On 19 Mar 2024 17:42 +0300, from daydreamer199...@gmail.com (Jan Krapivin):

> The thing is my password is very easy now, and I haven't thought about
> *"automated connection attempts"*, that sounds rather... scary? My password
> is easy because I am not afraid of direct physical access to the computer.
>
> But... if there is a serious network danger, then I should change my
> password of course. But how strong should it be? If we speak about network
> attacks... should it be like 32 symbols with special symbols? Or is this
> paragraph in a handbook rather paranoid?
>
> I have activated sudo now for my regular user. Can it (the password of the
> regular user) be less sophisticated than the root password? Because it
> would be rather difficult to enter 32 symbols every time I wake my PC after
> suspend.
My suggestion for a memorable password is to use a _passphrase_ instead. I discuss my approach at [1] and to a lesser extent at [2], both of which you may find worth your while to read through. At [1], the most relevant section would be the one on passwords you must memorize.

A 6-7 word Diceware passphrase [3] will provide very much adequate security unless your threat model includes a nation-state government brute-forcing your password; which chances are it doesn't. I recommend using the EFF's long word list [4], but any "five dice" (7776 entries) Diceware word list will provide equivalent security when used with a word separator. (Unless using a word list deliberately designed for that use case, Diceware passphrases have reduced security when used without a word separator. The EFF long word list takes this into account and therefore doesn't strictly require word separators to achieve the intended degree of security.)

Two examples of such passphrases are: pedometer settling stretch endocrine elusive unpaid rented; or: valiant overtime last drab carol landslide supper. (Naturally, please don't use either of these.) The xkcd example [5] is: correct horse battery staple; but four words is relatively weak.

Such a 7-word Diceware passphrase has roughly equivalent strength (about 90 bits' worth) to a 15-character mixed-case alphanumeric traditional password such as ieraey6Wic1Shoh, or an 18-character single-case alphanumeric password such as gav7it7aetiengo9ei; but is arguably much easier to remember and type. Even a 6-word Diceware passphrase (about 77 bits' worth of security) will virtually guarantee that the weak link in your security will not be your account password, yet if you are a reasonably good typist it can be typed accurately in a few seconds with a bit of practice.

Also, many variations of [6] apply. Technical protective measures can only go so far, BUT that doesn't mean that they are useless; far from it.
For most values of "you", most attackers don't care about _your_ account, or _your_ system; they care about _any_ account, or _any_ system. Actually targeted attacks do happen, but very rarely compared to what might be thought of as attackers throwing stuff at the wall and seeing what sticks. (There's even a term for that: Internet background noise.)

So _even more important is probably to keep your system up to date on software._ Install updated versions of packages promptly as they become available in the Debian repositories. If you have any out-of-tree packages installed, make sure to set things up so that you get notified of updates to those. Software bugs, especially but not exclusively in software that is exposed to the network in any way, shape or form (this very much includes something like your web browser), are likely a bigger risk to most people than is a halfway decent password being brute-forced over the network.

[1]: https://michael.kjorling.se/password-tips/
[2]: https://michael.kjorling.se/blog/2023/forget-what-everyone-tells-you-makes-a-password-strong/
[3]: https://www.diceware.com/
[4]: https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases
[5]: https://xkcd.com/936/
[6]: https://xkcd.com/538/

-- 
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
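The bit counts quoted in the reply above (about 90 bits for a 7-word Diceware passphrase, about 77 bits for 6 words, and the 15-character mixed-case and 18-character single-case passwords they roughly match) all follow from one formula: entropy = number of choices × log2(size of the pool each choice is drawn from). The script below is an added example, not code from the thread or from the Diceware or EFF projects; it computes those figures, shows what a random-character password needs to reach the same strength, and draws a passphrase with the OS CSPRNG. The `SAMPLE_WORDS` list is a constructed eight-entry stand-in, so passphrases drawn from it carry only 3 bits per word; a real five-dice list has 6^5 = 7776 entries, which is where the 12.9 bits per word comes from. The word-count figures assume a separator between words, as the reply notes.

```python
"""Passphrase versus password entropy: the arithmetic behind the reply above.

Added example, not part of the original thread. SAMPLE_WORDS is a
constructed stand-in; a real five-dice Diceware list has 6**5 = 7776 words.
"""
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 entries in a "five dice" list

# Constructed stand-in word list: only 8 entries, so 3 bits per word.
# Its only purpose is to make generate_passphrase() runnable offline.
SAMPLE_WORDS = [
    "pedometer", "settling", "stretch", "endocrine",
    "elusive", "unpaid", "rented", "valiant",
]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of n_words chosen uniformly, with replacement, from list_size words.

    Assumes word boundaries are unambiguous (a separator, or a list designed
    for separator-free use); otherwise the real figure is somewhat lower.
    """
    return n_words * math.log2(list_size)


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` characters."""
    return length * math.log2(alphabet_size)


def chars_for_bits(bits: float, alphabet_size: int) -> int:
    """Shortest uniformly random password over `alphabet_size` reaching `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at the given guess rate.

    The guess rate is a parameter, not a claim about any particular attacker;
    online guessing against an SSH or login prompt is many orders of
    magnitude slower than offline cracking of a leaked hash.
    """
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(n_words: int, wordlist=SAMPLE_WORDS, separator: str = " "):
    """Draw n_words with the OS CSPRNG (secrets), never random.random().

    Returns the passphrase and the entropy actually obtained, which depends
    on the size of the list the words were drawn from.
    """
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return separator.join(words), passphrase_bits(n_words, len(wordlist))


if __name__ == "__main__":
    for n in (4, 6, 7):
        bits = passphrase_bits(n)
        print(f"{n}-word Diceware passphrase: {bits:5.1f} bits; "
              f"needs {chars_for_bits(bits, 62)} mixed-case alphanumeric or "
              f"{chars_for_bits(bits, 36)} single-case alphanumeric characters")
    print(f"15 chars mixed-case alphanumeric : {password_bits(15, 62):5.1f} bits")
    print(f"18 chars single-case alphanumeric: {password_bits(18, 36):5.1f} bits")
    # Assumed rate purely for illustration (a constructed figure).
    print(f"6-word passphrase at 1e12 guesses/s: "
          f"{years_to_exhaust(passphrase_bits(6), 1e12):.0f} years to exhaust")
    phrase, got = generate_passphrase(7)
    print(f"From the 8-word stand-in list: {phrase!r} ({got:.0f} bits, far too few)")
```

The `generate_passphrase` return value makes the practical point explicit: the same seven-word procedure yields only 21 bits from the eight-entry stand-in list but about 90 bits from a full 7776-entry list, so the list size, not the word count alone, is what the strength claim rests on.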