Root insecure? Retarded

Ian’s Thoughts: canonical-advocates-insecure-practices

Ian talks about how insecure it is to have a root account, and says that it is the first account targeted. This is so wrong on many levels. It’s just as insecure as running root. You can trick the user into revealing passwords by having them use su or sudo. It doesn’t really matter; sudo is just quicker and seems friendly. It’s used to cater to those dumbasses having trouble switching from Windows who hate typing commands.

Another problem: if you don’t have a root account set up, it makes it even easier to hijack because they don’t have to guess a null password. They simply enable it using the same instructions and you’re completely locked out… What happens when the user ID is easily guessable? Like the username “oracle”, which hits my ssh logs all the time. Then it’s easy pickings if the common user name approach works. They won’t have to hijack root, just sudo, and they already know the user’s password :)
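An added example, not part of the original post: a Python tally of failed SSH password attempts per username, which shows guessed names such as "oracle" landing in the auth log next to root. The log lines are constructed samples in OpenSSH's sshd format, and the function name `tally_failed_logins` and the account name `alice` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH sshd log format (not real data).
SAMPLE_LOG = """\
Jan 10 03:12:01 host sshd[2211]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jan 10 03:12:04 host sshd[2213]: Failed password for invalid user oracle from 203.0.113.5 port 40130 ssh2
Jan 10 03:12:09 host sshd[2215]: Failed password for invalid user oracle from 198.51.100.7 port 51200 ssh2
Jan 10 03:12:15 host sshd[2217]: Failed password for invalid user admin from 198.51.100.7 port 51210 ssh2
Jan 10 03:13:02 host sshd[2220]: Failed password for alice from 192.0.2.44 port 33812 ssh2
Jan 10 03:13:40 host sshd[2222]: Accepted password for alice from 192.0.2.44 port 33820 ssh2
"""

# sshd writes "invalid user" when the guessed name has no local account.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def tally_failed_logins(log_text):
    """Return (failed attempts per username, targeted names that exist locally)."""
    attempts = Counter()
    existing = set()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        attempts[m["user"]] += 1
        if not m["invalid"]:
            # No "invalid user" marker: the guess hit a real account name,
            # so only the password stands between the guesser and a login.
            existing.add(m["user"])
    return attempts, existing


if __name__ == "__main__":
    attempts, existing = tally_failed_logins(SAMPLE_LOG)
    for user, count in attempts.most_common():
        status = "exists" if user in existing else "no such account"
        print(f"{user:10} {count:3}  {status}")
```

Names reported as existing are the ones worth reviewing first, whether that is root or an ordinary account with sudo rights.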

Never heard of RHEL? Red Hat Enterprise Linux with its government security certification? Guess what? Root enabled… In fact no qualified security expert will advise AGAINST having a root account enabled. In fact they will argue against using sudo in the first place.
