DO Ideas 2

Redesign how to handle root password

I suggest redesigning it entirely rather than patching on top of the broken model.

I just added SSH keys, and created a new droplet with them, then I didn't receive the email with the root password.

I asked support and they told me that it won't send the root password by email when the droplet is set up with SSH keys.

This inconsistency is no good for multiple reasons:

1. It made me wonder if it was a bug or the email was lost. There was no way I could have learned that adding an SSH key would change the behavior. It's a major user expectation failure.
2. You can lose SSH keys pretty easily. Laptops can be stolen, disks can crash, you can clean install OSX, or just buy a new machine. Now you have to "reset root password" because you never received one. That requires a reboot, which is risky and unnecessary. Your personal problem (lost laptop) shouldn't affect overall server uptime; it is unexplainable to managers or investors.

For the above reasons, I suggest:

1. Make it consistent = keep sending the password by email. I know some people are opposed to sending passwords by email, but if this is your reaction to that, you're doing it wrong. Don't add optional behavior like this; it will only create more exploit points for attackers - complexity is the worst enemy of security. https://www.schneier.com/blog/archives/2013/01/complexity_and.html
2. Allow setting your own password when creating a droplet. (which Linode does)
3. Allow password reset without reboot.

  • Kenn Ejima
  • Sep 11 2018
  • Matt Williams commented
    September 11, 2018 17:41

    Don't select an SSH key, and then add yours manually later? ... mountain out of molehills ...

  • Teshoo Lama commented
    September 11, 2018 17:41

    The way DO have it configured currently is perfect.