Today's article has us going to infinity and beyond!

KGIII

Why yes, I have seen one of the Toy Story movies.

Anyhow, nothing is really infinite (according to our current observations), so you can't really have an infinite Bash history. Long before the heat death of the universe, you'll run out of disk space. But, you can have a really big Bash history because it's just plain text and doesn't take up much space.

So, it's not technically infinite - but the setting you're using is considered to make it infinite. Don't worry, it's remarkably easy.


And, yes, I do want infinite Bash history. If it's a brand new install, you can bet that I'm going through my backups and copying my Bash history to the new device. That's where I store all the good stuff! I even copy my Bash history to other computers that aren't new - though I do that less often and actually merge them and remove any duplicates.
 


Before you run off and just do it, think about whether you really want an unlimited history or log file. If an attacker gets into your account, they may look at your .bash_history file to see if you accidentally typed your password at the wrong prompt.

Those file limits are there for various reasons, and they may not always be about data storage overconsumption. Think about it when you change the settings or simply blow through them like stunt cars through walls.

Recently I typed a password at the wrong prompt accidentally. I cleaned up a log file. It wasn't captured in a backup, so that was as far as it went. No big deal.

Yeah, I know most people do not bother. It is not worth arguing here. This thread is about changing the bash history limits.
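The check the post above points toward, as an added example that is not part of the original thread: a POSIX shell function that lists the line numbers of history entries that look like a password typed at the wrong prompt. The length and character-class heuristic, the function names and the sample history are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag history lines that look like a password typed at the
# wrong prompt. Reports line numbers only, never the suspect text itself.
LC_ALL=C; export LC_ALL
TAB=$(printf '\t')

# Heuristic (an assumption): 8+ chars and at least 3 of the 4 classes
# lower / upper / digit / other.
looks_like_secret() {
    w=$1; classes=0
    [ "${#w}" -ge 8 ] || return 1
    case $w in *[a-z]*) classes=$((classes + 1)) ;; esac
    case $w in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case $w in *[0-9]*) classes=$((classes + 1)) ;; esac
    case $w in *[!a-zA-Z0-9]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge 3 ]
}

# suspect_lines FILE: print the line numbers of suspect entries, space-separated.
suspect_lines() {
    n=0; out=""
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'[0-9]*) continue ;;       # blank, or a HISTTIMEFORMAT timestamp
            *" "*|*"$TAB"*) continue ;;     # has arguments, so it was a command
        esac
        # A lone word that resolves to a command (ls, top, ...) is not a secret.
        if command -v -- "$line" >/dev/null 2>&1; then continue; fi
        if looks_like_secret "$line"; then out="$out $n"; fi
    done < "$1"
    echo "${out# }"
}

# Constructed sample history (not real data); both passwords are made up.
sample_history() {
    printf '%s\n' '#1700000000' 'ls -la' 'cd /tmp' 'sudo apt update' \
        'Tr0ub4dor&3' '#1700000060' 'git status' 'hunter2' 'ls' 'Correct-Horse-9'
}

tmp=$(mktemp)
sample_history > "$tmp"
echo "suspect lines: $(suspect_lines "$tmp")"
rm -f "$tmp"
```

Pointed at `~/.bash_history`, the function gives line numbers to review in an editor; short or single-class passwords (such as `hunter2` in the sample) fall below the heuristic and are not flagged.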
 
I humbly disagree...

If an attacker has access to your ~/.bash_history, they probably don't actually need your passwords.

Keeping a shorter history does mean there's less time, but we have no idea when this alleged hacker had access. I'm not seeing that as much of a security issue.

So, I really can't think of a good reason for me to worry about it. If anyone has unmonitored physical access to your device, you've already ceded control to them and they won't need your password.

Also, don't type your password unless you really mean to. That'll solve that aspect. Only enter your password when you both expect to and the computer prompts you to do so. (If it randomly starts asking you for a password when you aren't expecting to enter a password, you probably ought to have a look around before entering your password.)
 
The issue isn't the compromised system. I agree - the attacker is already there. It is about how the new stolen information can be used. Now the attacker knows the plaintext password to try elsewhere. It should be apparent how such information can be used for evil ... or good.

How many people do you know who use the same password on their computer and their phone and their Facebook account? There have been real incidents where these and similar techniques were used to recover essential information. (Example for good: There is a contract dispute with an IT consultant. The consultant walks out with the passwords and is non-responsive. What next?)

There is no right answer here, and I tried to say that in my first reply above. That's the problem with security discussions. It is about reducing risk to an acceptable level at an acceptable cost, not complete prevention. What is "acceptable" depends on many factors including personal risk tolerance.

(Example: Good dental care reduces your risk of tooth decay and cavities, but it does not eliminate them. You could reduce your risk of cavities by having a dental hygienist clean your teeth after every meal, but the extra risk reduction you achieve may not be worth the time, effort, or cost over the regular dental care that normal people do.)
 
Now the attacker knows the plaintext password to try elsewhere.

If they're using the same password everywhere, an attacker's going to go that route rather than breaking into random Linux systems by an unknown exploit.

There is no right answer here, and I tried to say that in my first reply above.

But, yes, do what you want. I just wanted to make sure there was a response to your post that went into some detail.

Though this does make me think of a nice easy article to write - about some basic security steps folks can take, such as not using the same password for different things. That and stuff like not typing your password out in places you shouldn't and at times when you shouldn't.

On the other hand, there are accounts that I don't care about where I literally use 'password' as the password. They're sites I don't care about and won't have any personal information attached to them - nor will there be ways people can use them to impersonate me. Other times, I just use random-ish gibberish and use 'forgot my password' as my password manager.
 
