Quote from hexparrot
Great response...yes, because you have not been successfully hacked by a group of idiots, therefore bad practice is not bad practice. Look at the entire server world: lighttpd, apache, mysql--what do you notice between all these services?
They all tell you to be run as an unprivileged user. ALL OF THEM.
Why? Because regardless of whether you're being 'targeted by a hacker group' (and god knows how you could have created that much bad blood)--0% threat is better than .01%. And a service like apache that gets compromised will only yield the permissions the apache user has. Likewise, a server like minecraft will only yield the permissions THAT user has.
It requires NO effort to give minecraft its own unprivileged user, and good practice is good practice no matter what.
"My security has been very well audited. The root password is 24 random letters and numbers."
I call that an 'idiot' password. You want to make a login 'unlikely'? Use 24 'RANDOM' letters and numbers....and make it god damn difficult for you to login. You want to make it 'pretty much impossible'? Learn what RSA-KEY logins are.
I'm proud of you and your impenetrable, high-significance server and your many conquered virtual enemies.
You are so right... even xkcd makes that same established point.