Carl Hartung wrote:
Encouraging insecure practices is not a successful competitive strategy because it moves you farther away from the goal instead of closer to it.

When you see this as being insecure, what about GRUB not being password protected by default? init=/bin/bash gave me immediate access to the system last time I tried.

Once you are at it, you should also require people to secure their BIOS with a password and deactivate booting from removable media/network. Because both methods will give an attacker full access without having to use a screwdriver (those are another matter).

If (and only if) the user has adequately secured both his BIOS and his boot loader he can start worrying about auto login, which does _not_ give you full control over the system, in contrast to the other two. I think that it is safe to assume that every user that secures his BIOS and boot loader is also clever enough to turn off auto login.

Regards
nordi