Do I need a strong user password for an encrypted VM?



  • I've just imported the Whonix VirtualBox VM, and have encrypted its drive via VirtualBox settings. Now when I booted it, the default credentials are "user/changeme", and setup suggests I change the password. I am not sure if I need to change the defaults.

    If the VM itself is already encrypted, does setting complex user passwords make the system any more secure? I am the sole user of this computer; I only care if someone uses it in my absence.



  • What you are asking for is a risk assessment. A strong password protects you from something. You want to know if you need to be protected at all. We can't know all the possible threats against your system, but the risk model is easy to discuss.

    Default credentials are like not having a password at all. So, if you start from that point, what impacts might there be if you didn't have a password?

    • someone with access to your machine could log in easily and gain access to whatever that user has access to - but if there is nothing of value, then your risk is minimal
    • if you set up remote access, then any remote user would have easier access to the VM - but if there is no remote access, then there is no risk

    Strong security is always great, but security secures against a threat. If there is no threat, then there is no need for controls to mitigate that threat.


