Recommended length of Linux user account password

How many words is linux user account password in diceware?

I’m not sure it really matters.

Your disk encryption password is the important one. Once that’s decrypted, the Linux password doesn’t add much additional security to anything. I wouldn’t make it trivial, but neither would I drop a huge amount of effort into the Linux password either.


Assuming “Linux user account password” is referring to the dom0 user account: Well, it’s used for the screen locker by default, so it still matters, but how much it matters to you depends entirely on your threat model.


It depends on how many times you use it and how important it is.
Personally, my LUKS password is at least 30 words with many special characters.
My root password is like 123456.
It all depends on your threat model.
A strong root password is good on servers and anything where many users access the system at user level. If you’re the only one using the system, I think it’s less important, especially if the system is isolated from the network.

@kzlz Note that the strength of a diceware passphrase depends on the size of the list that’s used to generate it. The longer the list, the fewer words you need to achieve a given strength goal. There is a trade-off, of course: because there are only so many meaningful words in any given language, when the list becomes longer, the words become harder to remember, to type, etc.

So in order to reply to your question, I’d suggest you start by setting yourself a strength goal (for example: 77 bits of entropy; that’s just an example). That will depend on your threat model: what you’re trying to protect, from whom, how much time they’ll have to unlock your laptop, how long each try will take them, what the consequences are if they succeed…

Note that most strength recommendations are made for web services (including the 77-bit example in the link below); your use case is somewhat different because an attacker would likely not have permanent access to your laptop, as is typically the case for web services. Also, the screensaver includes delays to slow down attacks, etc.

Once you’ve defined how strong you want the passphrase to be, you can look at different lists and see what the passphrase would look like. You may find that you prefer typing more shorter words, or a smaller number of longer words, or that you don’t mind meaningless words if there are only a few of them! It is really about finding the list that works for you.

I find that this article by the Electronic Frontier Foundation does a good job of explaining how strength and the size of the list relate in an accessible way. (And I personally find their lists well-designed!)
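As an added worked example (not part of any post above), the script below puts numbers on the list-size trade-off and the throttling point from the reply above: it computes how many words each EFF list needs to reach a 77-bit goal, and how the expected guessing time changes between an unthrottled offline attack and a screen locker that delays each attempt. The guess rates are constructed assumptions, not measurements of any real locker or cracking setup.

```python
import math

# Word-list sizes used below. The EFF long list has 7776 words (6^5, five
# dice) and the EFF short list has 1296 words (6^4, four dice); those two
# sizes are well known. The guess rates further down are constructed
# assumptions, not measurements of any real screen locker or cracking rig.
EFF_LONG = 7776
EFF_SHORT = 1296


def bits_per_word(list_size: int) -> float:
    """Entropy contributed by one uniformly chosen word from the list."""
    return math.log2(list_size)


def passphrase_entropy_bits(list_size: int, n_words: int) -> float:
    """Total entropy of n_words independent draws from the list."""
    return n_words * bits_per_word(list_size)


def words_for_target(list_size: int, target_bits: float) -> int:
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(list_size))


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random passphrase: on average the
    attacker needs half the keyspace, i.e. 2**(bits - 1) guesses."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


def compare_lists(target_bits: float, guesses_per_second: float) -> dict:
    """Per list: words needed, resulting bits, expected crack time in years."""
    year = 365.25 * 24 * 3600
    out = {}
    for name, size in (("eff_long", EFF_LONG), ("eff_short", EFF_SHORT)):
        n = words_for_target(size, target_bits)
        bits = passphrase_entropy_bits(size, n)
        out[name] = {"words": n, "bits": round(bits, 1),
                     "years": expected_crack_seconds(bits, guesses_per_second) / year}
    return out


if __name__ == "__main__":
    # Offline attack on a leaked hash (constructed rate) vs. a screen locker
    # that throttles attempts (constructed rate of one guess every 3 s).
    for label, rate in (("offline 1e10/s", 1e10), ("locker 1 per 3 s", 1 / 3)):
        print(label, compare_lists(77, rate))
```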