Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fedora 19 To Stop Masking Passwords

Posted by timothy on from the dot-dot-dot-dot dept.

First time accepted submitter PAjamian writes "Maintainers of the Anaconda installer in Fedora have taken it upon themselves to show passwords in plaintext on the screen as they are entered into the installer. Following on the now recanted statements of security expert Bruce Schneier, Anaconda maintainers have decided that it is not a security risk to show passwords on your screen in the latest Alpha release of Fedora 19. Members of the Fedora community on the Fedora devel mailing list are showing great concern over this change in established security protocols." Note: the change was first reported in the linked thread by Dan Mashal.

9 of 234 comments (clear)

  1. Arrogant maintainers... by gweihir · · Score: 5, Insightful

    ... thinking they know what is best for everybody. Same stupid story again and again. A button or hot-key for those that want to see their passwords would be acceptable, but making it the default is not.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Arrogant maintainers... by hedwards · · Score: 5, Insightful

      During the install process you're probably alone. I can't recall ever having done an install at the local coffee shop or on the bus. And during the install process is a good time to actually see the password.

      The rest of the time though, it should be a hotkey as there's no point in masking the password if there's nobody in the room with you, I suppose there might be cameras, but if you're in public you should be assuming that somebody is looking over your shoulder. Even TrueCrypt offers the ability to unmask the passphrase if you wish.

    2. Re:Arrogant maintainers... by Kjella · · Score: 5, Insightful

      As long as you must take any active action to display the password I'm fine with it, but if you give me a password field I'm going to assume by default that it won't be echoed back to me in plaintext and I'd consider anything else an obvious bug. It doesn't really matter that in this particular case you almost certainly don't need that protection, it breaks the whole user expectation for password fields in general. It's like if your car would detect there is no traffic so there's no point in blinking the turn signal because nobody would see it, in practice I'd just think my turn lights are broken not that it was "smart". And there's a lot of hand-waving to justify this complicating simplification.

      --
      Live today, because you never know what tomorrow brings
  2. Windows 8 by scottnix · · Score: 5, Interesting

    I like the way Windows 8 addressed this problem. They added a button that looks like an eye on the right hand side of the password field to show the password as you've typed it. That seems like a better compromise than briefly showing the password characters.

    1. Re:Windows 8 by Anonymous Coward · · Score: 5, Funny

      For mentioning a Microsoft product, we had to mod you down.

  3. Good. by Rational · · Score: 5, Interesting

    I hope it catches on. Just give me a tickbox if I want masking when in a public place.

    --
    "Be nice, veer left, and never stop thinking" Iain Banks - Walking On Glass
  4. Re:why isn't there a flag? by cervesaebraciator · · Score: 5, Funny

    Many times I'd like to see my password in clear text (like when entering new passwords, to make sure they're correct). It would be convenient to have some way to temporarily turn off asterisk masking.

    I solve this problem by making all my passwords ********.

  5. no problem by ssam · · Score: 5, Funny

    my password is '*********' so there will be no change for me

  6. Re:That's fine by manicb · · Score: 5, Insightful

    This is a good case for, as suggested by many in the discussion, a "show password" button, as is widely used. I don't see an argument for making it the default.