On Wed, Apr 09, 2025 at 09:34:08 -0400, Jeffrey Walton wrote:
> Disabling root logins by default is especially important when a
> network attacker can use the login, like via SSH. The network attacker
> is usually your #1 threat,

There may be systems where this is true; for example, a public web server.

On the vast majority of desktop systems, however, the #1 threat is probably one of these:

* Malicious code executed within a web browser by an ad, or a web page, or something the user clicks in a spam email.

* Social engineering attacks in which the user is tricked into giving information to a malicious party (phishing email, etc.).

<https://xkcd.com/1200/> is pertinent here.

An infiltration of the root account is bad, but mostly because of what it lets the attacker do *afterward*. They may install a key logger, or packet sniffer, or something along those lines, which gives them the user's personal data or secret credentials, which they can then use for their actual attack, which might be identity theft, regular old theft, etc.