got a root password to forget?

so then what is the point of having a password in the first place if hacking it is easier than hacking that "other" OS that starts with a "win" and ends with a "dows"

Anyone with physical access to your computer owns all of your unencrypted data, whether you run Linux or Windows. Encrypt your data and/or store it on a server in a secure location, if you are concerned.

Think of your password like the seatbelt in your car. It will protect you from injury in a minor accident, but it won't help if you drive off a cliff. In other words, always buckle up, but don't get a false sense of invincibility!

I remember back when NT4 came out, the NSA (National Security Agency - US) did a security analysis of NT, and basically, the conclusion they came to was that if the machine had no external connections (mouse, keyboard, monitor, printer), no power, was locked up and locked down (so it could not be physically moved), then it would be safe!

Windows XP is what, NT5.1?

i have used ophcrack several times for "observation" reasons [looks innocent]

but with windows you actually have to download a cracking program and wait a few minutes.
With linux all i have to do is type 1 command and I am god.

Ths seems worse than winblows.

rigosantana3: well... you can always password protect GRUB: http://www.gnu.org/software/grub/manual … urity.html

Edit: just noticed johnraff also had posted a link to the same site

Last edited by cut_copy (2009-07-16 22:45:26)

It applies to both Windows and Linux, but look up Konboot: http://www.piotrbania.com/all/kon-boot. It can boot up without a password on Windows and Linux.

The way people make up passwords even Cain & Able used on Windows with a pulled hard drive usually gets a password off of any Windows machine also.

I just installed #! (I like that name!). on a machine for someone else.  So I made up username and password. Then I promptly forgot what the username was, and wasn't sure of the password. I followed the directions above to the "T", but when it got to the point of booting into a root (single user mode) I got instead a requirement to enter the root password, (which of course is what I had forgotten).  Nothing that I could do would change that. 

I'm using crunchbang 9.04 on a Pentium 3 class laptop. Maybe they have changed that behavior in recent editions of Ubuntu.

What I did to get back in: I booted from the CD with DSL-N. in a terminal - mounted the partiton where crunchbang resides and went to /home. ls -l told me what the username was. Then I only had to try what I thought the password might be until I got it right. Not to difficult since I am the one who had set it just a short while before.  But it would have been pretty daunting for someone who had no knowledge of it.

Even so, as many have commented, no data is safe (unless it is encrypted?) once a hacker has your computer in his/her hands.

Many people have commented on encryption, but I have never heard of practical encryption that cannot be broken with a brute force attack given the time to do so. Even the people behind openssh say that a remote computer could see all of the data transmitted merely that by the time the data was decrypted it would be useless (Which seems a bit of an assumption to me...).

Also, there are ways to get away from the risk of grub giving away a root password at boot. First off not every kernel has a single user mode compiled in, you could always compile one without one. Second, grub isn't the only bootloader in existence. I cannot recall Lilo giving me the opportunity to set things at boot (though I may just be missing the option) and I don't recall System Commander 2000 doing it either (Though I haven't used it in some time).

The point is, data on a computer is by it's intrinsic nature very insecure, however the security that Linux even in it's least secure state is leaps and bounds above what the average user needs. If one really wants to keep data secure there are only two options that I can really think of, and that is a one-time pad, which is rarely practical or to use security thorough obscurity.

One-time pads are still somewhat vulnerable if one accurately guesses what part of the message must say (Which isn't as hard as it sounds) and the only security through obscurity I would trust is something unique. I have yet to meet someone who can crack a unique conlang that is a priori. It is doubtful any computer could brute force attack something like that either due to the ambiguous nature of language. Obviously a conlang would only be useful in the context of computer security only if the entire os was written using that langauge (From scratch, someone could figure out know linux/unix/dos,etc commands via a brute force attack) or if the documents that needed to be secured were actual paper documents (which is what I do).

My point is, security is more or less an illusion created to sell computers. The only 100% secure data is data that is never stored on any medium.