Fedora 19 To Stop Masking Passwords

← Back to Stories (view on slashdot.org)

Fedora 19 To Stop Masking Passwords

Posted by timothy on Saturday May 4, 2013 @01:24AM from the dot-dot-dot-dot dept.

First time accepted submitter PAjamian writes "Maintainers of the Anaconda installer in Fedora have taken it upon themselves to show passwords in plaintext on the screen as they are entered into the installer. Following on the now recanted statements of security expert Bruce Schneier, Anaconda maintainers have decided that it is not a security risk to show passwords on your screen in the latest Alpha release of Fedora 19. Members of the Fedora community on the Fedora devel mailing list are showing great concern over this change in established security protocols." Note: the change was first reported in the linked thread by Dan Mashal.

13 of 234 comments (clear)

Min score:

Reason:

Sort:

Arrogant maintainers... by gweihir · 2013-05-04 01:33 · Score: 5, Insightful

... thinking they know what is best for everybody. Same stupid story again and again. A button or hot-key for those that want to see their passwords would be acceptable, but making it the default is not.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
1. Re:Arrogant maintainers... by hedwards · 2013-05-04 01:46 · Score: 5, Insightful
  
  During the install process you're probably alone. I can't recall ever having done an install at the local coffee shop or on the bus. And during the install process is a good time to actually see the password.
  The rest of the time though, it should be a hotkey as there's no point in masking the password if there's nobody in the room with you, I suppose there might be cameras, but if you're in public you should be assuming that somebody is looking over your shoulder. Even TrueCrypt offers the ability to unmask the passphrase if you wish.
2. Re:Arrogant maintainers... by Kjella · 2013-05-04 02:09 · Score: 5, Insightful
  
  As long as you must take any active action to display the password I'm fine with it, but if you give me a password field I'm going to assume by default that it won't be echoed back to me in plaintext and I'd consider anything else an obvious bug. It doesn't really matter that in this particular case you almost certainly don't need that protection, it breaks the whole user expectation for password fields in general. It's like if your car would detect there is no traffic so there's no point in blinking the turn signal because nobody would see it, in practice I'd just think my turn lights are broken not that it was "smart". And there's a lot of hand-waving to justify this complicating simplification.
  
  --
  Live today, because you never know what tomorrow brings
3. Re:Arrogant maintainers... by NemosomeN · 2013-05-04 02:55 · Score: 4, Insightful
  
  Why assign a hotkey to such a rare task? Make it a checkbox, two tabs away from the password field. Default: Mask the damn password.
  
  --
  I hate grammar Nazi's.
4. Re:Arrogant maintainers... by Stalks · 2013-05-04 03:53 · Score: 4, Insightful
  
  -- "if there's nobody in the room with you"
  That's an assumption. You don't know what other people are doing. You are basing an installer used by thousands on your own experiences. You're making the same mistake as the developers are.
  Plenty of times I have worked in the datacenter with other engineers from other companies doing installs all around me. I don't want them to see the password, thanks.
5. Re:Arrogant maintainers... by Znork · 2013-05-04 04:58 · Score: 3, Insightful
  
  I assume you have yet to find employment in todays average workplace?
  Because corporate offices and many small company offices are notoriously lacking in privacy and the only time there's 'nobody in the room with you' is if you're doing your installations on christmas eve.
  Having the (Fedoras) install process work different than basically everything else is a bad choice in itself. And changing everything else would be utter idiocy; there are many cases like classes, presentations, user assistance, etc, etc when passwords are entered with observers watching the screen. One would basically have to move to one-time passwords to bypass the issue.
  Needlessly displaying passwords without significant compelling reasons is simply atrociously bad design. The only time it is ever even remotely justified in common practice is when very, very bad input devices make it difficult to know which character actually got entered.
6. Re:Arrogant maintainers... by HiThere · 2013-05-04 07:16 · Score: 3, Insightful
  
  Yes. I'd make the defalut the other way, but it should definitely be user selectable. Different circumstances call for different options, but I don't think making the initial password entry unreadable is a good choice in most circumstances.
  Actually, for my setup I'd prefer that it almost always be readable, as there is no "caps lock on" indicator on my keyboard, and I rarely need to worry about shoulder surfers. (As in probably less than once a year.) But I have certainly observed other circumstances where that could be a concern.
  OTOH, perhaps a default "password unreadable" is reasonable. Most people will never change the default, and won't think about the problem unless they do. But it should definitely be user selectable.
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
Only in the installer by Dopefish_1 · 2013-05-04 01:34 · Score: 4, Insightful

It's only in cleartext during installation, and only while the password field has focus. This is hardly something to get up in arms about, unless you regularly re-install your OS in front of a crowd.

--

#include <sig.h>
1. Re:Only in the installer by fast+turtle · 2013-05-04 02:21 · Score: 3, Insightful
  
  Do you really expect me to disconnect an employee computer, hull it up to my office, and reinstall there - just so I can have a standard local root password the other admins also know?
  I sure as hell don't. I expect you to either push out a standard image or use PXE to boot the fucking thing and have it install the image that way with all of the employees files stored on the fucking server. As a small business owner, this is the method I prefer using with PXE boot being the 1st. I'll use a disk image for laptops unless it can be configured to PXE boot and download the damn image.
  
  All this change does is force me to install from a master base image and remove the option for a normal install in the rare time I need it, which in reality causes me to never use their installer software more than once.
  If you're doing it right to begin with, you wont be using the god damn installer anyhow as you should be either installing a standard image or using PXE to boot the system and install the fucking image.
  All your bitching indicates to me is that you haven't a damn clue how to build a standard image or that you want to play with unsupported software. This affects only Fedora (RH's fucking Beta Branch) though if they incorporate the change in RH's supported version, they'll be dead within a couple of years if not sooner because of lawsuits and loosing most of their Government Certifications.
  Before any of this will happen though, the shareholders will file suit and sue the idiot CEO/Chairman for violating "Fiscal Responsibility" as this is about the fastes way to kill Red Hat. Loose those Government Certifications and there isn't anywhere's in the world that a government will use their product. Hell give it enough stink and the shareholders may end up changing the Board and CEO for just that reason, gutting any compensation they would recieve (no golden parachutes).
  
  --
  Mod me up/Mod me down: I wont frown as I've no crown
2. Re:Only in the installer by tverbeek · 2013-05-04 02:22 · Score: 3, Insightful
  
  "Do you really expect me to disconnect an employee computer, hull it up to my office, and reinstall there - just so I can have a standard local root password the other admins also know?"
  
  That'd be a more appropriate place to do an OS install, but no: I expect you to lift your head and look around before typing, to see if anyone is staring at the screen. Because if there are other people in the room, and you're really that concerned that they'll be snooping at your root password, they can just as easily look at your hands on the keyboard.
  
  The practice of masking passwords in all circumstances is a perfect example of unthinking That's How We've Always Done It Syndrome. It dates back to the days of printing terminals, where everything you typed was dot-matrixed onto a roll of paper as you went. It was a very good idea and very important that those passwords not be echoed back to the user, because they'd be preserved on greenbar paper for someone else in the terminal room or computer lab to find.
  
  But most password entry isn't done in that context anymore. With password-saving features on web browsers and smartphones, it's often done once, then left alone; people can easily take a quick look around to make sure no one's looking when they tap their e-mail password into their smartphone during initial setup. A login screen that doesn't echo the password as you type it, but has "remember my password" checkbox... makes no sense whatsoever. But they're programmed that way, because That's How We've Always Done It. Not masking the password when you initially set the password is a good idea because it's really not that difficult to make the same typo twice in a row, and once you've done that with the root password on a new system, you're screwed.
  
  I work in an IT office, and every day I get multiple calls from users who've locked themselves out of their accounts because they couldn't see what they were typing. Caps-Lock is a frequent culprit, and if I had a dollar for every time I've asked a user to check that and try again (and it worked), I'd be able to buy pizza for the whole department every Friday.
  
  There are certainly circumstances where masking the password is a good idea. Kiosks where the user is likely to have strangers standing in line behind her, portable devices that are likely to be used on coffee shop tables, and high-security environments of various kinds. But not all password entry requires that level of looking-over-your-shoulder-but-not-really-because-you-can't-be-bothered-to paranoia to applied. If I'm logging in to Netflix.com to add a movie to my queue, I don't need the kind of password-masking secrecy needed to log in to the medical-records software used where I work. And it's high time someone had the critical thinking skills to start making this judgment call on a case-by-case basis.
  
  --
  http://alternatives.rzero.com/
3. Re:Only in the installer by amaurea · 2013-05-04 02:55 · Score: 3, Insightful
  
  Because if there are other people in the room, and you're really that concerned that they'll be snooping at your root password, they can just as easily look at your hands on the keyboard.
  To read the password from your hands, they need to watch you undetected during the whole password entry. Reading which keys people press is also error-prone and requires you to be very nearby to have full view of the keyboard. To read the password from the screen, you only need a single glance at it near the end of the entry process, and it can be done from further away.
  Imagine a competition where two teams have to try to detect a password without being discovered, but for one team, the password is masked, and for the other it is shown directly on screen. Now you have to bet on which team would get most passwords. I think it should be pretty obvious to everybody that the plaintext team would have a huge advantage - it wouldn't really be a competition at all.
  The compromise suggested in TFA, with all but the previously entered character being masked, gets rid of the single glance problem, but still allows the password to be snooped from relatively far away. I think the former problem is the most serious, though, so it is probably a good tradeoff.
Re:That's fine by SerpentMage · 2013-05-04 05:21 · Score: 3, Insightful

I don't know if you are sarcastic or not, but I for one am thankful for the maintainers of Fedora. Hear me out...
These days I have to type in passwords that are akin to random letters. I am ok with that. BUT it is BLOODY EFFEN HARD to type in the password into the text field. And if the text field hides the text it becomes annoying to have to input the data again. The problem is that I know my keyboard, but sometimes I have to type twice to hit the correct %^*( character. If I am looking at the keyboard and the screen at the same time things become confusing. Doing this two or three times becomes a royal pain in the arse!
I understand WHY you should not do this, but quite frankly there is theory and there is practice. And in an era of long obtuse passwords I am thankful!

--

"You can't make a race horse of a pig"
"No," said Samuel, "but you can make very fast pig"
Re:That's fine by manicb · 2013-05-04 09:17 · Score: 5, Insightful

This is a good case for, as suggested by many in the discussion, a "show password" button, as is widely used. I don't see an argument for making it the default.