

Passwords

In Linux (and just about all other UNIX systems), the superuser login name is root. No matter how humble or huge the system, if you can log in as root, the system is wide open for you to do whatever you want. Obviously, letting just anyone log in as root is unacceptable because it exposes the system to potentially serious damage.

To prevent unauthorized access, the root login should always have a password, and that password should be secure. You may have noticed that Linux may not have asked for a root password on your system. That is because, on installation, the root password is set to the null string, which is a word with no characters. With root and any other login, Linux does not usually bother asking for the password if it’s the null string. On the other hand, if you were asked to set a root password during installation, you will have to enter it at the password prompt.

The null string is the least secure password there is because anyone who knows a valid username (such as root) can log in without being challenged at all. It is up to you to change the password. Linux lets you choose whatever new password you like and accepts it without checking how strong it is, which can lead to a false sense of security: a password has been set, but it may be no harder to guess than none. Check the other logins on the system as well; any account whose password field is empty is just as open as root was.
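The check a practitioner wants here is a quick audit of every account's password field, not just root's. The following is an added example, not code from the book: it parses the shadow(5) file layout, flags accounts whose password field is the null string, and separates them from accounts that are locked or were never given a password. It runs against a constructed sample (the hash values are made up) rather than the real /etc/shadow, which only root can read; pass a path to audit_shadow() to run it on a live system.

```python
"""Audit a shadow(5)-style password file for accounts with no password.

Added example; it is not code from the book. It reads the constructed sample
below rather than the real /etc/shadow, which only root can read; pass a path
to audit_shadow() to run it against a live system.
"""
from typing import Dict, List

# Constructed sample in /etc/shadow layout (hash strings are invented):
#   name:password:lastchange:min:max:warn:inactive:expire:reserved
# An empty password field is the null-string password the text describes:
# the login is accepted without asking for a password at all.
SAMPLE_SHADOW = """\
root::10000:0:99999:7:::
alice:$6$saltsalt$Q9v8Xc1uT0zY3nFkLpE2sR6wB4mJ7dH5gC8aV0xN1iO2kT3lP4uM5yW6eS7rD8fA9bG0hK1jI2cL3nZ4oX5q:10000:0:99999:7:::
bob::10000:0:99999:7:::
daemon:*:10000:0:99999:7:::
carol:!$6$saltsalt$Q9v8Xc1uT0zY3nFkLpE2sR6wB4mJ7dH5gC8aV0xN1iO2kT3lP4uM5yW6eS7rD8fA9bG0hK1jI2cL3nZ4oX5q:10000:0:99999:7:::
"""


def classify(password_field: str) -> str:
    """Map a shadow password field to one of: null, nologin, locked, set."""
    if password_field == "":
        return "null"       # no password: login never asks for one
    if password_field in ("*", "!!"):
        return "nologin"    # never given a password; cannot log in with one
    if password_field.startswith("!"):
        return "locked"     # passwd -l prefixes the hash with '!' to disable it
    return "set"            # a real hash; how strong it is is a separate question


def audit_shadow_text(text: str) -> Dict[str, List[str]]:
    """Group account names by the state of their password field."""
    report: Dict[str, List[str]] = {"null": [], "nologin": [], "locked": [], "set": []}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: not in shadow format")
        report[classify(fields[1])].append(fields[0])
    return report


def audit_shadow(path: str = "/etc/shadow") -> Dict[str, List[str]]:
    """Audit a real shadow file (root is needed to read it)."""
    with open(path, encoding="utf-8") as fh:
        return audit_shadow_text(fh.read())


if __name__ == "__main__":
    result = audit_shadow_text(SAMPLE_SHADOW)
    for name in result["null"]:
        print(f"WARNING: {name} has a null password; fix with: passwd {name}")
    print("locked:", result["locked"], "nologin:", result["nologin"], "set:", result["set"])
```

On the sample, root and bob come out as null-password accounts and are the ones to fix with passwd; daemon and carol cannot log in with a password at all, which is the state you want for system and disabled accounts.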

It is common knowledge that in the past users often chose passwords that they could easily remember: their dog’s name, their birthday, their hometown, their spouse’s name, and so on. The problem is that these passwords were also easy to break, either through guessing or by more sophisticated means. This led some system administrators to insist on difficult-to-break, randomly picked passwords (such as S8t6WLk). People could not remember these passwords at all, so they wrote them down and placed them on their desks. Others who were trying to break into the system would find the passwords and gain use of that login.

For this reason, system administrators recommend that you choose a password that is not a personal identifier and is not a single word that can be looked up in a dictionary. Some password-cracking routines simply run through a large word list, hashing each word and comparing the result with the stored hash. Mixing letters and numbers together helps: instead of choosing the password pepper, try pep4per. Be aware, though, that cracking tools also apply simple transformation rules to every dictionary word (append a number, capitalize the first letter, drop a digit in somewhere), so a word with one digit inserted only multiplies the attacker's work by a small constant. It is not out of reach for a routine that tries every word at every digit position; it just takes a little longer.

The best passwords are ones with combinations of upper- and lowercase letters and numbers that are still easy to remember. Fri13th, 22Skidoo, and 2Qt4U are the kind of examples traditionally given. They are memorable, but at five to eight characters they are short by today's standards, and a longer phrase of several unrelated words is both stronger and no harder to remember. Hard-to-guess passwords are known as strong passwords, while easy-to-guess ones are called weak.
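To make the search-space argument concrete, here is an added example (not code from the book) of the rule-based dictionary attack described above. It generates the cheap variations of each dictionary word that crackers try first and runs them against a target hash. Real /etc/shadow entries use crypt(3) formats such as sha512crypt, which are salted and deliberately slow; a salted SHA-256 is used here as a stand-in so the script runs anywhere, and the word list and salt are constructed for the example. The number of guesses, which is the point, is the same whatever the hash.

```python
"""Rule-based dictionary attack: what does dropping a digit into a word buy?

Added example, not code from the book. Real /etc/shadow entries use crypt(3)
formats such as $6$ sha512crypt, which are salted and deliberately slow; a
salted SHA-256 is used here as a stand-in so the script runs anywhere. The
size of the candidate list, which is the point, is the same either way.
"""
import hashlib
from typing import Iterable, Iterator, Optional, Tuple

# Constructed stand-ins: a tiny word list and a fixed salt.
WORDLIST = ["apple", "friday", "pepper", "secret", "skidoo"]
SALT = "x7"


def hash_password(password: str, salt: str) -> str:
    """Stand-in for crypt(3): salted SHA-256, hex encoded."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """Yield a word plus the cheap variations every cracker tries first."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for n in range(100):                      # pepper22, 22Skidoo
            yield f"{base}{n}"
            yield f"{n}{base}"
        for pos in range(1, len(base)):           # pep4per: one digit inside
            for digit in "0123456789":
                yield base[:pos] + digit + base[pos:]


def candidates_per_word(word: str) -> int:
    """How many guesses the rules above generate for one dictionary word."""
    return sum(1 for _ in mangle(word))


def crack(target_hash: str, salt: str, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Return (recovered password or None, number of guesses made)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if hash_password(candidate, salt) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    # pep4per and 22Skidoo are the book's own examples; the phrase is a
    # constructed contrast that no rule here reaches.
    for secret in ("pep4per", "22Skidoo", "eggplant canoe lantern"):
        found, guesses = crack(hash_password(secret, SALT), SALT, WORDLIST)
        status = "cracked" if found else "not found"
        print(f"{secret!r}: {status} after {guesses} guesses")
```

With three capitalizations, a number on either end and one digit at each interior position, a six-letter word expands to only 753 guesses, so pep4per falls out of a five-word list in well under two thousand hashes. A phrase of unrelated words is never generated at all, and extending the rules to reach it would multiply the list by the size of the dictionary for each extra word.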

For the best security, passwords should be changed every so often. Many system administrators recommend once every two or three months as reasonable. Be clear about what this buys you: changing a password limits the window during which a password that has already been stolen or cracked, but not yet used, remains valid. It does not make a weak password resist a dictionary attack, so choosing a strong one matters more than rotating it, and a password that you suspect has been exposed should be changed immediately rather than at the next scheduled date.


Note:  
Don’t leave your terminal unattended while you’re logged in. The idly malicious may take the opportunity to make some changes to your files or send a nasty mail message to people you’d hate to alienate. Always log out or lock your terminal when you leave. Of course, if your system is in the basement or spare bedroom and there’s no one else in the house, and you’re not networked or connected to a modem that’s online, then you don’t have to worry too much about break-ins or malicious damage. Still, logging off when you leave your desk is a good habit to cultivate and prepares you for when you go live to the rest of the world through the World Wide Web and the Internet.

Of course, the amount of system security you require depends on how much access there is to your system and the sensitivity of the information found on it. The root password should always be a good, secure one. If nothing else, it will discourage you from casually logging on as root, especially if you leave your user logins with null passwords.

If you are using Linux at home for experimenting, much of the security worries mentioned previously may seem silly. However, it doesn’t ever hurt to use good security, and the practice can be carried over to larger UNIX systems at work.

We change or assign a password for the root login (or any other login, for that matter) using the Linux command passwd. The spelling of the command has its history in the development of UNIX when long commands, such as password, were avoided due to the number of characters that had to be typed. Only someone logged in as root can change the root login (no other login has such privileges), but the root login can change any other login password. A user can almost always change their own login password, unless the system administrator has prevented that action.

To change the root password at the system prompt, log in as root (if you haven’t already) and type the command passwd. You will see the following messages:


darkstar:~# passwd

Changing password for root

Enter new password:

At the prompt, type your new, secure password. What you type is not displayed on the screen. This keeps anyone looking over your shoulder (called “shoulder surfing”) from reading the password you’ve just entered.


Warning:  
Make sure you type the password slowly and carefully. If any other user’s password is lost or forgotten, it can be reset by the root login. If the root password itself is lost or forgotten, you do not have to reinstall Linux, but you do need access to the console: booting into single-user mode, or from rescue media and mounting the system’s disk, lets you run passwd for root again. Keep in mind that this cuts both ways: anyone with physical access to the machine can do the same, so the root password protects you only against people who cannot get at the console.

Because it’s so important that passwords are entered correctly, the system double-checks the spelling of the password for you by asking you to type it again:


Retype new password:

