How to choose a root password that you’ll remember

Root passwords and Administrator passwords: Too simple, and you expose the security of the whole machine. Too complex and (if you’re like me) you forget them. With the number of passwords we all need to retain now, what do you do?

A greybeard Unix admin once let me in on the answer to that question, and I’m going to tell you now.

Start with a three-word pattern. Anything that a puerile mind like mine will retain. For example, let’s use the phrase Peet’s Coffee and Tea. Bin the “and”, so you have:

Peets Coffee Tea

Get the first two characters of each word and bung them together, and you get:

PeCoTe

Add some other characters to your mental password generator, like this:

PeCoTe1!

Exactly how you transform a phrase into a password is up to you, and should be kept secret. Sharing a new password then becomes easy because you can verbally give your colleagues a phrase that they can remember:

“Hey Bob, I changed the root password”

“Yeah?”

“Yeah, it’s not the coffee one, it’s Zombie Flesh Eaters”.

“Right”.

Job done. I once had to disclose a password to a man who had been the subject of an uncomplimentary three-letter phrase. That wasn’t good. Try to keep it impersonal.


5 thoughts on “How to choose a root password that you’ll remember”

  1. That seems a bit retro, like you’ve got a limited number of characters for your password. Why not “PeetsCoffeeTea1!”?

  2. Ken Mayer says:

    I respectfully disagree with the premise.

    No one should ever use “root” for anything except single-user mode emergencies and initial configuration. Make it a long string of random characters and store it in a safe or encrypted on a secure hard drive. Make it unique for every box. Then forget about it.

    Use sudo instead. Leaving sudo’s arcane configuration syntax aside for the moment, using sudo means every action is logged with a real person’s name and a time stamp. Another good reason: you don’t have to change the root password if someone quits or is fired.

    Use a password vault (like 1Password for the Mac — there are many others). Make every single password unique, long and as random as possible. Then make your master password really hard to guess, but easy to remember (the first letter of each word from a long sentence, FIPS standards, two random words glued together by a figure or glyph, the suggestions here). And just in case you’re run down by the Budweiser Beer Wagon one day, write it down and put it in a locked safe — to be opened when you are beyond caring.

  3. […] comment from Ken Mayer on my post about root passwords: No one should ever use “root” for anything except single-user mode emergencies and initial […]

  4. simpsonjulian says:

    @ken – I did penance and wrote a new post.
    @jtf – fair point – although it does remind me of the passwords that CompuServe would hand out with their free floppy disks in the 90s. Maybe I was the only one to actually use those …

  5. Steve Robb says:

    My team has been using Secret Server for a while now.

    It is designed for sysadmin teams – basically a web-based password vault with permissions, etc., but it can also test and actually change passwords for you.
    http://www.thycotic.com

    We have it randomizing our root passwords on a schedule. We also dabbled with the checkout where it changes the root password 30 minutes after you use it.

