# Security of very weak root password

## Atomic Fusion

Is it inherently insecure to have a very weak root password or an auto-login to root, assuming precautions such as disabling SSH login to root and preventing su (with sudo using the user password)? If someone has physical access, they're already in as root, so aside from SSH/su, would there be any other things that would need to be restricted or disabled?

----------

## mattyboy

 *Atomic Fusion wrote:*   

> Is it inherently insecure to have a very weak root password or an auto-login to root, assuming precautions such as disabling SSH login to root and preventing su (with sudo using the user password)? If someone has physical access, they're already in as root, so aside from SSH/su, would there be any other things that would need to be restricted or disabled?

 

Yes it is insecure to have a very weak root password, or auto-login as root!

I'm not sure about what you'd want to restrict or disable, but I can tell you this: if you are auto-logging in as root, everything you do will be run as root, which means if an attack was made on something you are running, and they can get some arbitrary code to execute, then that code will be run with root privileges... This makes it much easier to do very bad things to your system!

Auto login with root is also dangerous if you are using it for daily work as well because it will make it much easier for you to accidentally change core system settings, or accidentally delete important files!

All in all, it's a bad idea to use root as an everyday account. As for the weak password, it'll just make it much easier to brute force, or crack, especially if it's a word in the dictionary!

Whatever you are trying to do, don't use that machine for anything important!!

I hope this helps!

----------

## phajdan.jr

 *Atomic Fusion wrote:*   

> Is it inherently insecure to have a very weak root password or an auto-login to root, assuming precautions such as disabling SSH login to root and preventing su (with sudo using the user password)? If someone has physical access, they're already in as root, so aside from SSH/su, would there be any other things that would need to be restricted or disabled?

 

Yes, if you know you have a weak password it's very stupid. What if you forget to plug just that one thing which authenticates root based on the weak password?

----------

## mattyboy

 *phajdan.jr wrote:*   

> *Atomic Fusion wrote:*
>
> > Is it inherently insecure to have a very weak root password or an auto-login to root, assuming precautions such as disabling SSH login to root and preventing su (with sudo using the user password)? If someone has physical access, they're already in as root, so aside from SSH/su, would there be any other things that would need to be restricted or disabled?
>
> Yes, if you know you have a weak password it's very stupid. What if you forget to plug just that one thing which authenticates root based on the weak password?

 

Exactly, it's hard to fully secure everything, plug every little hole... It's much easier to set a secure password so that, in case you (likely) miss something, you'll have that protection! 

If someone gets root, you're screwed... it's best to make it as hard as possible!

----------
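The two precautions named in the question (no SSH login for root, restricted su) can be checked mechanically rather than trusted. The sketch below is an added example, not code from any poster in this thread. It assumes su is restricted through `pam_wheel` in the su PAM file and that absent sshd keywords take upstream OpenSSH defaults; the sample files and function names are constructed for illustration.

```python
import re

# Constructed sample files for illustration; not taken from the thread.
SSHD_SAMPLE = """\
#PermitRootLogin yes
PasswordAuthentication yes
permitrootlogin no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""
PAM_SU_SAMPLE = """\
auth  sufficient  pam_rootok.so
#auth required    pam_wheel.so use_uid
auth  include     system-auth
"""
# An active (uncommented) pam_wheel auth line limits su to wheel members.
PAM_WHEEL = re.compile(r"^[ \t]*auth[ \t]+(\[[^\]]*\]|\S+)[ \t]+pam_wheel\.so", re.M)

def effective(sshd_text, keyword):
    """Return (global value or None, [(match condition, value), ...])."""
    global_val, overrides, match = None, [], None
    for raw in sshd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            match = value              # everything below applies conditionally
        elif key == keyword.lower():
            if match is not None:
                overrides.append((match, value))
            elif global_val is None:   # sshd uses the first value it reads
                global_val = value
    return global_val, overrides

def root_password_paths(sshd_text, pam_su_text):
    """List the places where the root password is still accepted."""
    findings = []
    # Assumed defaults when a keyword is absent: upstream OpenSSH values.
    root, root_matches = effective(sshd_text, "PermitRootLogin")
    passwd, _ = effective(sshd_text, "PasswordAuthentication")
    if (root or "prohibit-password") == "yes" and (passwd or "yes") == "yes":
        findings.append("ssh: root password login allowed globally")
    findings += [f"ssh: PermitRootLogin yes under Match {c}" for c, v in root_matches if v == "yes"]
    if not PAM_WHEEL.search(pam_su_text):
        findings.append("su: not restricted by pam_wheel")
    return findings
```

On the constructed sample, the global setting looks safe but a later `Match` block and a commented-out `pam_wheel` line both leave the root password usable. Keyboard-interactive (PAM) authentication and console or display-manager logins are not examined here.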

## Hendrikus

TIP: If you have problems with remembering your password and you want a strong one, make a sentence that you can remember very easily, something like:

"I was born in Amsterdam on Damsquare number 14."

You then take every first letter from this sentence and you get:

IwbiAoDn14

The first 4 or 5 times it's difficult, but soon you type it without problems and you'll have a very strong password!

----------

