Setting strong passwords

First things first, let’s get some great passwords set up for our root and custom user.

None of this 12-character, numbers-and-letters nonsense… we want 64-character monster passwords that God can’t even remember.

Of course I strongly suggest adopting a password manager (like Bitwarden) to help you manage these, as manually typing them in will be a nightmare.

Important: Password wallets are amazing, but can also become a single point of failure in your security effort if you don’t secure the wallet itself with a sufficiently complex password.

Don’t go through all the work of generating huge passwords and storing them, only to lock down the password wallet with “password123”.

Be sure to make the wallet password some long passphrase, like “My favorite time when I was a kid was swimming in the lake”.

And also NEVER access/unlock your wallet from a computing environment you don’t trust (e.g. a public computer).

Generating a new password

If you are using Bitwarden, LastPass or some other password wallet, they have password generators built in.

If you aren’t using them, you can try a simple online one like this one.

The most important setting for the password you are trying to generate is the Length – you’ll want something 32+ characters long. Beyond that, enabling numeric and special characters is also a good idea.

Using Bitwarden, this is an example of the settings I’m using:

[Screenshot: Bitwarden password generator settings]
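If you would rather not paste a secret into a web page, you can generate the password on the server itself from the kernel’s random source. The script below is an added example, not part of the original post or of Bitwarden; it assumes a POSIX shell with tr, head and awk, and it also prints the entropy of the result next to that of a 12-character letters-and-digits password, which is the real reason the length setting matters.

```sh
#!/bin/sh
# Added example: generate a long random password locally from /dev/urandom and
# estimate its entropy in bits. Assumes a POSIX shell with tr, head and awk.

# gen_password LENGTH
# Reads bytes from the kernel CSPRNG, keeps only characters from a fixed
# printable set, and cuts the stream at LENGTH characters (default 64).
gen_password() {
  len="${1:-64}"
  # '-' is deliberately left out of the set so tr does not read it as a range.
  LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*_+=' < /dev/urandom | head -c "$len"
}

# charset_size
# Number of distinct characters gen_password can emit:
# 26 upper + 26 lower + 10 digits + the 11 symbols in the tr set above.
charset_size() {
  echo 73
}

# entropy_bits CHARSET_SIZE LENGTH
# A uniformly random password drawn from CHARSET_SIZE symbols has
# LENGTH * log2(CHARSET_SIZE) bits of entropy; printed as a whole number.
entropy_bits() {
  awk -v c="$1" -v l="$2" 'BEGIN { printf "%d", l * log(c) / log(2) }'
}

# Demo when run directly: one 64-character password plus a comparison of
# entropy against the "12-character, numbers and letters" kind.
pw=$(gen_password 64)
echo "generated: $pw"
echo "64 chars from a $(charset_size)-symbol set: $(entropy_bits "$(charset_size)" 64) bits"
echo "12 chars from letters+digits (62 symbols): $(entropy_bits 62 12) bits"
```

The entropy figure only holds if every character is drawn uniformly, which is why the script reads /dev/urandom rather than $RANDOM or the date; anything you type yourself, even at 64 characters, will sit well below the printed number.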

Setting new passwords

Now that we know how to generate new/monster passwords, let’s update our root and non-root account with them.

First, login to your server (if you aren’t already) as your non-root user.

Tip: If you have been following the guide up to here, it should be impossible for you to login remotely as root anyway.

Setting non-root user password

Now, using the passwd command, we will be prompted to enter our current password (to make sure it’s us) and then our new password… twice!

$ passwd
Changing password for rkalla.
Current password: 
New password: 
Retype new password: 
passwd: password updated successfully

You’ll notice the old and new passwords are never echoed back to the terminal, so you don’t see anything being entered or confirmed as you type the passwords.

After you are done, leaving your current terminal connected, open a new terminal window and attempt to connect to your server with the same non-root user and your new password.

Tip: We are leaving the current session connected, instead of disconnecting and immediately trying to connect with our new password, just in case we got something wrong and would otherwise lock ourselves out of the machine. The open terminal is an insurance policy against a misconfiguration locking us out.

Once you have confirmed that your password has been successfully changed, go ahead and stay logged in on the new terminal and log out of the old session where you began.

Setting the root user password

Now we want to use passwd to change the password for the root user.

First, log into the root account using su, like so:

$ su -
Password:

Again, you won’t see the root password when you type it in.

After hitting enter, you can confirm you are logged in as root using the whoami command:

$ whoami
root

Good, we are in the right account context, so just use the command like we did above for the non-root user:

# passwd
New password: 
Retype new password: 
passwd: password updated successfully

Nice, the password is updated!

It might be a good idea to leave this terminal open, open another one, and try to log in to the root account again with the new password to make sure you captured it correctly.
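After both passwords are changed, it is worth a quick look at /etc/shadow to confirm that root and your user now carry a modern hash and that no account on the box has an empty password field. The script below is an added example (not from the original post); it classifies each account by the crypt(3) prefix of its hash, flags empty and legacy entries, and runs against a constructed sample file so it can be tried without root. Point audit_shadow at the real /etc/shadow (under sudo) to check your own server.

```sh
#!/bin/sh
# Added example: audit the password hashes in a shadow file. Assumes a Linux
# system using the usual crypt(3) hash prefixes; reading the real /etc/shadow
# requires root.

# shadow_hash_status HASH_FIELD
# Classifies the second field of a shadow line by its crypt(3) prefix.
shadow_hash_status() {
  case "$1" in
    "")                      echo "EMPTY (no password required!)" ;;
    '!'*|'*'*)               echo "locked" ;;
    '$y$'*)                  echo "yescrypt" ;;
    '$7$'*)                  echo "scrypt" ;;
    '$6$'*)                  echo "sha512crypt" ;;
    '$5$'*)                  echo "sha256crypt" ;;
    '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt" ;;
    '$1$'*)                  echo "md5crypt (weak)" ;;
    *)                       echo "other/legacy (weak)" ;;
  esac
}

# audit_shadow FILE
# Prints "user status" for every line and returns 1 if any account has an
# empty password field or a weak hash, 0 otherwise.
audit_shadow() {
  rc=0
  while IFS=: read -r user hash _rest; do
    status=$(shadow_hash_status "$hash")
    echo "$user $status"
    case "$status" in
      EMPTY*|*weak*) rc=1 ;;
    esac
  done < "$1"
  return "$rc"
}

# Constructed sample shadow lines; the hash bodies are placeholders, not real
# secrets, and the users are made up for the demo.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
rkalla:$y$j9T$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
legacy:$1$abc$PLACEHOLDERHASH:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF

audit_shadow "$sample" || echo "weak or empty passwords found"
rm -f "$sample"
```

On a current distribution, passwd writes yescrypt ($y$) or sha512crypt ($6$) entries; an account that still shows md5crypt after you changed its password, or any EMPTY line, is something to fix before moving on.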

Important: Remember to store these passwords someplace secure; printed and stored offline in a safe, on cold/air-gapped storage, in a special digital wallet just for your server, etc.

Alright, now your most critical accounts on your server (root and your non-root account, which may be in the sudo group) have strong passwords set on them.

You are one step closer to sleeping better at night!