The number of times I've been stuck wondering if my keystrokes are registering properly for a sudo prompt over a high latency ssh connection.
These servers I had an account setup too were, from what I observed, partially linked with the authentication mechanism used by the VPN and IAM services. Like they'd have this mandatory password reset process and sometimes sudo was set to that new password, other times it was whatever was the old one. Couple that with the high latency connection and password authentication was horrible. You would never know if you mistyped something, or the password itself was incorrect or the password you pasted went through or got double pasted.
I think this is a great addition, but only if it leads to redhat adopting it which is what they were running on their VMs.
This is such a good decision. It's one of those things that's incredibly confusing initially, but you get so used to it over the years, I even forgot it was a quirk.
In the modern world there is no plausible scenario where this would compromise a password that wouldn't otherwise also be compromised with equivalent effort.
Somebody tell Apple to fix the login screen for MacOS as well. If your password is longer than the incredibly narrow box, you do not get any additional feedback that your characters are being entered.
Combine that with a flaky keyboard (say from a single grain of dust where it shouldn’t be) and you get a very annoying login experience. Over and over…
Someone should make a joke version that replaces the ***s with comedic passwords or ridiculously bad ones: When you're typing your real password, "iloveyouiloveyou", "12345612345", or "hunter42hunter.." gets printed to the screen.
Why not just display a single character out of a changing set of characters such as
/ - \ |
(starting with a random one from the set) after every character entered?
That way you can be certain whether or not you entered a character but and observer can‘t tell how many characters your password has.
I like the idea of showing keystrokes, but I think that a 1:1 entry has arguably better alternatives.
The default entry on xsecurelock[^0] shows a character jumping on a line between keystrokes, which works well on giving key press feedback while visibly obfuscating password length,
________|_______________________ // after pressing a key it'd move around,
___________________|____________
Also, for anyone looking into preserving this last resort obfuscation behaviour you can do it with,
I've got to say, if you were able to see me typing, you can probably record me doing so, bug my USB keyboard, or buy a $10 wrench. I guess for people streaming it might be worth it? I don't think it's a big enough deal to warrant the fuss around this change though, it's just an ok UX improvement that could be slightly better at retaining the sense of security.
Fascinating . . . reading the comments, it seems like the vast majority think this is a long overdue change. For myself, it never occurred to me that there was any issue and I'm slightly unsettled by the change (i.e. it is far from obvious to me that it's a good thing). It is not something I've thought deeply about, of course.
They could have just made it an option to enable the new behavior. There was no need to change the default.
As for security: 'shoulder surfing' may not be as much of a concern, but watching a livestream or presentation of someone who uses sudo will now expose the password length over the internet (and it's recorded for posterity, so all the hackers can find it later!). They've just introduced a new vulnerability to the remote world.
So, the article says that sudo hid the password by default because of shared terminals and so on.
I would've thought it would've been a simple carry over from before terminals were glass. Like, yeah, I get up from a glass terminal and someone else goes to use it, but wouldn't the scrollback be cleared when I log out? But silent logins from before glass terminals makes a ton of sense; it would literally print your typed characters on a real, physical medium. having
login: cool_user
password: hunter2
sitting on a printout in a trash can? Yeah, obvious security issue.
I dunno, I take them at their word but if you had asked me why password prompts in the terminal don't echo, I would've guessed it was a carry-over from the days of real teletype terminals.
I feel this is a good change as it also emphasizes window/terminal focus is at correct place and user do not unintentionally type the password to another focused place (chat etc.)
Silent sudo passwords are not a real problem. I wouldn't give up the slightest whiff of security over them. This is one of the things that I see that I have a minority position on, and it lowers my general opinion of humanity.
It's on brand for Ubuntu, though. They've been looking for an audience that is not me for a very long time. I sometimes worry about Debian's resistance to social pressure, though. It seems that Debian doesn't fall for marketing or corporate pressure, but they sometimes fall when they are surrounded by people who have fallen for marketing or corporate pressure.
How much information is there in knowing the length of someone's password?
If we know the password's length, it saves us from guessing any shorter passwords. For example, for a numeric password, knowing the length is 4 saves us from having to guess [blank], 0-9, 00-99 and 000-999. This lowers the number of possibilities from 1111 to 1000. The password has 90% of it's original strength. A [0-9a-zA-Z] password retains 98% of it's original strength
I'm glad to see this change. This was already the case for GUI password prompts, and I'm happy to see terminals following suit.
This wasn't someone seeing Chesterton's fence and deciding to knock it down thoughtlessly. This is a change that someone can in fact think all the way through and say "yeah, this should be changed, it's an improvement and doesn't cause any meaningful reduction in security".
I didn't actually know that Mint had enabled this by default. That would have been a useful counterpoint to the naysayers.
If you want the original behaviour you don't actually need to change the configuration - they added a patch afterwards so you can press tab and it will hide the password just for that time.
> The catalyst for Ubuntu’s change is sudo-rs
Actually it was me getting sufficiently pissed off at the 2 second delay for invalid passwords in sudo (actually PAM's fault). There's no reason for it (if you think there is look up unix_chkpwd). I tried to fix it but the PAM people have this strange idea that people like the delay. So I gave up on that and thought I may as well try fixing this other UX facepalm too. I doubt it would have happened with the original sudo (and they said as much) so it did require sudo-rs to exist.
I think this is one of the benefits of rewriting coreutils and so on in Rust - people are way more open to fixing long-standing issues. You don't get the whole "why are you overturning 46 years of tradition??" nonsense.
403 comments
These servers I had an account setup too were, from what I observed, partially linked with the authentication mechanism used by the VPN and IAM services. Like they'd have this mandatory password reset process and sometimes sudo was set to that new password, other times it was whatever was the old one. Couple that with the high latency connection and password authentication was horrible. You would never know if you mistyped something, or the password itself was incorrect or the password you pasted went through or got double pasted.
I think this is a great addition, but only if it leads to redhat adopting it which is what they were running on their VMs.
In the modern world there is no plausible scenario where this would compromise a password that wouldn't otherwise also be compromised with equivalent effort.
Combine that with a flaky keyboard (say from a single grain of dust where it shouldn’t be) and you get a very annoying login experience. Over and over…
----
For KDE:
insert in: then reboot.----
For
Insert/replacesudo:Defaultswith: ----For GNOME, you have to modify
And do one of the following (version-specific): or in newer version, replaceunlockDialog.jsecho_charwithnull. Reboot required.The default entry on xsecurelock[^0] shows a character jumping on a line between keystrokes, which works well on giving key press feedback while visibly obfuscating password length,
Also, for anyone looking into preserving this last resort obfuscation behaviour you can do it with, On NixOS (using sudo-rs), I've got to say, if you were able to see me typing, you can probably record me doing so, bug my USB keyboard, or buy a $10 wrench. I guess for people streaming it might be worth it? I don't think it's a big enough deal to warrant the fuss around this change though, it's just an ok UX improvement that could be slightly better at retaining the sense of security.[^0]: https://github.com/google/xsecurelock#options
As for security: 'shoulder surfing' may not be as much of a concern, but watching a livestream or presentation of someone who uses sudo will now expose the password length over the internet (and it's recorded for posterity, so all the hackers can find it later!). They've just introduced a new vulnerability to the remote world.
I would've thought it would've been a simple carry over from before terminals were glass. Like, yeah, I get up from a glass terminal and someone else goes to use it, but wouldn't the scrollback be cleared when I log out? But silent logins from before glass terminals makes a ton of sense; it would literally print your typed characters on a real, physical medium. having
sitting on a printout in a trash can? Yeah, obvious security issue.I dunno, I take them at their word but if you had asked me why password prompts in the terminal don't echo, I would've guessed it was a carry-over from the days of real teletype terminals.
It's on brand for Ubuntu, though. They've been looking for an audience that is not me for a very long time. I sometimes worry about Debian's resistance to social pressure, though. It seems that Debian doesn't fall for marketing or corporate pressure, but they sometimes fall when they are surrounded by people who have fallen for marketing or corporate pressure.
If we know the password's length, it saves us from guessing any shorter passwords. For example, for a numeric password, knowing the length is 4 saves us from having to guess [blank], 0-9, 00-99 and 000-999. This lowers the number of possibilities from 1111 to 1000. The password has 90% of it's original strength. A [0-9a-zA-Z] password retains 98% of it's original strength
This wasn't someone seeing Chesterton's fence and deciding to knock it down thoughtlessly. This is a change that someone can in fact think all the way through and say "yeah, this should be changed, it's an improvement and doesn't cause any meaningful reduction in security".
I didn't actually know that Mint had enabled this by default. That would have been a useful counterpoint to the naysayers.
If you want the original behaviour you don't actually need to change the configuration - they added a patch afterwards so you can press tab and it will hide the password just for that time.
> The catalyst for Ubuntu’s change is sudo-rs
Actually it was me getting sufficiently pissed off at the 2 second delay for invalid passwords in sudo (actually PAM's fault). There's no reason for it (if you think there is look up unix_chkpwd). I tried to fix it but the PAM people have this strange idea that people like the delay. So I gave up on that and thought I may as well try fixing this other UX facepalm too. I doubt it would have happened with the original sudo (and they said as much) so it did require sudo-rs to exist.
I think this is one of the benefits of rewriting coreutils and so on in Rust - people are way more open to fixing long-standing issues. You don't get the whole "why are you overturning 46 years of tradition??" nonsense.
If anyone wants to rewrite PAM in Rust... :-D
https://github.com/linux-pam/linux-pam/issues/778
I value ctrl+U a lot more for password prompts than the visual feedback, it's even used by GUI on Linux.
apt install sudo-ws
apt remove coreutils-from-uutils --allow-remove-essential