Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fedora 19 To Stop Masking Passwords

Posted by timothy on from the dot-dot-dot-dot dept.

First time accepted submitter PAjamian writes "Maintainers of the Anaconda installer in Fedora have taken it upon themselves to show passwords in plaintext on the screen as they are entered into the installer. Following on the now recanted statements of security expert Bruce Schneier, Anaconda maintainers have decided that it is not a security risk to show passwords on your screen in the latest Alpha release of Fedora 19. Members of the Fedora community on the Fedora devel mailing list are showing great concern over this change in established security protocols." Note: the change was first reported in the linked thread by Dan Mashal.

47 of 234 comments (clear)

  1. Arrogant maintainers... by gweihir · · Score: 5, Insightful

    ... thinking they know what is best for everybody. Same stupid story again and again. A button or hot-key for those that want to see their passwords would be acceptable, but making it the default is not.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Arrogant maintainers... by hedwards · · Score: 5, Insightful

      During the install process you're probably alone. I can't recall ever having done an install at the local coffee shop or on the bus. And during the install process is a good time to actually see the password.

      The rest of the time though, it should be a hotkey as there's no point in masking the password if there's nobody in the room with you, I suppose there might be cameras, but if you're in public you should be assuming that somebody is looking over your shoulder. Even TrueCrypt offers the ability to unmask the passphrase if you wish.

    2. Re:Arrogant maintainers... by Kjella · · Score: 5, Insightful

      As long as you must take any active action to display the password I'm fine with it, but if you give me a password field I'm going to assume by default that it won't be echoed back to me in plaintext and I'd consider anything else an obvious bug. It doesn't really matter that in this particular case you almost certainly don't need that protection, it breaks the whole user expectation for password fields in general. It's like if your car would detect there is no traffic so there's no point in blinking the turn signal because nobody would see it, in practice I'd just think my turn lights are broken not that it was "smart". And there's a lot of hand-waving to justify this complicating simplification.

      --
      Live today, because you never know what tomorrow brings
    3. Re:Arrogant maintainers... by NemosomeN · · Score: 4, Insightful

      Why assign a hotkey to such a rare task? Make it a checkbox, two tabs away from the password field. Default: Mask the damn password.

      --
      I hate grammar Nazi's.
    4. Re:Arrogant maintainers... by RawsonDR · · Score: 4, Funny

      We just have to find a key on the keyboard that people are unlikely to use but is always present. How about this "CapsLk" one?

      i DON'T THINK MY KEYBOARD HAS THAT ONE

      i don"t often post on slashdot because holding down the shift key is far too tedious

    5. Re:Arrogant maintainers... by Stalks · · Score: 4, Insightful

      -- "if there's nobody in the room with you"

      That's an assumption. You don't know what other people are doing. You are basing an installer used by thousands on your own experiences. You're making the same mistake as the developers are.

      Plenty of times I have worked in the datacenter with other engineers from other companies doing installs all around me. I don't want them to see the password, thanks.

    6. Re:Arrogant maintainers... by swalve · · Score: 2

      Why not just have a "show password" button like they do for WPA passkeys? You can type the pwd, and then click the button to verify. Problem solved.

    7. Re:Arrogant maintainers... by Znork · · Score: 3, Insightful

      I assume you have yet to find employment in todays average workplace?

      Because corporate offices and many small company offices are notoriously lacking in privacy and the only time there's 'nobody in the room with you' is if you're doing your installations on christmas eve.

      Having the (Fedoras) install process work different than basically everything else is a bad choice in itself. And changing everything else would be utter idiocy; there are many cases like classes, presentations, user assistance, etc, etc when passwords are entered with observers watching the screen. One would basically have to move to one-time passwords to bypass the issue.

      Needlessly displaying passwords without significant compelling reasons is simply atrociously bad design. The only time it is ever even remotely justified in common practice is when very, very bad input devices make it difficult to know which character actually got entered.

    8. Re:Arrogant maintainers... by Stalks · · Score: 2

      I don't think arrogance means what you think it means as I haven't demonstrated anything to that effect.

      Whilst your comment is marginal troll, I will point out in the majority of cases the sensitive nature of any project wouldn't be a bearing in the choice of creating your own data center, that is just absurd.

      Also, in the UK the B2B sector of hosting is a cut-throat arena just like most heavily invested sectors. I'm sure some of our competitors would relish at the opportunity to put a spanner in the works to discredit the service we provide.

      Paranoid delusions? Possibly, but better safe than sorry.

    9. Re:Arrogant maintainers... by Immerman · · Score: 2

      Except we're living in a world where almost everyone has a discrete camera built into their cell phone, and we may have to deal with things like Google Glass, of which later versions will no doubt become increasingly discrete.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    10. Re:Arrogant maintainers... by HiThere · · Score: 3, Insightful

      Yes. I'd make the defalut the other way, but it should definitely be user selectable. Different circumstances call for different options, but I don't think making the initial password entry unreadable is a good choice in most circumstances.

      Actually, for my setup I'd prefer that it almost always be readable, as there is no "caps lock on" indicator on my keyboard, and I rarely need to worry about shoulder surfers. (As in probably less than once a year.) But I have certainly observed other circumstances where that could be a concern.

      OTOH, perhaps a default "password unreadable" is reasonable. Most people will never change the default, and won't think about the problem unless they do. But it should definitely be user selectable.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    11. Re:Arrogant maintainers... by eric_herm · · Score: 2

      Have you read the link you posted ?
      Especially that part :
      ""Further, recent research[12] has shown it is possible to detect the radiation corresponding to a keypress event from not only wireless (radio) keyboards, but also from traditional wired keyboards, and even from laptop keyboards.""

    12. Re:Arrogant maintainers... by Pentium100 · · Score: 2

      My native language uses additional characters in addition to the ASCII ones. When I want to write in my language, I switch the keyboard layout so the additional symbols are in place of the number row. So, I can type the password and it will match, but later when I try to type it with the default layout on, it won't match if I used the number row keys when creating the password.

      When I type somewhere else, I can immediately see that I'm writing nonsense because of the wrong layout and just switch it. I don't always remember to look at the layout indicator before typing a password.

    13. Re:Arrogant maintainers... by PopeRatzo · · Score: 2

      there is no "caps lock on" indicator on my keyboard

      Well, there's your problem, right there.

      --
      You are welcome on my lawn.
    14. Re:Arrogant maintainers... by BitZtream · · Score: 2

      Those of us who don't jerk off to how longer our passwords are, don't use 10 digit passwords.

      I say this as someone who has written more cryptography software than you've even used.

      10 digit passwords are fucking stupid. I'll just bash your head in rather than trying to brute force your password. I assure you, you will give it up FAR faster than anyone can brute force it. Same is true with 6-9 character passwords. I'll have found you and bashed your head in years before the password would be brute forced.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    15. Re:Arrogant maintainers... by Darinbob · · Score: 2

      They didn't take it far enough. A truly modern system would use text-to-speech technology to recite the password out loud as a favor to the hard of hearing.

    16. Re:Arrogant maintainers... by suso · · Score: 2

      This is what happens when hipster UI developers from the mobile and web world come into the Desktop and Server world and think they are the shit. WTF? The Fedora community seems to have gone apeshit insane in recent years. First their stupid nonesense about moving /bin to /usr/bin, now this. It wouldn't be much of a problem if Fedora was an obscure experiemental distribution, but its not. Its a feeder of ideas and technology for one of the most widely used server distributions in the world. These developers are being irresponsible.

  2. Only in the installer by Dopefish_1 · · Score: 4, Insightful

    It's only in cleartext during installation, and only while the password field has focus. This is hardly something to get up in arms about, unless you regularly re-install your OS in front of a crowd.

    --

    #include <sig.h>
    1. Re:Only in the installer by dbIII · · Score: 2

      That's equivalent to saying that if you do an install from the keyboard you're doing it wrong. There's puppet and a pile of other things to avoid manual installs, but sometimes it's handy to go through an install process instead of just churning out identical systems. Also as for "individual admin passwords" - sometimes you do want to give people development boxes or whatever where they know the root password but you don't want them to have root on other machines. Most of the scientists in my workplace know the root password on their desktop systems for instance, and there's an R&D cluster that some developers can do anything they like to.

    2. Re:Only in the installer by fast+turtle · · Score: 3, Insightful

      Do you really expect me to disconnect an employee computer, hull it up to my office, and reinstall there - just so I can have a standard local root password the other admins also know?

      I sure as hell don't. I expect you to either push out a standard image or use PXE to boot the fucking thing and have it install the image that way with all of the employees files stored on the fucking server. As a small business owner, this is the method I prefer using with PXE boot being the 1st. I'll use a disk image for laptops unless it can be configured to PXE boot and download the damn image.

      All this change does is force me to install from a master base image and remove the option for a normal install in the rare time I need it, which in reality causes me to never use their installer software more than once.

      If you're doing it right to begin with, you wont be using the god damn installer anyhow as you should be either installing a standard image or using PXE to boot the system and install the fucking image.

      All your bitching indicates to me is that you haven't a damn clue how to build a standard image or that you want to play with unsupported software. This affects only Fedora (RH's fucking Beta Branch) though if they incorporate the change in RH's supported version, they'll be dead within a couple of years if not sooner because of lawsuits and loosing most of their Government Certifications.

      Before any of this will happen though, the shareholders will file suit and sue the idiot CEO/Chairman for violating "Fiscal Responsibility" as this is about the fastes way to kill Red Hat. Loose those Government Certifications and there isn't anywhere's in the world that a government will use their product. Hell give it enough stink and the shareholders may end up changing the Board and CEO for just that reason, gutting any compensation they would recieve (no golden parachutes).

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    3. Re:Only in the installer by tverbeek · · Score: 3, Insightful

      "Do you really expect me to disconnect an employee computer, hull it up to my office, and reinstall there - just so I can have a standard local root password the other admins also know?"

      That'd be a more appropriate place to do an OS install, but no: I expect you to lift your head and look around before typing, to see if anyone is staring at the screen. Because if there are other people in the room, and you're really that concerned that they'll be snooping at your root password, they can just as easily look at your hands on the keyboard.

      The practice of masking passwords in all circumstances is a perfect example of unthinking That's How We've Always Done It Syndrome. It dates back to the days of printing terminals, where everything you typed was dot-matrixed onto a roll of paper as you went. It was a very good idea and very important that those passwords not be echoed back to the user, because they'd be preserved on greenbar paper for someone else in the terminal room or computer lab to find.

      But most password entry isn't done in that context anymore. With password-saving features on web browsers and smartphones, it's often done once, then left alone; people can easily take a quick look around to make sure no one's looking when they tap their e-mail password into their smartphone during initial setup. A login screen that doesn't echo the password as you type it, but has "remember my password" checkbox... makes no sense whatsoever. But they're programmed that way, because That's How We've Always Done It. Not masking the password when you initially set the password is a good idea because it's really not that difficult to make the same typo twice in a row, and once you've done that with the root password on a new system, you're screwed.

      I work in an IT office, and every day I get multiple calls from users who've locked themselves out of their accounts because they couldn't see what they were typing. Caps-Lock is a frequent culprit, and if I had a dollar for every time I've asked a user to check that and try again (and it worked), I'd be able to buy pizza for the whole department every Friday.

      There are certainly circumstances where masking the password is a good idea. Kiosks where the user is likely to have strangers standing in line behind her, portable devices that are likely to be used on coffee shop tables, and high-security environments of various kinds. But not all password entry requires that level of looking-over-your-shoulder-but-not-really-because-you-can't-be-bothered-to paranoia to applied. If I'm logging in to Netflix.com to add a movie to my queue, I don't need the kind of password-masking secrecy needed to log in to the medical-records software used where I work. And it's high time someone had the critical thinking skills to start making this judgment call on a case-by-case basis.

      --
      http://alternatives.rzero.com/
    4. Re:Only in the installer by amaurea · · Score: 3, Insightful

      Because if there are other people in the room, and you're really that concerned that they'll be snooping at your root password, they can just as easily look at your hands on the keyboard.

      To read the password from your hands, they need to watch you undetected during the whole password entry. Reading which keys people press is also error-prone and requires you to be very nearby to have full view of the keyboard. To read the password from the screen, you only need a single glance at it near the end of the entry process, and it can be done from further away.

      Imagine a competition where two teams have to try to detect a password without being discovered, but for one team, the password is masked, and for the other it is shown directly on screen. Now you have to bet on which team would get most passwords. I think it should be pretty obvious to everybody that the plaintext team would have a huge advantage - it wouldn't really be a competition at all.

      The compromise suggested in TFA, with all but the previously entered character being masked, gets rid of the single glance problem, but still allows the password to be snooped from relatively far away. I think the former problem is the most serious, though, so it is probably a good tradeoff.

    5. Re:Only in the installer by Grax · · Score: 2

      I don't think it is the end of the world, I think it is more about expectations. I haven't seen the screen in question but I would probably be fine with it as long as it had a warning that the password would be displayed. Suppose I am installing a virtual machine while sitting in a shared space or while sharing my screen on a projector. I go type that password in with the expectation it would be hidden and next thing you know, everyone knows my password. I suppose you could say I'm a bad person for using my login password on my virtual machine's install, but I want something easy to remember. It could very easily be something else but the point is, I didn't expect to be showing that password to anyone, even with others viewing my screen.

      --
      Coding Blog
    6. Re:Only in the installer by Znork · · Score: 2

      If you're using the appropriate tools for doing this sort of thing, why do you need the password to be visible?

      See, works both ways.

      The real issue is that when the end user needs to input a password it simply should not be visible by default as there is no way to tell if the user is in a situation where the password can be observed during input. As the user cannot be expected, without major flashing red alerts all over the screen, to assume that the Fedora installer will work different from close to every other password field in every application available they cannot be expected to take appropriate precautions which will lead to security issues where the decision to make Anaconda 'special' will be entirely at fault.

    7. Re:Only in the installer by UltraZelda64 · · Score: 2

      I just re-read the article you linked to again to refresh my memory (it's been a while since I read it), but it's obvious this wouldn't likely happen--even with the standard keyboard layout.

      1. Of course this has to happen if a computer is actively "listening" for keystrokes. Clearly the machine installing an OS has no way of doing this, so obviously another computer must be nearby.

      2. Let's assume another computer is nearby. Now, with two computers nearby, what is the likelyhood of yet another one or more being around in a business setting? Probably pretty high, but even the noise from just one computer's keyboard could probably throw the whole algorithm off.

      3. Killer problem right here. It needs to "listen" and gather audio data for 15 minutes to actually work. 15 minutes. Of all the time you're installing an OS, how many actual minutes are used up typing? Probably one or two at the most. Big fail. Meanwhile, it could be hearing lots of keyboard chatter from people on other computers, or have its performance decreased from other external noise.

      4. The algorithm assumes English. What if, like any semi-good password should be, it is a mix of English and complete gibberish, including special characters and numbers, etc.? Numbers alone can be hit at different speeds, producing different noise, depending on whether you use the top row or the numeric keypad. Use complete gibberish and all bets are off. A good password will force you to slow down and think at some points, further confusing the algorithm.

      So... the fact remains, the two most likely way to "steal" a password by being in the same physical room are:

      1. Glancing at the screen and seeing it, right there, being displayed in front of your eyes. (easy; a second or two is all it'd take)

      2. Trying to look as close as possible while someone types the password, attemting to see what keys are pressed and in what order from beginning to end (difficult; requires good timing, clear view and good estimation, and the typist to be completely oblivious to his surroundings; unlikely to happen)

    8. Re:Only in the installer by dbIII · · Score: 2

      In my case it's for people that are capable of a full reinstall if they find there is a different linux distro that better suits their needs (which a few have done without needing any help) and for developers that want to beat things until they break. They get a different root password to the servers, other desktops etc, and for some stuff even a different subnet. It's a little different to giving it out "willy-nilly" and given them nice safe VMs doesn't help when they want to muck about with hardware as well.
      While even some software developers should never be trusted with root on their own box there are many that can be, that are impeded in their work if they don't have it, and can get root in a minute with a reboot and a knoppix CDROM or whatever anyway. The same goes for a lot of other technical staff that dabble in software and hardware as part of their work (eg. some scientists).
      What is unthinkable in many office environments is just making it easier for people to do their work in others. So long as you are aware of what is going on and plan for the inevitable failures it may not cause much hassle.

  3. Obligatory bash.org by Anonymous Coward · · Score: 2, Funny

    Obligatory bash.org quote

  4. Windows 8 by scottnix · · Score: 5, Interesting

    I like the way Windows 8 addressed this problem. They added a button that looks like an eye on the right hand side of the password field to show the password as you've typed it. That seems like a better compromise than briefly showing the password characters.

    1. Re:Windows 8 by Anonymous Coward · · Score: 5, Funny

      For mentioning a Microsoft product, we had to mod you down.

  5. one size may not fit all by goddidit · · Score: 2

    I think that this improves password usability and is a move to the right direction. Others should follow instead of making passwords even harder for the end users, the most insane counter examples are the websites that mask your username as well. However, there really should be a switch to toggle this behavior.

    --
    This .sig is exactly 120 characters long.
  6. Good. by Rational · · Score: 5, Interesting

    I hope it catches on. Just give me a tickbox if I want masking when in a public place.

    --
    "Be nice, veer left, and never stop thinking" Iain Banks - Walking On Glass
  7. why isn't there a flag? by pz · · Score: 2

    Many times I'd like to see my password in clear text (like when entering new passwords, to make sure they're correct). It would be convenient to have some way to temporarily turn off asterisk masking.

    --

    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
    1. Re:why isn't there a flag? by cervesaebraciator · · Score: 5, Funny

      Many times I'd like to see my password in clear text (like when entering new passwords, to make sure they're correct). It would be convenient to have some way to temporarily turn off asterisk masking.

      I solve this problem by making all my passwords ********.

  8. no problem by ssam · · Score: 5, Funny

    my password is '*********' so there will be no change for me

  9. Stupid decision by sootman · · Score: 2

    Regardless of whether an idea is good or bad, you should not change decades-old conventions lightly. The proper thing to do at this time is to mask by default and have a checkbox nearby that lets the user choose to show the password.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  10. Depends.. by Junta · · Score: 2

    In some environments, security is an issue. If it's network installable, then chances are they can get the kickstart/unattend/whatever file off the network. For most linux envs done right, the risk is disclosure of the /etc/shadow variant of the file severely mitigating the risk, but in Windows, you cannot use any sort of meaningful protection.

    If you do it from stock media, policy may still prevent it from containing the media (e.g. high chance the technician won't take extra care and might lose media with sensitive data).

    There are environments that automate everything else except the local administrator passwore. There are very few autoinstall mechanisms that meaningful protect the password across deployment (e.g. the Flex System Manager from IBM does it for the OSes it can deploy, and you can craft a Windows install scheme that has no usable local accounts and relies entirely upon active directory sacrificing the ability to administer it offline, but overwhelmingly the majority of automated OS deployments will leave passwords vulnerable if they are tasked with setting them.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Depends.. by Junta · · Score: 2

      I'm talking about kickstart/autoyast vs. unattend.xml.

      In kickstart/autoyast/preseed, you can feed in the pre-crypted value. In windows, you must feed in the password. You don't have the option of, say, feeding in the NTLMv2 hash. Of course, NTLMv2 hash is far weaker than any of the modern crypt() strategies in a linux system.

      --
      XML is like violence. If it doesn't solve the problem, use more.
  11. Re:"Show password as I type" checkbox by gnasher719 · · Score: 3, Interesting

    The log-in and sign-up pages on Phil's Hobby Shop have a "Show password as I type" checkbox. Is this what you were looking for?

    As a MacOS X developer, the developer can mark text entry fields as "password". A major effect of this that other applications (like external spelling checkers, for example) don't have access to what you are typing. The other effect is that the input is hidden.

    At the moment, you can't have a password field that gives protection against malware that could be on your computer, _and_ at the same time displays the password. Only one or the other.

  12. reality vs belief by brainscauseminds · · Score: 2

    "... decided that it is not a security risk to show passwords on your screen in the latest Alpha release of Fedora 19 ..." Security risks is not something that can be "decided" by somebody. There are always risks and showing the password on plain text is certainly more risky than masking it. Or are there some really awesome benefits for showing them in plain. No. Because noone expects that, so both usability and security suffer.

  13. Best Option... by CFBMoo1 · · Score: 2

    Password: [_________] (text)
    Confirm: [_________] (text)
    Mask/Unmask Password [X] (check box)

    Everyone is happy.

    --
    ~~ Behold the flying cow with a rail gun! ~~
  14. Is the Linux desktop a solved problem? by gtirloni · · Score: 2

    Because all the time the Linux distributions waste on crap seems to indicate so. Are they bored out of their mind that they need to focus on stupid things?

    --
    none
  15. Re:That's fine by SerpentMage · · Score: 3, Insightful

    I don't know if you are sarcastic or not, but I for one am thankful for the maintainers of Fedora. Hear me out...

    These days I have to type in passwords that are akin to random letters. I am ok with that. BUT it is BLOODY EFFEN HARD to type in the password into the text field. And if the text field hides the text it becomes annoying to have to input the data again. The problem is that I know my keyboard, but sometimes I have to type twice to hit the correct %^*( character. If I am looking at the keyboard and the screen at the same time things become confusing. Doing this two or three times becomes a royal pain in the arse!

    I understand WHY you should not do this, but quite frankly there is theory and there is practice. And in an era of long obtuse passwords I am thankful!

    --

    "You can't make a race horse of a pig"
    "No," said Samuel, "but you can make very fast pig"
  16. Why not have Ctrl toggle it? by gatkinso · · Score: 2

    Default to masked, hit ctrl and it toggles to unmasked. Ctrl while unmasked makes it masked again.

    --
    I am very small, utmostly microscopic.
  17. Schneier only admits to being "probably wrong". by nuckfuts · · Score: 2

    FTA:

    "So was I wrong?" wrote Schneier. "Maybe. Okay, probably."

    Check your ego and stop waffling. If you're wrong, say you're wrong. Not maybe. Not probably. Just wrong.

  18. Re:"Show password as I type" checkbox by Pentium100 · · Score: 2

    At the moment, you can't have a password field that gives protection against malware that could be on your computer...

    ...whether it is displayed to the user or not.

  19. Re:That's fine by manicb · · Score: 5, Insightful

    This is a good case for, as suggested by many in the discussion, a "show password" button, as is widely used. I don't see an argument for making it the default.

  20. Re:That's fine by arkenian · · Score: 2

    Because many organizations have weird and bizarre rules for passwords that are not based on actual truth of what makes a secure password. My current favorite is 16! Characters, no words, at least 2 each of special characters, numbers, lowercase and uppercase letters. i.e. so long that NO ONE can remember the things if they're truly randomized. Although they're supposedly switching that particular circumstance over to token-based.