My quest to eliminate passwords

I hate having to enter passwords, and the Librem 5 is configured to make me enter passwords all the time, which is damn annoying! I don’t want any stinkin’ security on my personal spying device!

The first thing that I eliminated is the hardware encryption. I know from bitter experience that having an encrypted hard drive is a recipe for me to lose my data in an emergency, so I got rid of the disk encryption which means one less password to enter when booting the phone.

Here is how I flashed my phone to get rid of LUKS disk encryption:
./scripts/librem5-flash-image --variant plain

I figured that there was no reason to make myself enter a password when issuing a command as sudo since I am the only person using the phone, so I issued the sudo visudo command to change my /etc/sudoers file from:
%sudo ALL=(ALL:ALL) ALL
to:
%sudo ALL=(ALL:ALL) NOPASSWD:ALL

Now it is much more enjoyable to play with my phone without having to always enter stupid passwords in the terminal!

Unfortunately, I couldn’t find a way to do auto login in Phosh. Annoyingly PureOS doesn’t want to allow any passwords shorter than 6 characters long, which means 1000000 (10^6) possible passwords if we limit the password to just numbers. In contrast, Mobian is fine with a password 4 characters long, which would be 10000 (10^4) possibilities. Nobody in Bolivia who finds my phone is going to have any idea what to do with it (including my wife), so why bother with long passwords!

I decided to set the minimum password length to just 1 character, by issuing the command:
sudo nano /etc/pam.d/common-password

Then I changed the lines from:

password  [success=2 default=ignore]  pam_unix.so sha512
password  [success=1 default=ignore]  pam_unix.so obscure use_authtok try_first_pass yescrypt

To:

password  [success=2 default=ignore]  pam_unix.so sha512 minlen=1
password  [success=1 default=ignore]  pam_unix.so obscure use_authtok try_first_pass yescrypt minlen=1

Then I set the password from the command line to something really short and sweet:
passwd
For some reason, my changes make it impossible to change the password in the Phosh interface under Settings > Users > Password, but who needs a lousy GUI when we have a cool command line to play with?

Having a password 1 character long means that there are only 80 possible passwords, so it should be nice and easy to crack if anyone picks up my phone! However, having to enter one character at the login screen was still taking me too much time. I tried setting minlen=0, but PAM interpreted that as minlen=6. Rats!

I wanted to eliminate that annoying login screen altogether, but that doesn’t seem to be an option in the Phosh code. It appears that Guido Günther worked on a setting to disable the lock screen in Phosh, but then he decided to not implement it. Rats again!

However, I found another of Guido’s changes last year that lets me set a lock delay in the L5:
gsettings set org.gnome.desktop.screensaver lock-delay 3600

Now, I can press the Power button to blank the screen and then press it again to bring back the screen and I don’t have to enter any password as long as I blanked the screen within the last hour. Unfortunately, if the phone enters suspend, I still have to enter a password when resuming. Oh well, nothing is perfect, but now my Librem 5 is as insecure as I can make it!

12 Likes

You can make it even more insecure: enable PDF-widget for lock-screen, write your password into a PDF file and save it into the connected folder. Now everyone can read it without trying to figure out which of the 80 keys is the correct one.
With my keyboard there are even 184 characters that can be entered via Squeekboard - way too much work for local hackers. :crazy_face:

Edit:
In fact, for some reasons it’s not that bad an idea - have a look at this thread.

4 Likes

With the understanding that … you are the owner of the phone, you can do whatever you like with it.

The only exception to that is … if you communicate privately with someone and that privacy is compromised because your phone is compromised then you are letting the other party down.

Another option is to use the OpenPGP card to unlock the encrypted partition. That way you don’t have to remember the LUKS passphrase, only the card’s user PIN (and either the PIN or the passphrase will unlock the partition).

You may be right in practice but this is security through obscurity. Note though that a somewhat motivated thief could ask in this forum how to get back into “his” phone and we would happily help the thief. You might even help the thief yourself without knowing it.

By booting Jumpdrive, if you are not using LUKS, a thief can steal all your files without knowing your account password anyway.

I guess it depends on what information you are storing on the phone.

Or if you forget your own password.

If it’s on the network, you may not be the only person using the phone.

By having no sudo password, you are allowing the takeover of an unprivileged account to become the takeover of the whole phone. This of course pre-supposes the existence of some successful remote attack into the purism account.

So keep those switches in the ‘off’ position.

6 Likes
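
An added example, not part of the thread or of PureOS: a shell audit that detects the four changes made in the opening post (passwordless sudo, a lowered pam_unix minlen, a long screensaver lock-delay, no LUKS volume), the settings whose risks the reply above describes. The function names, the thresholds and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the four changes made in the opening post.
# Each check prints a finding and returns 1 when the weakened setting is present.

check_sudoers() {      # $1 = /etc/sudoers or a file under /etc/sudoers.d
  # Skip comment lines, but keep "#<uid>" user specs, which also start with '#'.
  awk '/^[ \t]*#[^0-9]/ || /^[ \t]*#$/ { next }
       /NOPASSWD[ \t]*:/ { printf "%s:%d: %s\n", FILENAME, FNR, $0; bad = 1 }
       END { exit bad }' "$1"
}

check_pam_minlen() {   # $1 = /etc/pam.d/common-password, $2 = shortest length allowed
  awk -v min="${2:-6}" '
    /^[ \t]*#/ { next }
    $1 == "password" && /pam_unix\.so/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^minlen=[0-9]+$/ && substr($i, 8) + 0 < min) {
          printf "%s:%d: %s below %d\n", FILENAME, FNR, $i, min; bad = 1
        }
    }
    END { exit bad }' "$1"
}

check_lock_delay() {   # $1 = output of the gsettings get command, $2 = max seconds
  secs=${1##* }        # "uint32 3600" -> "3600"
  [ "$secs" -le "${2:-0}" ] || { echo "lock-delay: ${secs}s exceeds ${2:-0}s"; return 1; }
}

check_luks() {         # $1 = output of `lsblk -no FSTYPE`
  printf '%s\n' "$1" | grep -q crypto_LUKS || { echo "no LUKS volume present"; return 1; }
}

demo() {               # constructed inputs reproducing the post's edits
  d=$(mktemp -d); findings=0
  printf '%s\n' '# sudo group' '%sudo ALL=(ALL:ALL) NOPASSWD:ALL' > "$d/sudoers"
  printf '%s\n' 'password [success=1 default=ignore] pam_unix.so obscure yescrypt minlen=1' \
    > "$d/common-password"
  check_sudoers "$d/sudoers" || findings=$((findings + 1))
  check_pam_minlen "$d/common-password" 6 || findings=$((findings + 1))
  check_lock_delay 'uint32 3600' 0 || findings=$((findings + 1))
  check_luks 'ext4' || findings=$((findings + 1))
  rm -rf "$d"
  echo "findings: $findings"
}
demo
```

On a device, pass the checks `/etc/sudoers`, `/etc/pam.d/common-password`, and the output of `gsettings get org.gnome.desktop.screensaver lock-delay` and `lsblk -no FSTYPE` in place of the constructed inputs.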

A great compromise solution between annoying password entry and security is picture password! I financed Purism on the app development website page with my 5$ as requested (although they told me it isn’t mandatory for them to develop it), hoping to have it as soon as possible! Moreover, a picture password is more difficult to be seen than a digit password, so it is a safer way!!

4 Likes

Did you try to launch phosh with the -U option? It should start phosh unlocked (it worked for me 2 years ago when I was doing some valgrind on phosh).

1 Like

I made a few of the same changes as you.

Unfortunately my gnome keyring still prompts me to log in after logging in to phosh, and again whenever I launch any flatpak apps for the first time after boot. Not sure if I did something wrong there but I haven’t bothered trying to fix it.

2 Likes

I would also be interested in not having to enter gnome keyring passwords. In the meantime I have two of them, one with the purism 123456 and one which was set by me, and depending on whether it’s an internal or a flatpak application I have to enter one or the other. I would prefer not having to enter any password after logging into the session either via phosh or ssh.
What I read above are mostly steps to eliminate LUKS and phosh session login passwords, which are OK for me.

1 Like

That’s a really cool hack! I might actually use that at the next Linux conference when I invite people to play with the phone.

I was thinking about using one of the obscure 6000 Unicode characters in my password and then creating a custom Squeekboard keyboard that contains that key. Then I realized that it would be a pain to remember the Unicode number for that character when using ssh to login to the L5. However, that led me to setting up ssh to login with a public key so no password is required. Of course, that defeats the purpose of making my phone as insecure as possible. :wink:

Knowing myself, I won’t be able to resist explaining to the thief how to boot with jump drive and then generate a new password for the purism user and insert it into the /etc/shadow file so she can login to the phone.

Heck, why wait:

sudo apt install whois
MYPASSHASH=`mkpasswd --method=SHA-512 --salt=MY_SALT --stdin` && sudo sed -i -E "s|^purism\:[^\:]*|purism:$MYPASSHASH|" /etc/shadow

Where MY_SALT is any random value that you want to be the salt to generate the SHA512 hash to put in the /etc/shadow file.
(Use at your own risk, since I just made up that line of code to illustrate how easy it would be.)

1 Like

Careful… You might render your L5 more secure again, as the thief may not have that much time. :rofl:

2 Likes

In this thread you explain how to make the L5 as insecure as possible. In another thread you tell us all the steps and effort you put into avoiding leaking and misusing your personal data. Isn’t that contradictory?

1 Like

Only seemingly, if you lump all security, safety, privacy and usability issues as one. Everyone has their own risk profile that has various aspects weighted. I’m not pro this kind of full passwordlessness but this is useful for some - like, if you have visual impairment, trouble with fine motor skills or use alternative input methods.

L5 may be used to address some aspects that can not be addressed by other means. It’s not automatic that user can, will or should go straight to “360 365/24/7 air-tight mode”, if that doesn’t serve their needs to accomplish tasks. The dangerous precedent or contested area in this is probably that these may seem to some like a lure to (too much) convenience, which is often detrimental to security, safety, privacy etc. but at the same time, if UX (including UI and usability) is too demanding, that too may lead to not using more [not “most”] secure, safe and/or privacy protecting alternatives. Different people have different thresholds on this.

@irvinewade made a good point though, that gives a genuine point to hash out: "if you communicate privately with someone and that privacy is compromised because your phone is compromised then you are letting the other party down." How to take into consideration others [this same applies if someone is using other than linux phone] and their needs, if you lower some of the barriers (like using encryption and passwords)?

2 Likes

What are humans, if not walking contradictions :slight_smile:

I have heard @Kyle_Rankin mention before the cross-section of Purism customers, interested in privacy, security, and software freedom.
I am way into software freedom and privacy, but care less about security, if that makes sense. So, at least I get it.

2 Likes

Do you mean just like with Blackberry OS 10? This OS was stunning and I’d absolutely love this feature.

2 Likes

This is a seriously underrated post.

1 Like

You can use seahorse to set an empty password…

2 Likes

Sorry Amos, I couldn’t read this with a straight face. I thought for sure you are pulling my leg. Still I can see some of your reasoning being a valid one.

2 Likes

It’s a bad idea amosbatto,
you should have used USB or at least some minor alternative.

But you are right, you can disable authentication and it’s OK. It’s less harmless than selling all your data to AI and Microsoft, Google, Amazon, Facebook, Twitter, Tencent or someone else.

I would just use two different users. And both with encryption, but one without password. This way you could have two layers, one with secure safe data and one for a fast look into web surfing, traveling and so on.

The issue you have to take care of is your privacy data, which someone would like to mine for their big data.

Why you have to take care about your digital identity is like every email and shopping account. Someone who conquered your phone could steal your identity and could buy in your name, steal in your name, rook your friends and family or create a bank account with your identity and run up a debt.

You will not have those issues afterwards. Be careful!

2 Likes

Guy has a point. The security is…obnoxious. In leading junior developers, I’ve made the point that ‘Security is, by definition, inconvenience. The challenge is to make it inconvenient enough to make a pro get bored, while not driving an approved user crazy’. In my opinion they are darn close to that last condition.

There are websites that I just DREAD using now, because the developers have given up and made the site 2FA auth, every login. So I have to get a text on my phone or check an email EVERY SINGLE TIME I LOGIN. Even if the last time was 5 minutes ago. That, to me, is overkill. It makes me not want to use their site. I think if you get to that point, you made design errors earlier on and are now in HACK MODE. The basic functionality of a site should not require that level of inconvenience.

Now, I think the OP went a bit overboard in his ‘solution’, but it certainly was an entertaining and thought provoking read.

4 Likes

PureOS uses the script in /usr/bin/phosh-session to start Phosh. I can’t figure out how to pass the -U option to Phosh when starting. Here is the critical line of the script:

exec "${COMPOSITOR}" -S -C "${PHOC_INI}" -E "bash -lc '${GNOME_SESSION} --disable-acceleration-check --session=phosh --builtin'"

I have tried modifying what is passed in the -E option, but nothing seems to work for me.
Any ideas?

Ha ha. Yes, I did write that post tongue in cheek. I was trying to answer someone’s question on the PinePhone forum about how to shorten the password, and I thought that it would be funny to try and turn off all security. I found that Purism makes that very hard.

Honestly, however, there are some options that should exist to give a better balance between security and usability. For example, for people who use their L5 as a convergent desktop computer, there should be an autologin option. I don’t think that a lock-delay should be the default, but it should be an option that is easily activated from the GUI, and it should work correctly with suspend, which it currently doesn’t.

I do find it annoying to enter a 6 digit PIN, when 4 is enough for most people’s security. Given that PAM sets a 3 second delay between login attempts, it is going to take a phone PIN punching robot 8.3 hours to try all 10,000 combinations in a 4 digit PIN, whereas it will be 833.3 hours to try all 1,000,000 combinations in a 6 digit PIN, so some people might need that 6 digit PIN, but the vast majority of people don’t.

1 Like

I don’t remember how I ended up doing it, but it was discussed here.
Maybe using something like this run.in · main · World / Phosh / phosh · GitLab

1 Like