Specifically, if someone knows my sudo password, can they get my internet password from my browser?
Asked
Active
Viewed 222 times
0
-
1That depends on a lot of things. Does the attacker have unsupervised physical access to the computer on which the password grants super-user access? Does the computer store the password or any other access tokens to the e-mail account? Does the computer store access tokens to external resources that (indirectly) store the e-mail account password? Is the password to the e-mail account similar or identical to the super-user password? – David Foerster Sep 13 '17 at 20:33
1 Answers
2
First of all, the sudo password is the normal account password of an admin user of your computer. It can be used to log in to your account and to get root permissions i.e. full access to the whole system from there.
What is necessary to use the password though is any kind of access that allows you to log in on your machine. This is e.g. physical access (but there is no real defence against an attacker with physical access anyway, see e.g. How to secure my laptop so that hacking by physical access is not possible?) but also SSH or Remote Desktop, if that is enabled and reachable over network. Also keep in mind that there always might be some unknown and unpatched vulnerabilities that could be exploited.
Now, how to get from system access (which is already pretty bad) to email? If your email account credentials are stored anywhere on your computer in unencrypted form (e.g. Firefox/Thunderbird standard password manager without master-password) or encrypted with your account password (e.g. Chrome stores its passwords in your user account's login keyring), they are readable by someone with access to your user account. Also if you use a mail program like Thunderbird which saves local copies of your emails, these will be accessible too.
Other than that, unfortunately most people (no idea to what extent this applies to you) often reuse the same or similar passwords for different things. If your local Ubuntu user account password is equal or similar to your email account password, someone might have the idea to try it. Even if they are not too similar, knowing one of your passwords might give hints on your personal password invention technique, which could improve chances of targeted intelligent brute-force or dictionary attacks.
Conclusion
Your sudo/user password is a local password, which is only useful for those with access to your machine that allows them to log in. So if your system is otherwise well secured, a random stranger with no other identifying information about you can't do much with it.
However, passwords in general should be treated sensitive, especially because humans often use similar passwords or schemes to create them.
Byte Commander
- 107,489