1

I am really bad at remembering long passwords (but i can remember short random ones very well) and that is why i would prefer to be able to use password that are relatively short, but I'm afraid those would lower my system's security.

In order to increase security over a short password for sudo I wanted to increase the delay between failed attempts.

What would you consider a good guidelines for setting up the delay of sudo in pam relative to the passwords length?

Do you consider this method to be problematic/unsecured or where do you think it can fail.

If it is problematic what would be a better alternative to fight hard to remember long passwords.

(the computer in hand is not a server and does not allow any kind of remote accesses with ssh/rdx or such, i use it as my personal desktop)

Improve this question
7
  • Hmm... Doesn't sudo usually just use the password for your "normal" account? So if you remember your normal password, you also got the password needed to become root with sudo. Yes, you can set a root-password and use su, but that doesn't involve sudo. If you decide to use su be sure to restrict which users can use su - either by config of su, or by limiting execution-rights. Problem with sudo is that if your user-account password is weak, so is the one needed to become root - and if they first crack your normal account, they can also sudo from it. Commented Mar 18, 2017 at 10:24
  • I'd suggest memorizing a good password for your user-account - and then use it to authenticate sudo also. If it's a short password, you probably should add a longer delay on your normal log-ins too, not just when using sudo. As for sudo, unless you use it very frequently, I guess you could add a very long retry delay, without it being too irritating for yourself. Besides, sudo "remembers" the password for a little while, so if you use sudo twice 5-10 minutes apart, you'll only need to enter password once. Commented Mar 18, 2017 at 10:29
  • @BaardKopperud the default configuration of sudo is indeed to use your normal password, but you can change that in PAM configuration. Commented Mar 18, 2017 at 10:37
  • @jNull, what are you using to modify the delay? You mention PAM, which module? Commented Mar 18, 2017 at 10:48
  • @ilkkachu i dont know much about pam but i came across this askUbuntu answer Commented Mar 18, 2017 at 11:36

1 Answer 1

Reset to default
2

I didn't double check the implementation(*), but if the delay set by pam_faildelay gets implemented as a simple sleep, it will cause a single login attempt to take a longer time (thus annoying the user), but will not in itself limit the number of simultaneous login attempts.

This somewhat undoes the intent of the delay, since someone trying to brute-force your password could simply open hundreds or thousands of login attempts simultaneously. Mostly they would spend their time sleeping, so the load on the system might not even be noticeable.

What you need to do, is to limit the rate of login attempts, not the duration of a single attempt. For a network service, I'd suggest limiting it on the network side (say with iptables on Linux), but I don't have a solution to give for PAM.

(The policy side of this, the password lengths and time limits, might be more suited to security.SE.)

(* Because I didn't have the time. The delay appears to be set through PAM, and might go to the application to implement. But it's unlikely to be implemented as a busy loop, and any program that implements rate limiting)

Improve this answer
2
  • i might should have made it more clear, I'm mainly worried about a program run by a user that can use sudo that has some evil code in it rather then a remote attacker. Commented Mar 18, 2017 at 13:14
  • 1
    @jNull A malicious program executed by a user with sudo rights is game over, changing sudo parameters won't make any difference. The program can plant malicious code on the user's account that will stealthily trigger the next time the user uses sudo for some legitimate purpose. A non-root trojan can be discovered in theory, but in practice it's highly likely to escape unnoticed. Commented Mar 18, 2017 at 23:36

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.