Forgot your password?
typodupeerror
Security Red Hat Software Linux

Fedora 19 To Stop Masking Passwords 234

Posted by timothy
from the dot-dot-dot-dot dept.
First time accepted submitter PAjamian writes "Maintainers of the Anaconda installer in Fedora have taken it upon themselves to show passwords in plaintext on the screen as they are entered into the installer. Following on the now recanted statements of security expert Bruce Schneier, Anaconda maintainers have decided that it is not a security risk to show passwords on your screen in the latest Alpha release of Fedora 19. Members of the Fedora community on the Fedora devel mailing list are showing great concern over this change in established security protocols." Note: the change was first reported in the linked thread by Dan Mashal.
This discussion has been archived. No new comments can be posted.

Fedora 19 To Stop Masking Passwords

Comments Filter:
  • by gweihir (88907) on Saturday May 04, 2013 @08:33AM (#43628701)

    ... thinking they know what is best for everybody. Same stupid story again and again. A button or hot-key for those that want to see their passwords would be acceptable, but making it the default is not.

    • by hedwards (940851) on Saturday May 04, 2013 @08:46AM (#43628765)

      During the install process you're probably alone. I can't recall ever having done an install at the local coffee shop or on the bus. And during the install process is a good time to actually see the password.

      The rest of the time though, it should be a hotkey as there's no point in masking the password if there's nobody in the room with you, I suppose there might be cameras, but if you're in public you should be assuming that somebody is looking over your shoulder. Even TrueCrypt offers the ability to unmask the passphrase if you wish.

      • by Kjella (173770) on Saturday May 04, 2013 @09:09AM (#43628875) Homepage

        As long as you must take any active action to display the password I'm fine with it, but if you give me a password field I'm going to assume by default that it won't be echoed back to me in plaintext and I'd consider anything else an obvious bug. It doesn't really matter that in this particular case you almost certainly don't need that protection, it breaks the whole user expectation for password fields in general. It's like if your car would detect there is no traffic so there's no point in blinking the turn signal because nobody would see it, in practice I'd just think my turn lights are broken not that it was "smart". And there's a lot of hand-waving to justify this complicating simplification.

      • by NemosomeN (670035) on Saturday May 04, 2013 @09:55AM (#43629151) Journal
        Why assign a hotkey to such a rare task? Make it a checkbox, two tabs away from the password field. Default: Mask the damn password.
        • by hedwards (940851)

          There's little or no point in masking the password. Unless you're choosing stupid passwords or having a huge number of chances to guess the password it's not going to make much of a difference. With a properly 10-20 character password that's actually mostly random people are not going to guess that based upon seeing it one time. At least not without them having some sort of savant ability to memorize random strings of characters.

          Checkbox or hotkey doesn't really make much difference, either way it should be

          • Wanna bet? I have inadvertedly trained myself to have photographic memory because I have had to type in manually thousands of service request numbers (which also contain letters, dashes) from screenshots or other machines. I can easily remember a 20-character string if I look at it for exactly as much time as you need to type it in, for enough time to allow me to write it down.

            • by hedwards (940851)

              I'm sorry, but that is not a common ability that you're likely to encounter in the workforce. And generally service numbers aren't random anyways. They may appear to be random, but they're not, usually they're designed around a scheme that's only meaningful to people who use those numbers on a regular basis.

          • by Immerman (2627577)

            Except we're living in a world where almost everyone has a discrete camera built into their cell phone, and we may have to deal with things like Google Glass, of which later versions will no doubt become increasingly discrete.

          • by BitZtream (692029)

            Those of us who don't jerk off to how longer our passwords are, don't use 10 digit passwords.

            I say this as someone who has written more cryptography software than you've even used.

            10 digit passwords are fucking stupid. I'll just bash your head in rather than trying to brute force your password. I assure you, you will give it up FAR faster than anyone can brute force it. Same is true with 6-9 character passwords. I'll have found you and bashed your head in years before the password would be brute forced.

      • by Stalks (802193) * on Saturday May 04, 2013 @10:53AM (#43629481)

        -- "if there's nobody in the room with you"

        That's an assumption. You don't know what other people are doing. You are basing an installer used by thousands on your own experiences. You're making the same mistake as the developers are.

        Plenty of times I have worked in the datacenter with other engineers from other companies doing installs all around me. I don't want them to see the password, thanks.

      • by Znork (31774) on Saturday May 04, 2013 @11:58AM (#43629871)

        I assume you have yet to find employment in todays average workplace?

        Because corporate offices and many small company offices are notoriously lacking in privacy and the only time there's 'nobody in the room with you' is if you're doing your installations on christmas eve.

        Having the (Fedoras) install process work different than basically everything else is a bad choice in itself. And changing everything else would be utter idiocy; there are many cases like classes, presentations, user assistance, etc, etc when passwords are entered with observers watching the screen. One would basically have to move to one-time passwords to bypass the issue.

        Needlessly displaying passwords without significant compelling reasons is simply atrociously bad design. The only time it is ever even remotely justified in common practice is when very, very bad input devices make it difficult to know which character actually got entered.

      • Is double-typing the password blind not enough? Even then, showing the password in plain view should be purely an option.

        If you still have to type their passwords twice even if they are in plain view, there will still be problems with people making typos and just copy-pasting them to the second field without noticing (especially with longer and more complex passwords). Even if not everyone uses the copy-paste method, people will still possibly make a typo in one or both password entry fields... again, usi

    • A button or hot-key for those that want to see their passwords would be acceptable [...]

      Exactly. And easy to implement. We just have to find a key on the keyboard that people are unlikely to use but is always present. How about this "CapsLk" one?

      • by HisMother (413313)
        That's an interesting idea. Everybody already warns if you have capslock on while entering a password. They could just change the warning to "Your password will be displayed in plaintext," and ignore the actual capslock (assuming that's possible.)
      • by KiloByte (825081)

        Some of us actually use CapsLock to invert the case of part of the password. I'd scream loudly if you sabotaged it. I've had the displeasure of typing some code on a Chromebook, and the key being diverted for an useless function is a pain.

        • I'm sure it is. I was actually just attempting to make a smartass remark about the need for a CapsLock warning on a password prompt (doubtless encouraged by the common tendency to forget the key exists). I think, perhaps, my smartassery should have been more direct, or maybe just more clever.
      • by RawsonDR (1029682) on Saturday May 04, 2013 @10:47AM (#43629443)

        We just have to find a key on the keyboard that people are unlikely to use but is always present. How about this "CapsLk" one?

        i DON'T THINK MY KEYBOARD HAS THAT ONE

        i don"t often post on slashdot because holding down the shift key is far too tedious

    • Don't we always say here, "obscuring is not securing"?

    • by Tore S B (711705)

      I don't know how you could call that 'arrogance'. Thinking you know what is best for the majority is a prerequisite for setting sane defaults.

    • by The Moof (859402)
      A good approach to the problem I've seen is masking the password except for the last character entered, put a timeout on that character (5-10 seconds), then mask it too. It lets you see what you've typed in, and you're no more at risk than someone just watching you type the password.
    • by swalve (1980968)
      Why not just have a "show password" button like they do for WPA passkeys? You can type the pwd, and then click the button to verify. Problem solved.
    • by adosch (1397357)

      Couldn't agree more...

      From a Anaconda GUI manual install process, it seems silly to ditch very basic password blackout + back-end entry validation to make sure both password and retype fields match. Was that too much to maintain?

      From a Kickstart perspective, I'd say it's even 'less' secure because you can hard-code plain-text useradds in %post, grub passwords, AND more importantly, the root password itself. Not to mention, reveal a boat load about your hardware/network infrastructure that can be a lot mor

    • by AdamWill (604569)

      "thinking they know what is best for everybody"

      I'm curious as to how you expect maintainers to write software. Take an opinion poll on every line?

      How would a maintainer who didn't think they know what was best for everybody ever write a line of code? Just guess?

    • by Darinbob (1142669)

      They didn't take it far enough. A truly modern system would use text-to-speech technology to recite the password out loud as a favor to the hard of hearing.

    • by suso (153703) *

      This is what happens when hipster UI developers from the mobile and web world come into the Desktop and Server world and think they are the shit. WTF? The Fedora community seems to have gone apeshit insane in recent years. First their stupid nonesense about moving /bin to /usr/bin, now this. It wouldn't be much of a problem if Fedora was an obscure experiemental distribution, but its not. Its a feeder of ideas and technology for one of the most widely used server distributions in the world. These developers

  • by Dopefish_1 (217994) <slashdotNO@SPAMthedopefish.com> on Saturday May 04, 2013 @08:34AM (#43628703) Homepage

    It's only in cleartext during installation, and only while the password field has focus. This is hardly something to get up in arms about, unless you regularly re-install your OS in front of a crowd.

    • by ArcherB (796902)

      It's only in cleartext during installation, and only while the password field has focus. This is hardly something to get up in arms about, unless you regularly re-install your OS in front of a crowd.

      Why not a choice? What's wrong with a button that says, "Unmask Password"?

      And, sorry, but when developers decide what's best for me, that absolutely IS something to get up in arms about. Maybe I do install my OS in front of a crowd. Maybe I'm installing a real world system at a company that with a policy that says all systems must have the same password in front of people as part of a training course or at a cubicle next to someone who has not business knowing the password.

      My point is, the people who mak

      • Why not a choice? What's wrong with a button that says, "Unmask Password"?

        That's not a terrible idea, but I would be very careful about implementing it. The problem is that it *can* be worse to have a security measure be in place "sometimes" or "most of time" than to not have it in place at all. If password masking is common enough that people assume it will be there, then they'll rely on it, get a sense of security from it, and let their guard down. Then they may type their password out in an unmasked field without noticing in time. People tend to type their passwords out qu

        • People tend to type their passwords out quickly without much thought as it is...

          Isn't that what you're supposed to do - type to mitigate some of the shoulder-surfing issue by making it that much more difficult for someone to notice where your fingers are.

        • Ok, maybe that quote doesn't really work, since security isn't really about absolutes. But it kinda works.

          I'll tell you what it works for - short passwords. I have some systems with 36-character keys (oh, right, passwords) and if they're masked and I'm all alone in a data center (or on remote, more likely these days) it's terribly frustrating since I'm not a perfect typist. Yeah, I can slow down and do it right (I don't have a neurological disorder, though some do) but being able to do it fast and have ac

    • by Grax (529699)
      I don't think it is the end of the world, I think it is more about expectations. I haven't seen the screen in question but I would probably be fine with it as long as it had a warning that the password would be displayed. Suppose I am installing a virtual machine while sitting in a shared space or while sharing my screen on a projector. I go type that password in with the expectation it would be hidden and next thing you know, everyone knows my password. I suppose you could say I'm a bad person for usin
  • by Anonymous Coward
  • I suppose this is the point where MBA skills have overcome insight within the FOSS (or whatever) domain.

    CC.

  • Windows 8 (Score:5, Interesting)

    by scottnix (951749) on Saturday May 04, 2013 @08:35AM (#43628711)

    I like the way Windows 8 addressed this problem. They added a button that looks like an eye on the right hand side of the password field to show the password as you've typed it. That seems like a better compromise than briefly showing the password characters.

    • by Anonymous Coward on Saturday May 04, 2013 @09:38AM (#43629041)
      For mentioning a Microsoft product, we had to mod you down.
    • Yeah, they used the default interaction style, like everybody else.

      Except of course to the Ubuntu team, that has a worse case of NIH than even Microsoft, comparable only to Gnome's.

      • How do you measure NIH? I'm not sure I see how you can put Microsoft is below GNOME and Ubuntu, although I'll be honest, they are all pretty bad about it...

        Microsoft seems to be King of NIH to me, and GNOME is like Apple in their "our way or the highway" attitude about everything, but Ubuntu seems to be getting worse in several areas so it'd probably be too soon to judge them.

    • Bad idea. What if someone is in a library on a public computer and tries to log in, and just after they've entered their password, they wonder "Hmmm... what is that eye-looking thing?" Then they click it and--too late! A few people have already seen it. Oops! Add this "cloud computing" shit that all these companies are trying to force down our throats and you've got potential for problems.

      But seriously though, it is a decent idea... just one that I'm sure is not infallible to situations similar to the

  • I think that this improves password usability and is a move to the right direction. Others should follow instead of making passwords even harder for the end users, the most insane counter examples are the websites that mask your username as well. However, there really should be a switch to toggle this behavior.

  • 1. Apps should be aware of password entries, and should turn of mirroring monitors, projectors etc. during password entry.
    2. Showing nothing of the password is bad. Some applications actually added random numbers of stars as you type, that is worse. Showing a single character is slightly useful. Dimming out a few characters is better.
    3. People are very good at detecting that someone is looking over their shoulder.
    • by tepples (727027)

      1. Apps should be aware of password entries, and should turn of mirroring monitors, projectors etc. during password entry.

      Then applications for playing major studio movies would put a password box on the screen just to keep users from mirroring the video to more than one monitor without the movie studio's permission.

      • Then applications for playing major studio movies would put a password box on the screen just to keep users from mirroring the video to more than one monitor without the movie studio's permission.

        You are not thinking clearly. I said an application should disable display on external monitors or projectors while a password is entered. That means the application disables the monitor. An application for playing movies that _wanted_ to disable other monitors would just do that.

        This ignores the fact that they wouldn't be able to convince me to rent movies on iTunes and pay them money if I couldn't watch them on my TV but only on my laptop.

  • Good. (Score:5, Interesting)

    by Rational (1990) on Saturday May 04, 2013 @08:48AM (#43628779)
    I hope it catches on. Just give me a tickbox if I want masking when in a public place.
  • by pz (113803) on Saturday May 04, 2013 @08:57AM (#43628831) Journal

    Many times I'd like to see my password in clear text (like when entering new passwords, to make sure they're correct). It would be convenient to have some way to temporarily turn off asterisk masking.

  • no problem (Score:5, Funny)

    by ssam (2723487) on Saturday May 04, 2013 @09:13AM (#43628895)

    my password is '*********' so there will be no change for me

    • my password is '*********' so there will be no change for me

      Seriously speaking, that (plain asterisks) might be a surprisingly strong password. It would be very weak if someone saw your keyboard, but otherwise, who would get the idea to try that? Even the automatic password crackers might not be prepared to check that one.

    • by ssam (2723487)

      but given that '*' is a wild card it will actually match any password that i try to log in with.

  • Password masking becomes increasingly annoying with password length, since any finger fumble becomes nearly impossible to back out with the correct number of backspace presses.

    I could live with a masking system that replaced the usual * with a - when the current symbol is from the same symbol set as the previous symbol.

    The password in the first line would display with the following mask.

    ima6uldv8!!!
    *--**---**--

    For myself anyway, that would put the backspace key "back on the menu" after a finger blap.

    I'd be

    • by epine (68316)

      Addendum:

      It occurs to me that this definition could be modified so that a password all in a single symbol set always displays with only the * character, in addition to the new unmasking only kicking in after the first eight characters, if we wish to keep our fancy logic out from under the dim perceptions and loud scrutiny of the fangle haters.

      The symbol would display as - only if different than the preceding character's symbol set. The first character would always display as *.

    • Linux is about options and this takes the option away.

      When you have increasing issues of password masking the best way is to have two input fields and train the user (this is an ADMIN anyway) to not copypaste.

      Passwords should be long, they should be phrases, with alphanumerics, these are the hardest to crack passwords even if they have a lot of dictionary words. It's a lot harder to crack a 10 word phrase then a 12 letter pure alphanumeric that someone has to right down to remember.

      If your using the phrase

  • by sootman (158191) on Saturday May 04, 2013 @09:27AM (#43628969) Homepage Journal

    Regardless of whether an idea is good or bad, you should not change decades-old conventions lightly. The proper thing to do at this time is to mask by default and have a checkbox nearby that lets the user choose to show the password.

  • Not only Shoulder surfing, but also security cameras.
    It would not be nice if I go to Internet cafés, and the web form will show to all people my passwords in clear.

    Schneier now backs an approach taken by BlackBerry devices and iPhones, which display each character briefly before masking it.

    That is not good with security cameras or other cameras, like web cameras, or mobile phone cameras, which are quite common in public places like Internet cafés.

    PS: I referring to the article of Bruce Schneier: http://www.out-law.com/page-10152 [out-law.com] not the article about Fedora. I know that it's very uncommon to install Fedora in public Inter

  • "... decided that it is not a security risk to show passwords on your screen in the latest Alpha release of Fedora 19 ..." Security risks is not something that can be "decided" by somebody. There are always risks and showing the password on plain text is certainly more risky than masking it. Or are there some really awesome benefits for showing them in plain. No. Because noone expects that, so both usability and security suffer.
  • Password: [_________] (text)
    Confirm: [_________] (text)
    Mask/Unmask Password [X] (check box)

    Everyone is happy.
  • by gtirloni (1531285) on Saturday May 04, 2013 @11:42AM (#43629787)
    Because all the time the Linux distributions waste on crap seems to indicate so. Are they bored out of their mind that they need to focus on stupid things?
  • If you are following standard security protocols. Most people are up in arms about this in the work place, but if you are following standard protocols at a work place, then it would not matter. An OS is always installed in a non-production network, with a different root password (typically the development network root password as it is distinct from production). Then the new OS is patched, configured with check lists, connected to LDAP servers (or what ever connections you need). The last three steps ar

  • by gatkinso (15975) on Saturday May 04, 2013 @02:18PM (#43630745)

    Default to masked, hit ctrl and it toggles to unmasked. Ctrl while unmasked makes it masked again.

  • by nuckfuts (690967) on Saturday May 04, 2013 @02:34PM (#43630827)

    FTA:

    "So was I wrong?" wrote Schneier. "Maybe. Okay, probably."

    Check your ego and stop waffling. If you're wrong, say you're wrong. Not maybe. Not probably. Just wrong.

Work without a vision is slavery, Vision without work is a pipe dream, But vision with work is the hope of the world.

Working...