This highly depends on the situation but I feel that both can be secure as each other. Some things you might want to note:

* Kubuntu is designed to work with a locked root account - all the guides are written for it
* Most automated scripts on the internet tend to attack weak password on the root account (otherwise they have to guess the username which is harder to do) - but this is moot if you are behind a firewall/router.
* If you share user accounts then you need a separate administrator account anyway to stop other users doing things they shouldn't.
* You can cause allot of damage if you do the wrong thing while logged in as root (or if you run everything with sudo even if you don't need to)

Personally I like to use sudo and keep the root account locked that way I don't need to remember two different passwords (or remember to update both when I change them).

Yes I know Kubuntu is designed to work with a locked Root account. I also know the amount of damage you can do should you use the root account as a normal account, but are you saying you can't do the same amount of damage using your sudo enabled account?

I was asking which in your opinion was more secure? Or are they both as secure as each other?

I don't think one way is more secure than the other in terms of "security" as opposed to safety. A password is only as strong as it's creator. If you're in the habit of writing down your password and leave it laying about, it's no good at all. If you follow the "strong" password rules then you're as safe as that portion of your system can be.

I'm not even convinced that sudo vs. su is any safer, it just imposes a layer of one additional step to most actions that requires you to enter your password once again every so often. Even this can be easily changed by those inclined to do so.

My previous primary distro did it the other way (root account enabled by default, sudo disabled). I will say I trashed that install way more often than this one, but more likely that was lack of knowledge rather than the place I had to enter a password. It's really more of a philosophy than a real substantive change.

I can see a proper place for both environments. If you allow others (the wife, business partner, kids) to use your computer while you're logged on, I'd disable sudo. Otherwise, set it up whichever way you prefer. Although James' point about the guide is well taken, I suspect if you're savvy enough to close sudo and setup your root account you'll understand if differences when reading a HowTo.

I suspect the only valid reason to not enable root is this one, also from James:

Another benefit from sudo is that it encourages people to mostly do their work as a "normal" user and only do "privileged" operations as needed. Whereas, with su it is normal for people to start up a shell as root and remain in that mode for extended periods of time. When in a root shell, it is easy to for a user to forget that they are privileged and do some unintended damage. A user can do considerable damage in either "su" or "sudo". But in my experience, fewer "accidents" occur with "sudo".

I would not classify this as "authentication" security. Rather, it's more security against "stupidity".

I will second the thoughts that one is not better or worse than the other. The real thing is whether or not there is any reason to switch from one to the other.

to reiterate some points:
1) With sudo, an external 'hacker" needs to discover not only the password, but the username as well.
2) Look at some problems that crop up when users have enabled the root account in sudo centric distros

However
1) The permissions problems that crop up when running gui programs with sudo instead of kdesudo/gksudo. Now, 99 % of these shouldn't be run with admin privileges to begin with, but we all know how that works out
2) Sudo has a (configurable) time out where the password is cached in the desktop session (terminal instances' timeout are separate, and unique to each instance iirc)


The real question is, again, why change the thing, what is broken about how it works? That is what the criteria for one or the other lies.
You will find the vast majority here will tell you sudo is fine. A lot of that stems from actual experience as opposed to any bias or wish to stifle differences.

You can do just as much damage with sudo, since they can both do the same things, but I find that if you use sudo you spend less time running in a root shell and so are less likely to accentually rm -rf * a system folder as root if you forget which directory you are in.

On those distributions that have a root account I use a randomly generated 8 digit password. It uses any character on the keyboard. I'm informed that this is reasonably secure outside of governments and large corporations.

I am fine with sudo but...the constant typing of a pw can be a pain, but it's worth the security, and it can also tempt users to create short and easy passwords, knowing that they will have to enter it a lot. I also find maintaining a separate root account can also be a pain and a headache. Overall, I think it's better to be root only when you need to be. I do have one gripe, when using a distro's software 'shopping' app, most of them require a pw for EVERY new install, this is just ridiculous, makes me switch back to or install synaptic, your pw goes in one time until you are done, no muss, no fuss.

An eight-character keyspace is crackable in a reasonable amount of time with contemporary computer hardware. Sophisticated cracking routines look for weaknesses in the intermediate steps used in generating hashes; brute-force routines simply try the entire space as represented by rainbow tables. It is now possible to rent sufficient computing power and storage by the hour to attempt both kinds of cracking.

For these reasons, length is always better than complexity. Every character you add to a password exponentially increases its durability. Wherever possible, I now recommend using three average-sized native language words separated by some piece of punctuation. This has two benefits: it thwarts precomputed rainbow tables and it's too large of a keyspace to work through in algorithmic attacks.

I believe these are appropriate:

Password strength
Password reuse
Security

Of course you need to be a target also. But I appreciate the heads up.

Reminds me also that there are limits to the number of characters for some situations. I remember a distro that would allow a bunch of characters, but would only use the first 6.

I'm not a fan of sudo. I like to be able to open a terminal and run as root for updates ect... the timeout of sudo usually requires entering the password more then once per session. I think sudo is mainly designed to protect us from ourselves. I know the length of time or user could be modified but its something that could be addressed during setup IMHO.

You mean like Sudo can do everything su can and more...

Yes james147 but thats already 5 more chars then su <enter>
Like I said my preference. Then there are issues with scripts launching processes as su that have to be tweaked to repect sudo. Not looking to debate the security merits of sudo. But I would prefer to have a choice at setup. Would a choice not be acceptable?