
If I am the only user of a computer, can I disable the password when I log in? That is, the user account has a password, but in the settings I turn on autologin:

/etc/lightdm/lightdm.conf

[Seat:*]
autologin-user=user
autologin-user-timeout=0

Is this an Internet attack vulnerability?

secmost
  • You mean if you are the only user of the computer? – elsadek Jul 04 '20 at 12:04
  • I think we're missing a lot of detail here. How do you access it? What type of user account? How are you logging in? Is it connected to the Internet? Can you expand on the question? – schroeder Jul 04 '20 at 12:11
  • Also, what do you use your computer for? Watching Netflix? Developing software for a fortune 500 company? Selling illegal drugs on the dark web? Storing nuclear launch codes? – Conor Mancone Jul 04 '20 at 12:20
  • > You mean if you are the only user of the computer?
    Yes.
    > I think we're missing a lot of detail here. How do you access it? What type of user account? How are you logging in? Is it connected to the Internet? Can you expand on the question?
    I have two accounts: user and root. I always work under a user account. I wanted to do auto-login only when running Debian (xfce / lightdm) – secmost Jul 04 '20 at 13:04
  • https://security.stackexchange.com/help/merging-accounts – Joseph Sible-Reinstate Monica Jul 04 '20 at 13:22
  • @secmost It's dead simple: Do you think it's reasonable that someone will have physical access to your computer? Or asked the other way around: Do you think having a password will likely keep someone out? –  Jul 04 '20 at 18:49
  • @MechMK1 I think that if someone has physical access to the computer, entering a password when entering from the display manager (for example, LightDM) will not protect him when entering the system. Then why not use an autologin? This is exactly the autologin in LightDM, and not the lack of an account password – secmost Jul 05 '20 at 02:50
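The question's config fragment is the whole "attack surface" being discussed, so a small audit of it is a useful reality check. The following is an added example (not code from the question or either answer): it parses lightdm.conf text with Python's configparser and reports every seat section that would start a session without a password, which is the physical-access exposure the answers below discuss. The two config strings are constructed samples (one is the fragment from the question, the other the same file with the autologin keys commented out); the `autologin-guest` key and the `/etc/lightdm/lightdm.conf.d/` drop-in directory are standard LightDM, not mentioned on this page.

```python
import configparser
import glob
import os

# Constructed sample: the fragment quoted in the question.
QUESTION_CONF = """\
[Seat:*]
autologin-user=user
autologin-user-timeout=0
"""

# Constructed sample: the same seat section with autologin disabled
# (keys commented out, so LightDM falls back to the greeter prompt).
HARDENED_CONF = """\
[Seat:*]
#autologin-user=user
#autologin-user-timeout=0
"""


def parse_lightdm(text):
    """Parse lightdm.conf-style text; section names such as [Seat:*] are kept verbatim."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep keys exactly as written (autologin-user, not lowercased)
    cp.read_string(text)
    return cp


def audit_autologin(text):
    """Return one finding dict per seat section that logs a user in without a password."""
    cp = parse_lightdm(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("Seat:"):
            continue
        user = cp.get(section, "autologin-user", fallback="").strip()
        # autologin-guest is a standard LightDM key (assumed here, not on the page)
        guest = cp.get(section, "autologin-guest", fallback="false").strip().lower() == "true"
        if not user and not guest:
            continue
        timeout_raw = cp.get(section, "autologin-user-timeout", fallback="0").strip()
        try:
            timeout = int(timeout_raw)
        except ValueError:
            timeout = 0
        note = "session starts with no password at boot; physical access equals logged-in access"
        if timeout == 0:
            note += "; timeout=0 gives no window to choose a different account at the greeter"
        findings.append({
            "section": section,
            "user": user or "guest",
            "timeout": timeout,
            "note": note,
        })
    return findings


def audit_system(path="/etc/lightdm/lightdm.conf"):
    """Audit the live main config plus drop-ins in lightdm.conf.d/ next to it.

    Returns {file: findings}; files that do not exist are skipped, so this is
    safe to call on a machine without LightDM.
    """
    dropins = os.path.join(os.path.dirname(path), "lightdm.conf.d", "*.conf")
    results = {}
    for f in [path] + sorted(glob.glob(dropins)):
        if os.path.isfile(f):
            with open(f, encoding="utf-8", errors="replace") as fh:
                results[f] = audit_autologin(fh.read())
    return results


if __name__ == "__main__":
    for name, conf in (("question", QUESTION_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_autologin(conf))
    for f, r in audit_system().items():
        print(f, r)
```

Running it on the question's fragment yields a single finding for `Seat:*` with user `user` and timeout `0`; the hardened variant yields none. Note what the audit does and does not say: it flags local exposure only, which matches the answers below, and says nothing about network services, because autologin by itself opens no port.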

2 Answers


When considering if auto login is a risk, we must first know the use for the machine.

Like when it’s a public machine, having that autologin is not really a problem if sufficient safeguards are put in place to prevent abuse. Think of machines like kiosks or ATMs or other public service machines.

When we are talking about a personal machine it depends on the use. If it’s for someone that can not be expected to enter a password it could be ok to have that autologin. (Think users like people with memory issues / dementia or users that are really old / need some sort of assistive technology, like poor eyesight / blind or mobility limited / in a wheelchair). In such cases alternative safeguards are needed to protect the user and system, since a password is not an option.

If it’s for a normal person without limitations in use of the machine, the risks of autologin are far greater than the benefit it offers. If ease of login is wanted you could consider using a login stick instead of a login password (like a YubiKey or alike).

If the machine is mobile, no password is a no-go (imho); the same goes for encryption of the disk (I consider that a must-have). These things are impossible to combine with an auto login.

As always, first consider what someone could do with the additional permissions (no login in this case) that you think are unwanted or a risk. Then consider the “cost” of having the feature in place, not just the cost in money but also the cost in time and effort. Security is a game of having the most gains while keeping effort reasonable.

LvB


Auto login is typically a bad move, mostly from a physical security standpoint. If you have other services running which use your user account, that could also open it up to attacks, however a lot of services will refuse to allow logins from passwordless accounts unless you specifically allow it. (Edit: but you said you had a password still, disregard) If the computer is in a locked office in your house behind an internet router / firewall you should be relatively safe from internet attacks.

Prunes
  • The question asks about attacks over the Internet with autologin turned on. This only mentions two irrelevant things: a blank password (not necessary for autologin), and local attacks (not what's being asked about). – Joseph Sible-Reinstate Monica Jul 04 '20 at 13:24
  • So the correct response I should have given him is just "No"... – Prunes Jul 04 '20 at 13:48