I've just imported a Whonix VirtualBox VM, and have encrypted its drive via VirtualBox settings. Now when I booted it, the default credentials are "user/changeme", and setup suggests I change the password. I am not sure if I need to change the defaults.

If the VM itself is already encrypted, does setting complex user passwords make the system any more secure? I am the sole user of this computer, I only care if someone uses it in my absence.

Uprooted

1 Answer

What you are asking for is a risk assessment. A strong password protects you from something. You want to know if you need to be protected at all. We can't know all the possible threats against your system, but the risk model is easy to discuss.

Default credentials are like not having a password at all. So, if you start from that point, what impacts might there be if you didn't have a password?

  • someone with access to your machine could log in easily and gain access to whatever that user has access to - but if there is nothing of value, then your risk is minimal
  • if you set up remote access, then any remote user would have easier access to the VM - but if there is no remote access, then there is no risk

Strong security is always great, but security secures against a threat. If there is no threat, then there is no need for controls to mitigate that threat.

schroeder
  • VM encryption protects from logging into it in my absence and I don't need remote access – Uprooted May 12 '21 at 12:24
  • Unless the VM password is compromised, then having a strong user password gives you defense-in-depth. But again, that's only valuable if there is something to protect. – schroeder May 12 '21 at 12:25
  • If VM password is compromised, then its drive can be decrypted and mounted, and then user/root passwords can be reset by editing /etc/shadow. IMO there's no added security in strong user password. – Uprooted May 12 '21 at 12:31