Are PINs secure?

Are you telling me that the admin password is, by default, some sort of short pincode?

I wonder if people change this to make it a real/secure password? PIN codes (usually 4 or 6 digits) are obviously insecure.

1 Like

The default password for LUKS and the user account in the PureOS ARM64 image is 123456, whereas in Mobian, the user account password is 1234.

1 Like

Up to a point I agree with you that this is an area that can be improved but …

… this is overstating it.

  • A PIN that unlocks some kind of trust module is “obviously” secure. Because you get “3” goes and after that even the correct user PIN won’t work (requires admin unlock).
  • Any system that takes more general evasive action after a small number of bad PINs is somewhat robust with a 4-digit PIN but better with a 6-digit PIN. (For example, set your internet banking password to a 6-digit PIN and make a few incorrect attempts. :wink: OK, probably your bank won’t even allow you to conduct this experiment but the point is that even a weak password is somewhat safe in the face of evasive action. Your bank should lock your account after a few bad passwords, regardless of how weak or strong your password is.)

If the unlock screen took evasive action after a few bad PINs and shut down then you would require the LUKS passphrase to recover from that situation and it is “assumed” that all sensible people do change the LUKS passphrase from the factory default to something long and strong, and the power of defaults suggests that the first time boot should force you to enter a new non-default LUKS passphrase. You can tie the LUKS unlock to the OpenPGP module if you want.

There are in general security v. convenience trade-offs.

Other people have talked about not even having a user unlock PIN. Once you control all of the code of the phone, exotic options like that open up to you.

A static default password is not great (whether strong or not). Routers long ago moved beyond that because it was a known weakness (because customers don’t change the password).

You can disconnect the admin password from the user password completely by adding a second account, adding that new account to the sudo group, and then removing the default user from the sudo group.

There is a larger set of passwords too. For example, because the default keyring unlock functionality doesn’t work yet, you end up having a separate password for the keyring. (You can set that password intentionally to the same as the default PIN but that wouldn’t exactly be recommended practice. :frowning_face:)

You can read in this forum for a fact that some customers do because at one stage you had to do this from the shell.

1 Like
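The "second account in the sudo group, default user out of it" procedure from the post above, written out as an added example (not code from the post or from Purism). It assumes a Debian-derived system such as PureOS or Mobian where `sudo` is the admin group, that the default user is `purism` (PureOS; Mobian's is `mobian`), and uses `q7xadmin` as a hypothetical unpredictable admin name. It also adds the check a practitioner wants: the default user is only dropped from `sudo` once the new account is confirmed to be in it, so you cannot lock yourself out of admin.

```shell
#!/bin/sh
# Added example, not from the forum post or from Purism: split the admin
# role from the default user on a Debian-derived system (PureOS, Mobian).
# Assumptions: the default user is "purism" (Mobian: "mobian"), the new
# admin name "q7xadmin" is a hypothetical placeholder, and "sudo" is the
# admin group. The commands themselves need root.
set -eu

# Is USER a member of the sudo group? Parses a file in /etc/group format
# (default /etc/group); passing a path lets the check run against a
# constructed sample without root. Exit 0 if a member, 1 otherwise.
in_sudo_group() {
  user="$1"
  groupfile="${2:-/etc/group}"
  awk -F: -v u="$user" '
    $1 == "sudo" {
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] == u) found = 1
    }
    END { exit found ? 0 : 1 }' "$groupfile"
}

# Run a command, or only print it when DRY_RUN=1 so the sequence can be
# reviewed before it is executed for real.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. create the new admin account (adduser prompts for its password:
#    make it a real passphrase, not a PIN),
# 2. add it to sudo,
# 3. only after confirming step 2 took effect, drop the default user
#    from sudo. Doing step 3 first would leave the phone with no admin.
# The default user keeps its PIN for screen unlock; the PIN just no
# longer grants root via sudo.
separate_admin() {
  new="$1"
  old="$2"
  run adduser "$new"
  run usermod -aG sudo "$new"
  if [ "${DRY_RUN:-0}" != 1 ] && ! in_sudo_group "$new"; then
    echo "refusing to continue: $new is not in the sudo group" >&2
    return 1
  fi
  run gpasswd -d "$old" sudo
}

# Usage: review the sequence first, then run it as root.
#   DRY_RUN=1 sh separate_admin.sh q7xadmin purism
#   sudo sh separate_admin.sh q7xadmin purism
if [ $# -ge 2 ]; then
  separate_admin "$1" "$2"
fi
```

Before logging out of the default user, open a second terminal and confirm that `sudo -v` works for the new account; the LUKS passphrase and the keyring password are unaffected by this change and still have to be dealt with separately.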

Which I’ve been told is a 6-digit PIN code: 123456.

Just as with people’s arguments here about how Google, Firefox, et al. are using “inertia” (by using permissive defaults), we know that most people won’t change their LUKS passphrase unless forced.

Yes. But there still needs to be something to stop the “insecure by inertia” -> forcing an immediate password change.

Not just “can” … but “should”. Synology started encouraging users of their NAS to set it up so they can use the self-hosted apps on the NAS outside the LAN. They called this “QuickConnect” and made it simple. Within 6 months or so … they warned users that they should change the name of the “admin” account to an unpredictable username. Why? Because people started brute-forcing the “admin” logins for their QuickConnect users.

Having a predictable admin account name (e.g. root, admin) accessible via SSH with passwords is known to be bad.

1 Like

You are correctly informed.

I think it might actually prompt for a new one on first boot but I have never seen that - maybe because I change it on the host computer after downloading the disk image and before flashing it to the phone. (That way if I ever have to reflash, what gets reflashed is out-of-the-box fully secured as far as LUKS is concerned - reencrypted, changed slot passphrase, adjusted slot encryption parameters.)

I agree.

I think we have to accept that root is here to stay though. I wonder how many things would break if root were renamed (keeping the same uid and gid).

So the workaround for some Linux families is that the root account doesn’t get used for admin purposes. (The root account is disabled by default on the Librem 5 although I don’t think it breaks anything as such if you enable it.)

I have certainly set that up on my phone i.e. an unpredictable admin account name.

I believe that initially Purism wanted to change the default user account name but one thing broke and so they left it as is for now. That of course doesn’t prevent any motivated customer from addressing it. However, as you say, it should be secured to a high level out-of-the-box (“power of defaults”).

I think an awful lot of the defaults in this area could be improved on the Librem 5 but perhaps Purism has higher priority issues to address.

1 Like
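The "fix LUKS on the host before flashing" workflow from the post above (re-encrypt, change the slot passphrase, adjust the slot's key-derivation parameters), as an added example that is not code from the post or from Purism. It assumes the image is a LUKS2 container (the included header check refuses anything else), a host with cryptsetup 2.x and util-linux, root for the loop device and cryptsetup steps, and an image path and `--iter-time` value that are placeholders. cryptsetup prompts interactively; the first passphrase it asks for is the one the image shipped with.

```shell
#!/bin/sh
# Added example, not from the forum post or from Purism: harden the LUKS
# container inside a downloaded disk image on the host, before flashing,
# so a later reflash never reinstalls the factory passphrase or the
# factory volume key. Assumptions: LUKS2 container, cryptsetup 2.x,
# util-linux, root; image path and --iter-time are placeholders.
set -eu

# Print the LUKS header version (1 or 2) found at byte OFFSET of FILE,
# or fail. A LUKS header begins with the magic "LUKS" 0xBA 0xBE followed
# by a big-endian 16-bit version. Works on a plain file or a block
# device, so it can check an image (or a constructed sample) offline.
luks_version() {
  file="$1"
  offset="${2:-0}"
  hdr=$(od -An -tx1 -j "$offset" -N 8 "$file" | tr -d ' \n')
  case "$hdr" in
    4c554b53babe0001) echo 1 ;;
    4c554b53babe0002) echo 2 ;;
    *) echo "no LUKS header at offset $offset of $file" >&2; return 1 ;;
  esac
}

# Run a command, or only print it when DRY_RUN=1 for review.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The three changes on an attached LUKS2 partition, in order:
#   1. reencrypt: new volume key (everyone who downloaded the same image
#      already has the old one, so changing only the passphrase is not
#      enough),
#   2. luksChangeKey: replace the factory passphrase in the key slot,
#   3. luksConvertKey: raise the slot's PBKDF cost so offline guessing
#      of the new passphrase is slow. --iter-time is benchmarked on the
#      host; the phone's CPU is slower, so unlock there takes longer.
harden_luks() {
  dev="$1"
  if [ "${DRY_RUN:-0}" != 1 ] && [ "$(luks_version "$dev")" != 2 ]; then
    echo "refusing: $dev is not a LUKS2 container" >&2
    return 1
  fi
  run cryptsetup reencrypt "$dev"
  run cryptsetup luksChangeKey "$dev"
  run cryptsetup luksConvertKey --pbkdf argon2id --iter-time 4000 "$dev"
}

# Usage (as root; pureos.img is a placeholder path):
#   loop=$(losetup --find --show -P pureos.img)       # e.g. /dev/loop0
#   dev=$(blkid -t TYPE=crypto_LUKS -o device "$loop"p*)
#   sh harden_luks.sh "$dev"
#   cryptsetup luksDump "$dev"     # confirm the slot's PBKDF and costs
#   losetup -d "$loop"             # then flash the image as usual
if [ $# -ge 1 ]; then
  harden_luks "$1"
fi
```

Argon2 memory cost is also benchmarked on the host; if the target device has much less RAM than the host, cap it with `--pbkdf-memory` (in KiB) on the `luksConvertKey` step, otherwise the initramfs may not be able to unlock the slot. Keep a copy of the hardened image: it, rather than the download, is what you reflash.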

There are no prompts to change any passwords on either the PureOS ARM or Mobian image. One of the very few prompts I can recall from the operating system itself, other than general updates, is the Deja Vu Backup. Mobian has prompts during initialization whenever external media is mounted, but that does not happen at all on PureOS Byzantium.

3 Likes

Depends where you stick 'em!

1 Like