Slashdot: News for Nerds

Fedora 19 To Stop Masking Passwords

timothy posted about a year ago | from the dot-dot-dot-dot dept.

Security

First time accepted submitter PAjamian writes "Maintainers of the Anaconda installer in Fedora have taken it upon themselves to show passwords in plaintext on the screen as they are entered into the installer. Following on the now recanted statements of security expert Bruce Schneier, Anaconda maintainers have decided that it is not a security risk to show passwords on your screen in the latest Alpha release of Fedora 19. Members of the Fedora community on the Fedora devel mailing list are showing great concern over this change in established security protocols." Note: the change was first reported in the linked thread by Dan Mashal.


234 comments

That's fine (-1)

Anonymous Coward | about a year ago | (#43628659)

If someone can't look over their shoulder or trust their spouse they should have their account hacked. It will never happen in any case.

Arrogant maintainers... (5, Insightful)

gweihir (88907) | about a year ago | (#43628701)

... thinking they know what is best for everybody. Same stupid story again and again. A button or hot-key for those that want to see their passwords would be acceptable, but making it the default is not.

Re:Arrogant maintainers... (0)

Anonymous Coward | about a year ago | (#43628731)

Anonymous, so rather than plus-one it, just saying right on. Personally I like the checkbox where, if you clear it, the password shows up. Leave it to the user to decide, but make the default more secure.

Re:Arrogant maintainers... (5, Insightful)

hedwards (940851) | about a year ago | (#43628765)

During the install process you're probably alone. I can't recall ever having done an install at the local coffee shop or on the bus. And during the install process is a good time to actually see the password.

The rest of the time, though, it should be a hotkey, as there's no point in masking the password if there's nobody in the room with you. I suppose there might be cameras, but if you're in public you should be assuming that somebody is looking over your shoulder. Even TrueCrypt offers the ability to unmask the passphrase if you wish.

Re:Arrogant maintainers... (5, Insightful)

Kjella (173770) | about a year ago | (#43628875)

As long as you must take some active action to display the password I'm fine with it, but if you give me a password field I'm going to assume by default that it won't be echoed back to me in plaintext, and I'd consider anything else an obvious bug. It doesn't really matter that in this particular case you almost certainly don't need that protection; it breaks the whole user expectation for password fields in general. It's like if your car detected there was no traffic and decided there's no point in blinking the turn signal because nobody would see it; in practice I'd just think my turn lights were broken, not that it was "smart". And there's a lot of hand-waving to justify this complicating simplification.

Re:Arrogant maintainers... (1)

I'm New Around Here (1154723) | about a year ago | (#43629251)

As long as you must take any active action to display the password I'm fine with it, but if you give me a password field I'm going to assume by default that it won't be echoed back to me in plaintext ...

How about if, for this situation of doing a system install, the password field isn't masked, but there is a message displayed in the password box telling you it is not masked?

Personally, I don't like having to check a box to see the password, and would rather it be unmasked by default with a checkbox to mask it, with the additional rule that checking or clearing the box clears the password field first. But with the default, just for the installation process, being unmasked with the warning, and auto-clearing on change of option, would that satisfy you?

Re:Arrogant maintainers... (4, Insightful)

NemosomeN (670035) | about a year ago | (#43629151)

Why assign a hotkey to such a rare task? Make it a checkbox, two tabs away from the password field. Default: Mask the damn password.

Re:Arrogant maintainers... (1)

hedwards (940851) | about a year ago | (#43629323)

There's little or no point in masking the password. Unless you're choosing stupid passwords or giving people a huge number of chances to guess the password, it's not going to make much of a difference. With a proper 10-20 character password that's actually mostly random, people are not going to guess it based upon seeing it one time. At least not without having some sort of savant ability to memorize random strings of characters.

Checkbox or hotkey doesn't really make much difference, either way it should be optional.

Re:Arrogant maintainers... (1)

war4peace (1628283) | about a year ago | (#43629475)

Wanna bet? I have inadvertently trained myself to have a photographic memory because I have had to manually type in thousands of service request numbers (which also contain letters and dashes) from screenshots or other machines. I can easily remember a 20-character string if I look at it for exactly as much time as you need to type it in, for long enough to allow me to write it down.

Re:Arrogant maintainers... (4, Insightful)

Stalks (802193) | about a year ago | (#43629481)

-- "if there's nobody in the room with you"

That's an assumption. You don't know what other people are doing. You are basing an installer used by thousands on your own experiences. You're making the same mistake as the developers are.

Plenty of times I have worked in the datacenter with other engineers from other companies doing installs all around me. I don't want them to see the password, thanks.

Re:Arrogant maintainers... (0)

Anonymous Coward | about a year ago | (#43629667)

I have installed boxes in IT in "siloed" environments with a lot of office politics. In that environment, a cow-orker from a "rival" IT team seeing a password can bring a world of hurt. A DNS server might "accidentally" unconfigure itself, a SAN might "just by chance" drop a LUN when only a person from another team is working in there, or a production database might mysteriously get encrypted with the other team having the key... but only willing to give it up if the next round of equipment upgrade orders goes through their hands first.

I take enough precautions to prevent shoulder-surfing on the keyboard.

Unmasking the password is a nice -option-, but in a lot of environments, especially with cameras and lots of onlookers, it can be a dreadful security disaster.

"Show password as I type" checkbox (0)

tepples (727027) | about a year ago | (#43628817)

The log-in and sign-up pages on Phil's Hobby Shop [philshobbyshop.com] have a "Show password as I type" checkbox. Is this what you were looking for?

Re:"Show password as I type" checkbox (3, Interesting)

gnasher719 (869701) | about a year ago | (#43629449)

The log-in and sign-up pages on Phil's Hobby Shop have a "Show password as I type" checkbox. Is this what you were looking for?

As a MacOS X developer: the developer can mark text entry fields as "password". A major effect of this is that other applications (like external spelling checkers, for example) don't have access to what you are typing. The other effect is that the input is hidden.

At the moment, you can't have a password field that gives protection against malware that could be on your computer, _and_ at the same time displays the password. Only one or the other.

Re:Arrogant maintainers... (1)

cervesaebraciator (2352888) | about a year ago | (#43628861)

A button or hot-key for those that want to see their passwords would be acceptable [...]

Exactly. And easy to implement. We just have to find a key on the keyboard that people are unlikely to use but is always present. How about this "CapsLk" one?

Re:Arrogant maintainers... (1)

HisMother (413313) | about a year ago | (#43629065)

That's an interesting idea. Everybody already warns if you have capslock on while entering a password. They could just change the warning to "Your password will be displayed in plaintext," and ignore the actual capslock (assuming that's possible.)

Re:Arrogant maintainers... (1)

KiloByte (825081) | about a year ago | (#43629297)

Some of us actually use CapsLock to invert the case of part of the password. I'd scream loudly if you sabotaged it. I've had the displeasure of typing some code on a Chromebook, and the key being diverted to a useless function is a pain.

Re:Arrogant maintainers... (1)

cervesaebraciator (2352888) | about a year ago | (#43629455)

I'm sure it is. I was actually just attempting to make a smartass remark about the need for a CapsLock warning on a password prompt (doubtless encouraged by the common tendency to forget the key exists). I think, perhaps, my smartassery should have been more direct, or maybe just more clever.

Re:Arrogant maintainers... (4, Funny)

RawsonDR (1029682) | about a year ago | (#43629443)

We just have to find a key on the keyboard that people are unlikely to use but is always present. How about this "CapsLk" one?

i DON'T THINK MY KEYBOARD HAS THAT ONE

i don"t often post on slashdot because holding down the shift key is far too tedious

Makes sense to me... (1)

quenda (644621) | about a year ago | (#43629255)

Don't we always say here, "obscuring is not securing"?

Re:Makes sense to me... (0)

Anonymous Coward | about a year ago | (#43629399)

Yes, by idiots who misunderstand the statement. Security by obscurity is only bad if your security mechanism would be compromised by disclosure of the information you're trying to keep secret. But even as Bruce Schneier has said, it is perfectly valid to obscure information even if its disclosure would not compromise the integrity of the security system. Obscuring such information is a perfectly valid first defense against attack.

Re:Arrogant maintainers... (1)

Tore S B (711705) | about a year ago | (#43629339)

I don't know how you could call that 'arrogance'. Thinking you know what is best for the majority is a prerequisite for setting sane defaults.

Re:Arrogant maintainers... (0)

Anonymous Coward | about a year ago | (#43629345)

I prefer unmasked passwords in everything except a web browser. It would be nice if it was a system setting.

Re:Arrogant maintainers... (1)

The Moof (859402) | about a year ago | (#43629547)

A good approach to the problem I've seen is masking the password except for the last character entered, put a timeout on that character (5-10 seconds), then mask it too. It lets you see what you've typed in, and you're no more at risk than someone just watching you type the password.

Re:Arrogant maintainers... (2)

swalve (1980968) | about a year ago | (#43629603)

Why not just have a "show password" button like they do for WPA passkeys? You can type the pwd, and then click the button to verify. Problem solved.

Re:Arrogant maintainers... (1)

adosch (1397357) | about a year ago | (#43629693)

Couldn't agree more...

From an Anaconda GUI manual install process, it seems silly to ditch very basic password blackout + back-end entry validation to make sure both password and retype fields match. Was that too much to maintain?

From a Kickstart perspective, I'd say it's even 'less' secure because you can hard-code plain-text useradds in %post, grub passwords, AND more importantly, the root password itself. Not to mention, reveal a boat load about your hardware/network infrastructure that can be a lot more detrimental in the wrong hands or eyes.

...but point taken on both, I'd hope: 1) you're doing the install yourself, and if it is a semi-sensitive install, NOT with prying eyes around, and 2) from a ks perspective, you practice good filesystem ownership and permissions or satellite/spacewalk access controls.

All in all, it's shit like this that makes me lose even more faith in the current Fedora maintainers and the Linux distro going forward. Within the last year: things like non-POSIX adoption breeding into packages, lack of security (as mentioned in the article), the "put 'all' binaries in /usr/bin because we're lazy" approach negating proper UNIX structure. Plain and simple, a lot of change to fix shit that had a standard, WASN'T broken and was thought through LONG ago when most of these 'kids' were playing NES in mom and dad's basement.

Only in the installer (4, Insightful)

Dopefish_1 (217994) | about a year ago | (#43628703)

It's only in cleartext during installation, and only while the password field has focus. This is hardly something to get up in arms about, unless you regularly re-install your OS in front of a crowd.

Re:Only in the installer (0, Redundant)

Anonymous Coward | about a year ago | (#43628753)

This is hardly something to get up in arms about, unless you regularly re-install your OS in front of a crowd.

Except it only takes once for it to matter.

Do you really expect me to disconnect an employee computer, haul it up to my office, and reinstall there - just so I can have a standard local root password the other admins also know?

Why make me go through all that extra work, effort, and time simply because someone is too lazy to add password masking code that has existed since the 60s?

Let me guess, the installer will also bitch if I type "1234" with the intent to change the password to a real one later using well made software? Seems par for the course here.

All this change does is force me to install from a master base image and remove the option for a normal install in the rare time I need it, which in reality causes me to never use their installer software more than once.
If they only wanted others to not use their software, why don't they just go the easy route and stop trying to write software? It will have the same effect but they will be finished in zero seconds instead of greater than zero seconds :P

In the end, this is just a waste of everything.

Re:Only in the installer (1)

hedwards (940851) | about a year ago | (#43628781)

How often do you install or reinstall your OS in front of a crowd?

What's more, if you're setting individual admin passwords at install time, you're doing it wrong. There are tools and techniques for dealing with this sort of thing that would be much more time-efficient. Perhaps focusing on the real issue, that you're not doing it right, would be more efficient than demanding that everybody else suffer because you can't be bothered to set up deployment tools correctly.

Re:Only in the installer (2)

dbIII (701233) | about a year ago | (#43628851)

That's equivalent to saying that if you do an install from the keyboard you're doing it wrong. There's puppet and a pile of other things to avoid manual installs, but sometimes it's handy to go through an install process instead of just churning out identical systems. Also as for "individual admin passwords" - sometimes you do want to give people development boxes or whatever where they know the root password but you don't want them to have root on other machines. Most of the scientists in my workplace know the root password on their desktop systems for instance, and there's an R&D cluster that some developers can do anything they like to.

Re:Only in the installer (0)

Anonymous Coward | about a year ago | (#43629201)

How often do you install or reinstall your OS in front of a crowd?

During the whole last year and this one too...
In front of a crowd: 5-6 times, on Linux help events and helping friends over lunch, who certainly don't want their password shown publicly. Would be highly embarrassing if the password was there for everyone to see.
Not in front of a crowd: exactly zero times.

In my opinion, this change is so bad it's actually hard to believe they're doing it...

Re:Only in the installer (0)

Anonymous Coward | about a year ago | (#43629341)

"In front of a crowd: 5-6 times, on Linux help events and helping friends over lunch, "

You reinstall your friend's computer system while sitting at Starbucks?

Re:Only in the installer (1)

Anonymous Coward | about a year ago | (#43628853)

Why are you installing employee computers off of an installer CD? They make slipstreamed, 100% hands-free installs OUT OF THE BOX for Fedora. If you are wasting this kind of time, manually installing it over and over instead of once, you deserve to be fired. Also, denying remote root/local root password login is more than slightly recommended. Sudo is your friend.

Re:Only in the installer (0)

Anonymous Coward | about a year ago | (#43628975)

"you deserve to be fired"

And as usual, people who spew this line of garbage are your typical noobs who haven't experienced life in the real world yet.

Depends.. (2)

Junta (36770) | about a year ago | (#43629191)

In some environments, security is an issue. If it's network installable, then chances are they can get the kickstart/unattend/whatever file off the network. For most Linux envs done right, the risk is disclosure of the /etc/shadow variant of the file, which severely mitigates the risk, but in Windows you cannot use any sort of meaningful protection.

If you do it from stock media, policy may still prevent it from containing the media (e.g. high chance the technician won't take extra care and might lose media with sensitive data).

There are environments that automate everything else except the local administrator password. There are very few autoinstall mechanisms that meaningfully protect the password across deployment (e.g. the Flex System Manager from IBM does it for the OSes it can deploy, and you can craft a Windows install scheme that has no usable local accounts and relies entirely upon Active Directory, sacrificing the ability to administer it offline), but overwhelmingly the majority of automated OS deployments will leave passwords vulnerable if they are tasked with setting them.

Re:Depends.. (1)

Aighearach (97333) | about a year ago | (#43629529)

For most Linux envs done right, the risk is disclosure of the /etc/shadow variant of the file, which severely mitigates the risk, but in Windows you cannot use any sort of meaningful protection.

*whew* luckily the feature is only in Fedora

Re:Only in the installer (1)

Gavagai80 (1275204) | about a year ago | (#43628865)

If someone's standing over your shoulder already, they can just watch your hands on the keyboard to discover the password.

Re:Only in the installer (1)

jones_supa (887896) | about a year ago | (#43628929)

If someone's standing over your shoulder already, they can just watch your hands on the keyboard to discover the password.

But the chance of discovering the password is clearly higher if it's printed on the screen. I don't mind Red Hat showing the password, but your argument is not good.

Re:Only in the installer (1)

dbIII (701233) | about a year ago | (#43628887)

Just look over your shoulder before entry.
I've been stung by a fat finger problem before when I messed up entering the admin password for an "owncloud" area and the thing only lets you enter it once and it's masked. It was an annoyance and not a showstopper since having root lets you do pretty well anything to the applications running on a system (finding the password hash in the sql database and replacing it with another generated from a password I knew fixed it). It still took time and a visible field or entry twice would have avoided that.
So there you go - it can be a waste of time masking it just as you suggest it is a waste not masking it.
I can't really work out why this was worth a slashdot story.

Re:Only in the installer (1)

gl4ss (559668) | about a year ago | (#43628903)

if you are typing it while the employee is watching, it's all just games anyhow and your methods for working in a non-trusted employee situation are already suspect.

anyhow, at least you're seeing the password behind which you are putting the whole computer. I guess someone over there made a double typo.

of course the sane thing is to add an option for it, like a button next to it, but you know how uxperts are nowadays. the key in the group thinking currently is to remove all options from everything.

Re:Only in the installer (3, Insightful)

fast turtle (1118037) | about a year ago | (#43628939)

Do you really expect me to disconnect an employee computer, haul it up to my office, and reinstall there - just so I can have a standard local root password the other admins also know?

I sure as hell don't. I expect you to either push out a standard image or use PXE to boot the fucking thing and have it install the image that way with all of the employees files stored on the fucking server. As a small business owner, this is the method I prefer using with PXE boot being the 1st. I'll use a disk image for laptops unless it can be configured to PXE boot and download the damn image.

All this change does is force me to install from a master base image and remove the option for a normal install in the rare time I need it, which in reality causes me to never use their installer software more than once.

If you're doing it right to begin with, you won't be using the god damn installer anyhow, as you should be either installing a standard image or using PXE to boot the system and install the fucking image.

All your bitching indicates to me is that you haven't a damn clue how to build a standard image, or that you want to play with unsupported software. This affects only Fedora (RH's fucking Beta Branch), though if they incorporate the change in RH's supported version, they'll be dead within a couple of years if not sooner because of lawsuits and losing most of their Government Certifications.

Before any of this will happen though, the shareholders will file suit and sue the idiot CEO/Chairman for violating "Fiscal Responsibility", as this is about the fastest way to kill Red Hat. Lose those Government Certifications and there isn't anywhere in the world that a government will use their product. Hell, give it enough stink and the shareholders may end up changing the Board and CEO for just that reason, gutting any compensation they would receive (no golden parachutes).

Re:Only in the installer (-1)

Anonymous Coward | about a year ago | (#43629021)

Tools like you are irritating little mosquitoes on /. You think every situation is exactly like yours and if someone doesn't do things exactly like you, "TEHY SHUD B3 FIR3DD!!!!111"

Do everyone a favour and fuck off, cause you don't know shit about shit.

Re:Only in the installer (1)

AmiMoJo (196126) | about a year ago | (#43629429)

It's a really bad idea to have the same local admin password on laptops that go out the door. Also for small businesses without a suitable site license each machine needs installing separately and an image won't pass Genuine Advantage.

Maybe you use Linux. Lucky you.

Re:Only in the installer (1)

Aighearach (97333) | about a year ago | (#43629555)

The story is about a Fedora feature, so yeah, if they're not using linux they didn't have a valid point anyways. So if they don't say, that is reasonable to assume.

Re:Only in the installer (1)

kernelpanicked (882802) | about a year ago | (#43629629)

Three things.

1. Just because you use a standard image, doesn't mean all passwords have to be the same. It's quite easy to generate a random password and have that password updated in a database or sent somewhere for retrieval with kickstart.

2. This is for Fedora. Anyone deploying Fedora in a work environment needs to be fired immediately. It's in no way considered stable and it's supported for a total of 13 months from the day of its release. That's not even close to a reasonable lifetime.

3. What in the actual fuck, does any of this, have to do with Windows or Genuine Advantage?

Re:Only in the installer (3, Insightful)

tverbeek (457094) | about a year ago | (#43628945)

"Do you really expect me to disconnect an employee computer, haul it up to my office, and reinstall there - just so I can have a standard local root password the other admins also know?"

That'd be a more appropriate place to do an OS install, but no: I expect you to lift your head and look around before typing, to see if anyone is staring at the screen. Because if there are other people in the room, and you're really that concerned that they'll be snooping at your root password, they can just as easily look at your hands on the keyboard.

The practice of masking passwords in all circumstances is a perfect example of unthinking That's How We've Always Done It Syndrome. It dates back to the days of printing terminals, where everything you typed was dot-matrixed onto a roll of paper as you went. It was a very good idea and very important that those passwords not be echoed back to the user, because they'd be preserved on greenbar paper for someone else in the terminal room or computer lab to find.

But most password entry isn't done in that context anymore. With password-saving features on web browsers and smartphones, it's often done once, then left alone; people can easily take a quick look around to make sure no one's looking when they tap their e-mail password into their smartphone during initial setup. A login screen that doesn't echo the password as you type it, but has a "remember my password" checkbox... makes no sense whatsoever. But they're programmed that way, because That's How We've Always Done It. Not masking the password when you initially set the password is a good idea because it's really not that difficult to make the same typo twice in a row, and once you've done that with the root password on a new system, you're screwed.

I work in an IT office, and every day I get multiple calls from users who've locked themselves out of their accounts because they couldn't see what they were typing. Caps-Lock is a frequent culprit, and if I had a dollar for every time I've asked a user to check that and try again (and it worked), I'd be able to buy pizza for the whole department every Friday.

There are certainly circumstances where masking the password is a good idea: kiosks where the user is likely to have strangers standing in line behind her, portable devices that are likely to be used on coffee shop tables, and high-security environments of various kinds. But not all password entry requires that level of looking-over-your-shoulder-but-not-really-because-you-can't-be-bothered-to paranoia to be applied. If I'm logging in to Netflix.com to add a movie to my queue, I don't need the kind of password-masking secrecy needed to log in to the medical-records software used where I work. And it's high time someone had the critical thinking skills to start making this judgment call on a case-by-case basis.

Re:Only in the installer (3, Insightful)

amaurea (2900163) | about a year ago | (#43629149)

Because if there are other people in the room, and you're really that concerned that they'll be snooping at your root password, they can just as easily look at your hands on the keyboard.

To read the password from your hands, they need to watch you undetected during the whole password entry. Reading which keys people press is also error-prone and requires you to be very nearby to have full view of the keyboard. To read the password from the screen, you only need a single glance at it near the end of the entry process, and it can be done from further away.

Imagine a competition where two teams have to try to detect a password without being discovered, but for one team, the password is masked, and for the other it is shown directly on screen. Now you have to bet on which team would get most passwords. I think it should be pretty obvious to everybody that the plaintext team would have a huge advantage - it wouldn't really be a competition at all.

The compromise suggested in TFA, with all but the previously entered character being masked, gets rid of the single glance problem, but still allows the password to be snooped from relatively far away. I think the former problem is the most serious, though, so it is probably a good tradeoff.
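The "mask everything except the last character, then mask that too after a timeout" scheme The Moof proposed above, and the single-glance exposure weighed in this reply, as an added example that is not Anaconda's code or anything posted in the thread. It models the field's on-screen state as a pure function of keystroke history and clock, with the opt-in "show password" checkbox several commenters asked for (off by default); `MASK_CHAR`, `BACKSPACE`, `PasswordField`, `glance_exposure` and the keystroke trace are all constructed for this example.

```python
"""Model of the 'mask all but the last character, then mask that too after a
timeout' password field discussed in this thread.

Added example, not Anaconda's code: the display is a pure function of the
keystroke history and the clock, so the policy can be tested without a GUI.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MASK_CHAR = "\u2022"      # bullet glyph, as in most GTK/Qt password entries
BACKSPACE = "BACKSPACE"   # constructed key-event name used by this example


@dataclass
class PasswordField:
    """Display state of one password entry box."""
    reveal_seconds: float = 5.0   # how long the last typed character stays readable
    show_password: bool = False   # the opt-in 'show password' checkbox; masked by default
    _chars: List[str] = field(default_factory=list, init=False)
    _last_insert_at: Optional[float] = field(default=None, init=False)

    def key(self, key: str, at: float) -> None:
        """Apply one keystroke that happened at time `at` (seconds)."""
        if key == BACKSPACE:
            if self._chars:
                self._chars.pop()
            # Nothing was freshly typed, so nothing is revealed: the character
            # that is now last was entered earlier and its window is over.
            self._last_insert_at = None
        elif len(key) == 1 and key.isprintable():
            self._chars.append(key)
            self._last_insert_at = at
        else:
            raise ValueError(f"unsupported key event: {key!r}")

    def _last_visible(self, now: float) -> bool:
        """True while the most recently typed character is still shown."""
        return (self._last_insert_at is not None
                and 0.0 <= now - self._last_insert_at < self.reveal_seconds)

    def render(self, now: float) -> str:
        """The text that is on screen at time `now`."""
        if self.show_password:
            return "".join(self._chars)
        if not self._chars:
            return ""
        tail = self._chars[-1] if self._last_visible(now) else MASK_CHAR
        return MASK_CHAR * (len(self._chars) - 1) + tail

    def value(self) -> str:
        """The secret itself, for the code that actually needs it."""
        return "".join(self._chars)

    def exposed_chars(self, now: float) -> int:
        """How many plaintext characters one glance at `now` would reveal."""
        if self.show_password:
            return len(self._chars)
        return 1 if self._chars and self._last_visible(now) else 0


def glance_exposure(keystrokes: List[Tuple[float, str]], glance_at: float,
                    reveal_seconds: float = 5.0) -> Dict[str, int]:
    """Replay the same keystrokes under three display policies and report how
    many plaintext characters a single glance at `glance_at` sees under each.
    Keystrokes later than the glance have not happened yet and are skipped."""
    policies = {
        "plaintext": PasswordField(show_password=True),        # unmasked field
        "masked": PasswordField(reveal_seconds=0.0),           # classic masking
        "last-char-timeout": PasswordField(reveal_seconds=reveal_seconds),
    }
    exposure: Dict[str, int] = {}
    for name, fld in policies.items():
        for at, key in keystrokes:
            if at <= glance_at:
                fld.key(key, at)
        exposure[name] = fld.exposed_chars(glance_at)
    return exposure


# Constructed keystroke trace: one key every 0.4 s, with a typo ('x') that
# is corrected with backspace.  Final value is "Tr0ub4d0r".
SAMPLE_KEYSTROKES: List[Tuple[float, str]] = [
    (0.0, "T"), (0.4, "r"), (0.8, "0"), (1.2, "u"), (1.6, "x"), (2.0, BACKSPACE),
    (2.4, "b"), (2.8, "4"), (3.2, "d"), (3.6, "0"), (4.0, "r"),
]

if __name__ == "__main__":
    entry = PasswordField()
    for t, k in SAMPLE_KEYSTROKES:
        entry.key(k, t)
        print(f"t={t:3.1f}  screen: {entry.render(t)}")
    print("after timeout:", entry.render(SAMPLE_KEYSTROKES[-1][0] + 5.0))
    print("glance at 4.0s:", glance_exposure(SAMPLE_KEYSTROKES, 4.0))
```

A glance at the end of entry sees all nine characters of the plaintext field, none of the classically masked one, and exactly one under the timeout scheme; a glance right after the backspace sees nothing under either masked policy.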

Re:Only in the installer (1)

phantomfive (622387) | about a year ago | (#43629433)

If you are seriously worried about security, not only do you have to make sure no one is in vision range, you have to make sure they are not within microphone range as well. You can crack a password with just the sound of the keyboard [slashdot.org] .

Re:Only in the installer (1)

devent (1627873) | about a year ago | (#43629267)

Oh please, stupid users will always be stupid. And the next level of stupidity will be that even if the password typed is in clear text, the user will not recognise an upper case character, will think it is a lower case character, and will call you up anyway.

Stupidity is always a race to the bottom. Somewhere you have to put a line and say: no, just learn how to do it.

Re:Only in the installer (1)

I'm New Around Here (1154723) | about a year ago | (#43629383)

Do you really expect me to disconnect an employee computer, haul it up to my office, and reinstall there - just so I can have a standard local root password the other admins also know?

I hope you bring your own certified keyboard with you when you reinstall employees' computers at their own desk.

Because if you don't, the easiest way to get your supersecret password is for the employee to replace their keyboard with another that has a key logger built in.

What company do you work for? I have a friend who's looking for a job.

Re:Only in the installer (1)

Aighearach (97333) | about a year ago | (#43629507)

Why make me go through all that extra work, effort, and time simply because someone is too lazy to add password masking code that has existed since the 60s?

They're taking the old code out, and writing new code with this feature, not leaving something undone. You're obviously fibbing about "other admins" Mr "Anonymous." I'd be embarrassed too if I was impersonating an admin. But your one mistake... admins can read.

Re:Only in the installer (1)

ArcherB (796902) | about a year ago | (#43628863)

It's only in cleartext during installation, and only while the password field has focus. This is hardly something to get up in arms about, unless you regularly re-install your OS in front of a crowd.

Why not a choice? What's wrong with a button that says, "Unmask Password"?

And, sorry, but when developers decide what's best for me, that absolutely IS something to get up in arms about. Maybe I do install my OS in front of a crowd. Maybe I'm installing a real world system at a company with a policy that says all systems must have the same password, in front of people as part of a training course, or at a cubicle next to someone who has no business knowing the password.

My point is, the people who make these decisions have no idea where I'm going to be installing these systems or what my circumstances may be. If shadowing the password is a bad thing, then give me a damn button and let ME make the choice. Choice is good, right?

Re:Only in the installer (1)

nine-times (778537) | about a year ago | (#43628989)

Why not a choice? What's wrong with a button that says, "Unmask Password"?

That's not a terrible idea, but I would be very careful about implementing it. The problem is that it *can* be worse to have a security measure in place "sometimes" or "most of the time" than to not have it in place at all. If password masking is common enough that people assume it will be there, then they'll rely on it, get a sense of security from it, and let their guard down. Then they may type their password out in an unmasked field without noticing in time. People tend to type their passwords out quickly without much thought as it is, so it may not even be enough to provide a visual cue indicating that the password will not be masked.

Either you security do "yes" or security do "no." You security do "guess so," squish, just like grape.

Ok, maybe that quote doesn't really work, since security isn't really about absolutes. But it kinda works.

Re:Only in the installer (1)

zippthorne (748122) | about a year ago | (#43629307)

People tend to type their passwords out quickly without much thought as it is...

Isn't that what you're supposed to do - type to mitigate some of the shoulder-surfing issue by making it that much more difficult for someone to notice where your fingers are.

Re:Only in the installer (1)

bill_mcgonigle (4333) | about a year ago | (#43629331)

Ok, maybe that quote doesn't really work, since security isn't really about absolutes. But it kinda works.

I'll tell you what it works for - short passwords. I have some systems with 36-character keys (oh, right, passwords) and if they're masked and I'm all alone in a data center (or on remote, more likely these days) it's terribly frustrating since I'm not a perfect typist. Yeah, I can slow down and do it right (I don't have a neurological disorder, though some do) but being able to do it fast and have access to backspace is more productive.

Fedora is doing the right thing by allowing unmasked passwords so people will be able to use longer passwords. It's utterly stupid of them to not include a checkbox for 'mask password' if people are going to have a need for that. I'm OK with that being the default too (safer defaults are almost always the right choice), just let me have the choice to unmask the password when I need to. My current Fedora system passwords are only in the 16-character range because of this.

As you say, security isn't about absolutes, and if the Fedora devs think they can understand every situation in the field on millions of systems, then they're delusional and fail at security. Fedora should not be about mistrusting its users.

Re:Only in the installer (0)

Anonymous Coward | about a year ago | (#43628877)

It doesn't matter where you do it. It sets a bad precedent, a decision that will alter future thinking.
Instead of making idiotic changes, fixing things that aren't broken, they should try fixing all those bugs that pop up all the time. I'm still stuck with F16, because I'm too afraid of what I might find in the future versions. Tried the live F18 and couldn't even get it to start ...

Re:Only in the installer (1)

jones_supa (887896) | about a year ago | (#43628997)

What happened when you tried to start F18?

Re:Only in the installer (1)

I'm New Around Here (1154723) | about a year ago | (#43629409)

It fired all its missiles and dropped the extra fuel tank. Damn system bugs.

Re:Only in the installer (1)

mlookaba (2802163) | about a year ago | (#43629111)

" This is hardly something to get up in arms about, unless you regularly re-install your OS in front of a crowd."

Sure, it won't cause a problem if everything always goes according to plan. Perhaps we should save money and remove the interlocks from airplane doors too. After all, it's nothing to get up in arms about, unless you regularly open the door in flight.

you are a fucking idiot (0)

Anonymous Coward | about a year ago | (#43629139)

and uhm. yeah. i mean. there is just no other way to describe it.

Re:Only in the installer (2)

Grax (529699) | about a year ago | (#43629291)

I don't think it is the end of the world, I think it is more about expectations. I haven't seen the screen in question but I would probably be fine with it as long as it had a warning that the password would be displayed. Suppose I am installing a virtual machine while sitting in a shared space or while sharing my screen on a projector. I go type that password in with the expectation it would be hidden and next thing you know, everyone knows my password. I suppose you could say I'm a bad person for using my login password on my virtual machine's install, but I want something easy to remember. It could very easily be something else but the point is, I didn't expect to be showing that password to anyone, even with others viewing my screen.

Obligatory bash.org (2, Funny)

Anonymous Coward | about a year ago | (#43628707)

Re:Obligatory bash.org (1)

erroneus (253617) | about a year ago | (#43628843)

That's one of the funniest things I've seen in a while. Thanks!

Progress and Innovation (1)

foobsr (693224) | about a year ago | (#43628709)

I suppose this is the point where MBA skills have overcome insight within the FOSS (or whatever) domain.

CC.

Windows 8 (5, Interesting)

scottnix (951749) | about a year ago | (#43628711)

I like the way Windows 8 addressed this problem. They added a button that looks like an eye on the right hand side of the password field to show the password as you've typed it. That seems like a better compromise than briefly showing the password characters.

Re:Windows 8 (5, Funny)

Anonymous Coward | about a year ago | (#43629041)

For mentioning a Microsoft product, we had to mod you down.

Presentations... (0)

Anonymous Coward | about a year ago | (#43628715)

What exactly are you supposed to do when you're demoing a product to a room full of people and need to log in using your credentials while they watch? Happens to me all the time.

Re:Presentations... (1)

Neil_Brown (1568845) | about a year ago | (#43628741)

Unless you are installing a production system in front of a room of people, and then not changing the password afterwards, just carry on as usual:

Maintainers of the Anaconda installer in Fedora have taken it upon themselves to show passwords in plaintext on the screen as they are entered into the installer

one size may not fit all (2)

goddidit (988396) | about a year ago | (#43628721)

I think that this improves password usability and is a move in the right direction. Others should follow instead of making passwords even harder for the end users; the most insane counter examples are the websites that mask your username as well. However, there really should be a switch to toggle this behavior.

According to Peter Gutmann... (1)

gnasher719 (869701) | about a year ago | (#43628761)

1. Apps should be aware of password entries, and should turn off mirroring monitors, projectors etc. during password entry.
2. Showing nothing of the password is bad. Some applications actually added random numbers of stars as you type, that is worse. Showing a single character is slightly useful. Dimming out a few characters is better.
3. People are very good at detecting that someone is looking over their shoulder.

Re:According to Peter Gutmann... (1)

tepples (727027) | about a year ago | (#43628837)

1. Apps should be aware of password entries, and should turn off mirroring monitors, projectors etc. during password entry.

Then applications for playing major studio movies would put a password box on the screen just to keep users from mirroring the video to more than one monitor without the movie studio's permission.

Re:According to Peter Gutmann... (1)

gnasher719 (869701) | about a year ago | (#43629501)

Then applications for playing major studio movies would put a password box on the screen just to keep users from mirroring the video to more than one monitor without the movie studio's permission.

You are not thinking clearly. I said an application should disable display on external monitors or projectors while a password is entered. That means the application disables the monitor. An application for playing movies that _wanted_ to disable other monitors would just do that.

This ignores the fact that they wouldn't be able to convince me to rent movies on iTunes and pay them money if I couldn't watch them on my TV but only on my laptop.

Re:According to Peter Gutmann... (0)

Anonymous Coward | about a year ago | (#43628855)

1. Apps should be aware of password entries, and should turn off mirroring monitors, projectors etc. during password entry.

Or, you know, just mask the password.

2. Showing nothing of the password is bad. Some applications actually added random numbers of stars as you type, that is worse. Showing a single character is slightly useful. Dimming out a few characters is better.

Even better, not showing anything. Or putting a generic "typing" text to give you feedback that the application is actually receiving input, which is the only feedback you should ever have.

3. People are very good at detecting that someone is looking over their shoulder.

People are also really good at developing muscle memory. I can type my 30ish character-long password in seconds, without thinking about it. I have different passwords for every application and website, but I let a password manager handle that, I only need to remember the one complex password. In the very rare situation that I make a mistake, I type it all again. What problem is this trying to solve? Who in the hell has any problems typing a password because they can't see it?

this is a simple case of a (0)

Anonymous Coward | about a year ago | (#43628767)

Stupid developer not owning up to his mistake

Good. (5, Interesting)

Rational (1990) | about a year ago | (#43628779)

I hope it catches on. Just give me a tickbox if I want masking when in a public place.

Password (0)

Anonymous Coward | about a year ago | (#43628793)

So when I type 'password' for my password it will show it. Great news!

Re:Password (1)

Gaygirlie (1657131) | about a year ago | (#43628893)

So when I type 'password' for my password it will show it. Great news!

...in the INSTALLER.

On the bright side... (0)

Anonymous Coward | about a year ago | (#43628795)

I predict Ubuntu will release their own update that incorporates this.

And then we can all get along with the business of running Debian - who would never be so stupid as to pull crap like this.

Re:On the bright side... (0)

Anonymous Coward | about a year ago | (#43628857)

I predict Ubuntu will release their own update that incorporates this.

And then we can all get along with the business of running Debian - who would never be so stupid as to pull crap like this.

Considering Debian has foisted upon its users that shithole known as Gnome 3 I wouldn't put too much faith in them. Seems like the Linux community at large is affected by the mad cow disease.
Rational decisions go out the window; stupid, completely stupid decisions stay in. And since those decisions are declared "design decisions" whoo pee dee doo you're hosed. No chance of having them reverted.
What is so wrong with making "visible password" OPT-IN? Fucking jesus christ. No, it's better to just have the default as making the passwords visible. Damn idiots.
Let's throw all the self proclaimed designers out of the linux community. Nothing will be lost considering all the shit they have imposed soviet style over their users.

Re:On the bright side... (1)

I'm New Around Here (1154723) | about a year ago | (#43629453)

Let's throw all the self proclaimed designers out of the linux community. Nothing will be lost considering all the shit they have imposed soviet style over their users.

Or you could roll your own. Isn't that the biggest advantage of open source, that you have that final level of control?

why isn't there a flag? (2)

pz (113803) | about a year ago | (#43628831)

Many times I'd like to see my password in clear text (like when entering new passwords, to make sure they're correct). It would be convenient to have some way to temporarily turn off asterisk masking.

Re:why isn't there a flag? (5, Funny)

cervesaebraciator (2352888) | about a year ago | (#43628889)

Many times I'd like to see my password in clear text (like when entering new passwords, to make sure they're correct). It would be convenient to have some way to temporarily turn off asterisk masking.

I solve this problem by making all my passwords ********.

no problem (5, Funny)

ssam (2723487) | about a year ago | (#43628895)

my password is '*********' so there will be no change for me

Re:no problem (0)

Anonymous Coward | about a year ago | (#43629067)

You use hunter2 too?

Re:no problem (0)

Dwedit (232252) | about a year ago | (#43629275)

You can go hunter2 my hunter2-ing hunter2.

Re:no problem (1)

jones_supa (887896) | about a year ago | (#43629303)

my password is '*********' so there will be no change for me

Seriously speaking, that (plain asterisks) might be a surprisingly strong password. It would be very weak if someone saw your keyboard, but otherwise, who would get the idea to try that? Even the automatic password crackers might not be prepared to check that one.

Re:no problem (1)

cervesaebraciator (2352888) | about a year ago | (#43629461)

Seriously speaking, that (plain asterisks) might once have been a surprisingly strong password.

FTFY. Cat's outta the bag now.

Re:no problem (1)

jones_supa (887896) | about a year ago | (#43629637)

That's true!

a compromise for public unmasking (1)

epine (68316) | about a year ago | (#43628927)

Password masking becomes increasingly annoying with password length, since any finger fumble becomes nearly impossible to back out with the correct number of backspace presses.

I could live with a masking system that replaced the usual * with a - when the current symbol is from the same symbol set as the previous symbol.

The password in the first line would display with the following mask.

ima6uldv8!!!
*--**---**--

For myself anyway, that would put the backspace key "back on the menu" after a finger blap.

I'd be totally happy if the enhanced unmasking only kicked in after the first eight characters.

Re:a compromise for public unmasking (1)

epine (68316) | about a year ago | (#43628965)

Addendum:

It occurs to me that this definition could be modified so that a password all in a single symbol set always displays with only the * character, in addition to the new unmasking only kicking in after the first eight characters, if we wish to keep our fancy logic out from under the dim perceptions and loud scrutiny of the fangle haters.

The symbol would display as - only if different than the preceding character's symbol set. The first character would always display as *.
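
A prototype of the partial-mask scheme proposed in the two posts above, added here as an example; it is not epine's code and not anything in Anaconda. The character rule follows the worked example in the first post (`ima6uldv8!!!` displays as `*--**---**--`: a character shows as `-` when it is in the same symbol set as the one before it, `*` when the set changes). The addendum's two gates are parameters: the first `unmask_after` characters are always `*`, and a password drawn from a single symbol set is shown as all `*`. The symbol-set boundaries (lower, upper, digit, other) are my assumption.

```python
# Added example, not code from the posts above or from the Anaconda installer.
# Implements epine's "symbol-set" partial mask: '-' when the current character
# is in the same symbol set as the previous one, '*' when the set changes.
# Symbol-set classes (lower/upper/digit/other) are an assumption of this example.


def symbol_set(ch: str) -> str:
    """Classify one character into a coarse symbol set (assumed classes)."""
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    return "other"


def partial_mask(password: str, unmask_after: int = 8) -> str:
    """Render the on-screen mask for `password`.

    Rules, in order of precedence:
      1. A password whose characters all share one symbol set is shown as
         all '*' (the addendum's "keep the fancy logic hidden" rule).
      2. The first character, and every character before index
         `unmask_after`, is shown as '*'.
      3. Otherwise a character is '-' when its symbol set equals the
         previous character's set, and '*' when the set changes.
    """
    if not password:
        return ""
    sets = [symbol_set(c) for c in password]
    if len(set(sets)) == 1:
        return "*" * len(password)
    out = []
    for i, current in enumerate(sets):
        if i == 0 or i < unmask_after or current != sets[i - 1]:
            out.append("*")
        else:
            out.append("-")
    return "".join(out)


def positions_leaking(password: str, unmask_after: int = 8) -> int:
    """How many displayed positions depend on the password's contents.

    Each such position tells a shoulder surfer one bit: "same symbol set as
    the previous character, or not". This is the price of the usability gain,
    and it is what the two gates above are trying to limit.
    """
    if not password:
        return 0
    if len({symbol_set(c) for c in password}) == 1:
        return 0
    return max(0, len(password) - max(1, unmask_after))


if __name__ == "__main__":
    for pw in ("ima6uldv8!!!", "correcthorsebattery", "Tr0ub4dor&3"):
        print(f"{pw:22} {partial_mask(pw, unmask_after=0):22} "
              f"gate=8: {partial_mask(pw)}  leaks {positions_leaking(pw)} positions")
```

With `unmask_after=0` the function reproduces the display in the first post exactly; with the default gate of 8 the first eight characters stay `*` and only the tail reveals set transitions. The caveat a practitioner would raise: every position past the gate leaks one bit of structure to anyone watching the screen or a recording of it, and the all-one-set rule only removes that leak for passphrases built from a single class of characters.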

Re:a compromise for public unmasking (1)

flayzernax (1060680) | about a year ago | (#43629239)

Linux is about options and this takes the option away.

When you have increasing issues of password masking the best way is to have two input fields and train the user (this is an ADMIN anyway) to not copypaste.

Passwords should be long, they should be phrases, with alphanumerics; these are the hardest to crack passwords even if they have a lot of dictionary words. It's a lot harder to crack a 10 word phrase than a 12 letter pure alphanumeric that someone has to write down to remember.

If you're using the phrase approach, then it's actually easy to not have to worry about the mask at all, as most people can consistently type the same phrase 10 times in a row. This is the most ideal solution in our imperfect world without perfect memory and direct brain to computer interfaces.

I don't know my passwords (0)

Anonymous Coward | about a year ago | (#43628947)

I don't know my passwords, only my fingers do, they are too difficult to remember. I don't see how plaintext should help me typing them, even if I knew them, they contain several combinations of similar looking characters and numbers, so it would be more distracting to look at what I am typing. It's like the keyboard, what's written on the keys disturbs more than it helps.

Stupid decision (2)

sootman (158191) | about a year ago | (#43628969)

Regardless of whether an idea is good or bad, you should not change decades-old conventions lightly. The proper thing to do at this time is to mask by default and have a checkbox nearby that lets the user choose to show the password.

Clearly... (0)

Anonymous Coward | about a year ago | (#43629047)

We're in the age of "loudest designer/developer wins - and to hell with the consequences of actual usability"

Fedora 18 (1)

Anonymous Coward | about a year ago | (#43629097)

I need some of the upstream stuff for what I do. So, I upgraded to F18 (PAE). The experience has been mostly what I've expected with silly things broken: LVM + LUKS doesn't boot, gnome-terminal auto-resizes to nothing in KDE, pulseaudio's clicks/pops (even with load-module module-switch-on-port-available commented out), terrible, terrible installer. But the core stuff of KDE seemed pretty okay. ...until I updated to the latest KDE. Now, everything freezes briefly when a window's focus changes, what was once very smooth motion is now jerky and stuttery.

It's like the Fedora project is beginning to implode on itself. No regression testing, no thinking about how a feature impacts other systems, and so on.

I honestly can't see any reason/value why the password's visibility had to change. How about making the installer more robust instead of doing non-value-added things like this and calling them features?

How about cameras? (1)

devent (1627873) | about a year ago | (#43629225)

Not only Shoulder surfing, but also security cameras.
It would not be nice if I go to Internet cafés, and the web form will show to all people my passwords in clear.

Schneier now backs an approach taken by BlackBerry devices and iPhones, which display each character briefly before masking it.

That is not good with security cameras or other cameras, like web cameras, or mobile phone cameras, which are quite common in public places like Internet cafés.

PS: I'm referring to the article about Bruce Schneier: http://www.out-law.com/page-10152 [out-law.com] not the article about Fedora. I know that it's very uncommon to install Fedora in public Internet cafés.

Keyboard layout (1)

hene (866198) | about a year ago | (#43629245)

A few times I have installed an OS with the wrong keyboard layout. This is not a big problem normally, but when you switch your layout after install, you had better remember to run passwd too, at least if you have many special characters in your password. Luckily I had a root shell open both times. A visible password would have prevented this close call.

It's about time (0)

Anonymous Coward | about a year ago | (#43629335)

Back in the pre-historic days of computing, you had a "terminal" and this thing lived basically in front of everybody because you had to share it. That's why password fields started showing up masked. There were too many people around and it was difficult to cover up your password. This is no longer the case and this change is the first step I've seen on an OS that recognizes this practice is no longer needed.

Solved problem (0)

Anonymous Coward | about a year ago | (#43629387)

This is a solved problem on Android.

I've noticed some apps have a "Show Password" checkbox so the user can choose.

Or they show the last character typed for about 2 seconds before changing it to an asterisk.

Either way is superior to always showing the password or asterisks.
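
A model of the "show the last typed character briefly, then mask it" policy mentioned above (and in the BlackBerry/iPhone reference in the "How about cameras?" post), added here as an example. It is not Android, BlackBerry or Anaconda code. It is written as a pure state machine that takes the clock as an argument so the timing rule can be exercised without a GUI toolkit; the two-second window and the decision not to re-reveal a character after backspace are assumptions. The second function replays keystrokes the way a continuously recording camera would see them, which is the objection raised in the cameras post.

```python
# Added example, not code from the posts above or from any vendor's password
# widget. Models the "reveal the last character for a short time" policy.
# Assumptions: a 2-second reveal window; backspace never re-reveals a
# previously typed character; the clock is passed in (use time.monotonic()).

from dataclasses import dataclass, field

REVEAL_SECONDS = 2.0  # assumed: how long the newest character stays visible


@dataclass
class RevealLastField:
    """A password field that shows only the most recent keystroke, briefly."""

    text: str = ""
    last_key_at: float = field(default=float("-inf"))
    reveal_seconds: float = REVEAL_SECONDS

    def type_char(self, ch: str, now: float) -> None:
        """Append a character and (re)start the reveal window."""
        self.text += ch
        self.last_key_at = now

    def backspace(self, now: float) -> None:
        """Delete the last character without re-revealing the one before it.

        The character that becomes last was typed earlier and its window has
        already been spent; reopening it would let an observer walk backwards
        through the password one backspace at a time.
        """
        self.text = self.text[:-1]
        self.last_key_at = float("-inf")

    def display(self, now: float) -> str:
        """What the screen shows at time `now`."""
        if not self.text:
            return ""
        masked = "*" * (len(self.text) - 1)
        if now - self.last_key_at < self.reveal_seconds:
            return masked + self.text[-1]
        return masked + "*"


def camera_transcript(keystrokes, reveal_seconds: float = REVEAL_SECONDS) -> str:
    """Replay (char, timestamp) events and collect every character a recording
    of the screen would capture, sampling right after each keystroke.

    A timed reveal defends against a glance, not against a recording: as long
    as the display is sampled within the window, the whole password is
    recovered. A literal '*' in the password is indistinguishable from the
    mask and is reported as '?'.
    """
    field_ = RevealLastField(reveal_seconds=reveal_seconds)
    seen = []
    for ch, at in keystrokes:
        field_.type_char(ch, at)
        shown = field_.display(at)
        seen.append("?" if shown[-1] == "*" else shown[-1])
    return "".join(seen)


if __name__ == "__main__":
    # Constructed keystroke timeline: typed "hunter2" at half-second intervals.
    events = [(c, i * 0.5) for i, c in enumerate("hunter2")]
    f = RevealLastField()
    for ch, at in events:
        f.type_char(ch, at)
        print(f"t={at:4.1f}  display={f.display(at)}")
    print(f"t={events[-1][1] + 3:4.1f}  display={f.display(events[-1][1] + 3)}")
    print("camera saw:", camera_transcript(events))
```

In a real widget the `now` argument would be `time.monotonic()` at each event, and the toolkit's timer would redraw the field once the window closes. The point of `camera_transcript` is the one the cameras post makes: a timed reveal raises the bar for a shoulder surfer but not for a webcam, phone or CCTV recording, so it is not a substitute for an explicit mask toggle that defaults to hidden.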

My anaconda (0)

Anonymous Coward | about a year ago | (#43629499)

My anaconda don't want none unless it's not masked son!

reality vs belief (2)

brainscauseminds (1865962) | about a year ago | (#43629549)

"... decided that it is not a security risk to show passwords on your screen in the latest Alpha release of Fedora 19 ..." Security risk is not something that can be "decided" by somebody. There are always risks, and showing the password in plain text is certainly more risky than masking it. Or are there some really awesome benefits to showing them in plain? No. Because no one expects that, so both usability and security suffer.