Anything requiring sudo or su is not enough: too easy to just take the habit to type the password very fast.
What I've found that works is using the command "lockout" with some weird modification of the sudoers file in order to allow only certain commands with sudo (or other commands with only certain arguments not matching forbidden patterns).
It doesn't stop it in the moment, but logging the date to ~/.procrasts does provide at least some after-the-fact accountability. I think a lighterweight initial approach is good, and, if logging reveals that it's abused, then one can move to harder-to-circumvent solutions.
Another approach is to block the websites in your router settings and to make that password very long, assuming you don't need to access it as often as sudo.
I actually built a password manager for myself that charges me $$ every time I want to access an addictive site (addictionlocker.com) literally because I'd do just this.
What I've found that works is using the command "lockout" with some weird modification of the sudoers file in order to allow only certain commands with sudo (or other commands with only certain arguments not matching forbidden patterns).