Is a Strong Linux Password really necessary? (Privacy help part 2)

So I have now moved from Fedora Workstation to Silverblue (Fedora).

With all of the Privacy/Security of Silverblue, why is the recommendation to have a strong password to log in to Silverblue? My risk is probably the lowest of anyone. No one else uses my PC. My use case has been described as: “internet browsing, reading, watching videos, stuff like that.”

Is there an Internet external threat while I’m online that a strong login password protects me against?

My router is set for 9.9.9.9 Quad DNS.


Edit: Solution summary:

It does appear that Best Practice is to simply have a strong password. It will make it more difficult for any remote access “bad actor”. That definitely was what I needed to know. Thank you.

That’s a standard recommendation that applies to anything you log into. Not just exclusive to Silverblue. It’s always best OPSEC practice to ensure strong passwords for everything. There’s no novel reason here.

Weren’t you using Mullvad VPN anyway? Don’t do this then. Use the VPN DNS itself.

It’s always best to ask your questions in one post. Because advice for some things may make it inapplicable or bad if you’re trying to do something else even if said advice independently is good.

There is always a chance someone gets unauthorized physical access to your PC. If so, you want a strong password.

If someone getting full physical access to your PC is a risk, then you need a strong password for FDE, not just user authentication.

Totally agree. The scenario I had in my head was of a non technical user (maybe a family member) getting access to stuff OP wouldn’t want due to no password.


DNS:

Yes, I definitely am using Mullvad VPN. I think you are saying this bypasses the router’s DNS, so I should disable the router’s DNS setting?

My wife’s PCs, her phone and my phone all use the Wi-Fi through the router, so my thought was to have the router DNS set to Quad 9.9.9.9. (I think you are saying this is unnecessary?)

Posting questions on Privacy:

I was afraid that posting a separate question such as: (Why use a strong Linux password) would get lost in a different question.

I will certainly change that for the future, if that is not best practice.

So far it sounds like physical access is the main reason for a strong Linux login password, not a concern of “internet related access” from bad actors.

If your router is set to Quad9 and your PC is using Mullvad, it’s already bypassing the router DNS, so no worries.

What @anon57862721 is referring to is if you went into the Mullvad client and used the private DNS settings to change it to Quad9.


Any malware would need your password to do a lot of things, so setting one that’s not easily guessable prevents that, assuming they’re not able to keylog you for it. Also, if you’re running SSH for example, you want a strong password so an attacker can’t remotely attack you.


Oh! I think I understand. No, I use only default Mullvad settings.

Currently I am using the Mullvad browser downloaded from Flatpak and was advised that is not a “true” Mullvad browser. I am determined to use the Mullvad browser but have had issues:

  1. The Fedora “dnf” installation from the Mullvad website fails. I use “toolbox” for the dnf install. The library and downloading work, but during the installation there are too many failures (permission errors, I think).
  2. I did a straight download of the Mullvad browser from their website and unpacked the tar file, but could not find instructions on how to install the browser using that method. (I sent a request for instructions to Mullvad support.)

Darn… Yes I have ssh running. Thank you. That does expose an online risk.

Probably not. Your PC most likely does not have a routable IP address and cannot be remotely accessed even with an active SSH daemon. There is also probably a firewall somewhere between the PC itself and the upstream router preventing incoming connections. I’ll dissent and say that overall a strong root password is unnecessary.

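The post above argues that a running sshd is usually not reachable from the Internet because the PC has no routable address and sits behind a firewall. Whether that is true for a given machine is something you can check from the host side. The script below is an added example for this thread, not code from the forum or from any project: it parses the output of two real iproute2 commands, `ss -tlnp` (listening TCP sockets with owning process) and `ip -4 -o addr` (one IPv4 address per line), and reports for each listener which interfaces it answers on and whether any of those addresses is globally routable. The command output embedded here is constructed for the example (the interface name `wg0-mullvad` and every address are made up), and the classification is done with Python's `ipaddress` module, which treats RFC 1918 and loopback space as non-global.

```python
"""Classify listening sockets by who could reach them (host view only).

Added example, not code from the forum thread or from any project.  Parses
constructed `ss -tlnp` and `ip -4 -o addr` output; the real commands exist,
the sample text below does not come from a real machine.  "Reachable" here
means reachable absent a packet filter: this cannot see an upstream router's
NAT or the host's firewalld rules.
"""
import ipaddress
import re

# Constructed sample of `ss -tlnp`: sshd on the wildcard address, two local-only daemons.
SS_OUTPUT = """\
State  Recv-Q Send-Q  Local Address:Port   Peer Address:Port Process
LISTEN 0      128           0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128              [::]:22             [::]:*     users:(("sshd",pid=812,fd=4))
LISTEN 0      4096       127.0.0.54:53          0.0.0.0:*     users:(("systemd-resolve",pid=600,fd=19))
LISTEN 0      128         127.0.0.1:631         0.0.0.0:*     users:(("cupsd",pid=900,fd=7))
"""

# Constructed sample of `ip -4 -o addr`: loopback, a LAN address, a VPN tunnel address.
IP_ADDR_OUTPUT = r"""1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: wlp3s0    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp3s0\       valid_lft 86391sec preferred_lft 86391sec
3: wg0-mullvad    inet 10.64.12.7/32 scope global wg0-mullvad\       valid_lft forever preferred_lft forever
"""

WILDCARDS = {"0.0.0.0", "::", "*"}  # a socket bound here answers on every address the host has


def parse_ip_addr(text):
    """Return {interface: IPv4Address} from `ip -4 -o addr` output."""
    addrs = {}
    for line in text.splitlines():
        m = re.match(r"^\d+:\s+(\S+)\s+inet\s+([\d.]+)/\d+", line)
        if m:
            addrs[m.group(1)] = ipaddress.ip_address(m.group(2))
    return addrs


def parse_ss(text):
    """Return [(process, bind_address, port)] for each LISTEN line of `ss -tlnp`."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # "Local Address:Port" column
        addr = addr.strip("[]")                     # IPv6 literals are bracketed
        proc = re.search(r'"([^"]+)"', line)        # users:(("sshd",pid=...)) -> sshd
        listeners.append((proc.group(1) if proc else "?", addr, int(port)))
    return listeners


def reachable_on(bind_addr, host_addrs):
    """Which of the host's addresses a socket bound to `bind_addr` answers on."""
    if bind_addr in WILDCARDS:
        return dict(host_addrs)  # every interface, including ones that appear later (VPN, Wi-Fi)
    ip = ipaddress.ip_address(bind_addr)
    if ip.is_loopback:
        return {"lo": ip}        # all of 127.0.0.0/8 lives on lo: local processes only
    return {ifc: a for ifc, a in host_addrs.items() if a == ip}


def exposure_report(ss_text, ip_text):
    """One dict per listener: process, port, bind address, interfaces, and a scope verdict."""
    host = parse_ip_addr(ip_text)
    report = []
    for proc, bind, port in parse_ss(ss_text):
        where = reachable_on(bind, host)
        if any(a.is_global for a in where.values()):
            scope = "internet"        # a public address: reachable unless something filters it
        elif any(not a.is_loopback for a in where.values()):
            scope = "lan-or-vpn"      # private address: peers on that network can connect
        else:
            scope = "local-only"
        report.append({"process": proc, "port": port, "bind": bind,
                       "interfaces": sorted(where), "scope": scope})
    return report


if __name__ == "__main__":
    for entry in exposure_report(SS_OUTPUT, IP_ADDR_OUTPUT):
        print(f'{entry["process"]:>16} :{entry["port"]:<5} {entry["scope"]:<12} {entry["interfaces"]}')
```

On the constructed sample, sshd comes out as `lan-or-vpn` on `lo`, `wg0-mullvad` and `wlp3s0`: not Internet-facing, but answering to anything on the Wi-Fi segment and on the tunnel interface, which is exactly the case the "attacker on your network" reply is about. To run it against your own machine, feed it `ss -tlnp` and `ip -4 -o addr` output instead of the samples, and pair it with `firewall-cmd --list-all` to see what firewalld actually lets through on the active zone.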

Better hope an attacker doesn’t get on your network. Consumer routers aren’t exactly famous for their security.

Generally I think it’s best if you assume all network infrastructure is compromised, even your own.

I use a custom Linux firewall/router, not consumer hardware. But even with consumer hardware, assuming that the “router” isn’t somehow misconfigured, there shouldn’t be anything that can be attacked in the first place. You can’t absolutely rule out vulnerabilities, but a weak root password isn’t typically how “hackers” take control of a remote host.

Are you advocating for a weaker password to be set? I see no reason not to have a strong password no matter what.

I am not advocating for a weak password, but there are usability trade-offs. If you do a lot of sysadmin work, a long and complex root/sudo password isn’t practical, as it is something you repeatedly enter. The real solutions are elsewhere (things like key-based authentication, isolation through users, containers, etc.)

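Two replies in this thread make the same practical point from opposite directions: the earlier one that a running sshd turns a guessable password into a remote risk, and the one just above that key-based authentication, not a longer password, is the real fix. What decides between them is what sshd is actually configured to accept. The script below is an added example for this thread, not code from the forum, from OpenSSH or from Fedora. It reads the `sshd_config(5)` format the way sshd does for the global section (case-insensitive keywords, `#` comments, `=` or whitespace as separator, first occurrence of a keyword wins), fills in upstream OpenSSH defaults for keywords that are absent, and lists the ways a password could still be attacked over SSH. Everything after the first `Match` line is a per-connection override and is deliberately ignored, and `Include` files are not followed, so treat the result as a sanity check on one file; the two sample configs are constructed for the example.

```python
"""Audit the global section of an sshd_config for password-login exposure.

Added example; not code from the forum thread, from OpenSSH or from Fedora.
The parser mirrors sshd's handling of the global section: first occurrence of
a keyword wins, keywords are case-insensitive, '#' starts a comment.  'Match'
blocks and 'Include' directives are out of scope here.  Sample configs are
constructed for the example.
"""
import re

# Upstream OpenSSH defaults for the keywords that matter here (sshd_config(5)).
# A distro, or a drop-in under sshd_config.d, may ship different values.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",   # PAM prompts; formerly ChallengeResponseAuthentication
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
}

_LINE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*?)\s*$")  # keyword, '=' or blank, value

# Constructed sample: a distro-style file with password login left at its defaults.
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

# Constructed sample: key-only login, the fix the post above points at.
HARDENED = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
AuthenticationMethods publickey
UsePAM yes
Match User deploy
    PasswordAuthentication yes   # conditional override: not part of the global audit
"""


def parse_sshd_config(text):
    """Return the global settings as a lower-cased keyword -> value dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break  # everything from here on applies only to matching connections
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def effective_settings(text):
    """Parsed settings with OpenSSH defaults filled in for absent keywords."""
    parsed = parse_sshd_config(text)
    return {k: parsed.get(k, d) for k, d in DEFAULTS.items()}


def audit(text):
    """List the ways a guessable password could be attacked over this sshd."""
    eff = effective_settings(text)
    findings = []
    if eff["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: remote password guessing against every account")
    if eff["kbdinteractiveauthentication"] == "yes":
        findings.append("KbdInteractiveAuthentication yes: with UsePAM, PAM can still prompt for "
                        "the password even when PasswordAuthentication is no")
    if eff["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: the root password is directly attackable")
    if eff["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes: accounts with no password can log in")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {audit(cfg) or ['no password exposure over SSH']}")
```

The keyboard-interactive finding is the one people miss: setting `PasswordAuthentication no` alone leaves the PAM password prompt reachable on most distro builds, so both keywords have to be off (or `AuthenticationMethods publickey` set) before the login password stops mattering to a remote attacker. Because this parser does not follow `Include` or `Match`, the authoritative view on a real system is `sudo sshd -T`, which prints the fully resolved configuration.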

This is a big if, though. But for OP’s seemingly average threat model, your advice appears not really applicable, even if not technically inaccurate.

But that’s my opinion. OP should still stick with a strong password.


Certainly very wise advice.

So, if I understand the mechanics of the risk, if a bad actor is able to be on your network and you are using your PC, they could gain access to your “online” PC by cracking your “unsafe password” through something like SSH?

I just find it a pain to have to type in a complicated password every time I start up the PC or if it locks while I’m away, if I don’t have any real risk. It’s just myself and my wife at home and of course our two dogs… So I wondered if I really had any risk requiring a complex password.

I mean, this thread/question/post is marked solved. I don’t really have a better answer. Best OPSEC practice still is to always have a strong password. It really ends there.