6 events
when toggle format what by license comment
Jun 11, 2021 at 16:29 vote accept zpangwin
Jun 11, 2021 at 16:28 comment added zpangwin You and FelixJN both had very good answers but the way you worded yours - especially the line "The risk isn't so much the software you know, it's the software you didn't think about." - seems to have got me thinking much more on it and I think contributed more to me arriving at "Any concrete examples where a blank password can be exploited are really only temporary security bugs/security misconfigurations that haven't been patched yet", so I think it is only fair to mark that as the solution.
Jun 11, 2021 at 16:21 comment added zpangwin ^ e.g. just like fixing bugs (or security issues), there is always another config / setting that could be tweaked or a new one that comes out when you update packages. In other words, it might be fair to say that the issue with a non-root account having a blank password isn't an issue in and of itself; essentially, it acts as a convenient stepping stone for an attacker when another more serious issue is present, and issues of this type will always be present in any evolving system (and probably in any finished system created by imperfect beings). So any concrete example would only be temporary.
Jun 11, 2021 at 16:08 comment added zpangwin ^ Your points are perfectly reasonable; so are FelixJN's. Starting to see one problem with my question/OP in that it doesn't blatantly say that auditing has been done, but even if I changed the wording to "every possible precaution/safeguard except non-root password has been implemented", it'd still be there. Part of me is still wanting to hold out for a "concrete" example; I feel like I'm still missing a critical piece of how an exploit actually uses a blank password on an otherwise well protected system. But I guess this might be something like Linus's saying that all security issues are bugs.
Jun 11, 2021 at 15:54 comment added zpangwin I think I see your general point about (at least for most people) not being aware of all things on the system. I think this could be mitigated against at least somewhat by more advanced users and/or running auditing tools like lynis (which I am now curious if this tool would flag a blank password lol). For email servers/openssh stuff, I guess I have been thinking that in terms of a home network those would most likely only be vulnerable via LAN/wifi (I guess some people don't use home routers but seems likely anyone setting up FDE would know to do that much). Do routers not protect somewhat?
Jun 11, 2021 at 14:32 history answered Philip Couling CC BY-SA 4.0