me of the WPA WIFI routers with WPS. Yeah, great idea to make WPA virtually unbreakable and then, to make it easier, provide a back door which is trivial to break.

[chazb]

Should I set a root password ? If someone has access to my machine, how easy is it to break in on a 25 + char / nbrs / symbols password ?
Can they reset my password using root if root dosen't have a password ? is my home folder "safe" ?

I'm coming from OSX and with their OS, it's nearly impossible to "break in" unless you have the password.

Is mint as secure ?

if you are the only person using your computer, no you don't have to. If there are other people using your computer, then yes you should, simply because they can, if you don't. That said, if you set one, (don't use it).

[Executioner]

What about the addon LastPass? I've been using that with a master password of 15 characters.

I also make a backup copy of the passwords on a TXT file that is encrypted with WinZip AES 256 bit using a master password.

[GS3]

A really simple and unbreakable encryption system is by what is called the one time pad. No special software is needed. Take your text file holding all your passwords and XOR it with a file of random bits which is the key. Then you get as a result of the XOR operation an encrypted file. Without the key it is impossible to decrypt the file. Now take the encrypted file and XOR it with the key and the result is the original file. This, obviously is only practical for a limited number of files because for too many files it is unwieldy.

Generating a (key) file with random bits is extremely easy. There are random bit generators online but you can also take any compressed file (.jpg, .avi, .mpg, .mp3, .zip, etc.) cut off the header and you have quite some random bytes there. If you want even more randomness just XOR several of those files.

I have used this system with people who do not have any "proper" encrypting software or just to store information, including PGP keys. You can use as key any file generated for that purpose but you can also use any file of the OS or your own. You have thousands of MP3s or JPGs; just choose one and you can use it as the key. You can store it on your phone and someone would need to steal your computer and your phone *and* know the process of decrypting.