Comments
|
|
|
Something needs to be done. My DELL LATITUDE D610 with Ubuntu (latest updates) does exactly the same.
|
|
Ssdg
wrote on the 14 Jul 08 at 17:23
|
|
|
It's a security feature, so someone looking at your screen won't discover your password length, so someone can't know when a key is pressed.
(But I'd like to see this as an option in the graphical password fields)
|
|
acreman
wrote on the 14 Jul 08 at 17:24
|
|
|
|
This happens in all versions of Linux and Unix. I guess it is to keep people from seeing how long your password is.
|
aysiu
(Brainstorm moderator)
wrote on the 14 Jul 08 at 17:26
|
|
|
It's not a security feature. It's a tradition that won't change because it's too hard to fix. If it were really a security feature, there wouldn't be black dots for GUI authentication dialogues, either.
"(But I'd like to see this as an option in the graphical password fields)"
See? Inconsistent. Has nothing to do with "security."
If someone's looking over your shoulder, she can count (by listening) how many keys you pressed when typing, or at least look at what keys you're pressing and see three or four of them.
Unfortunately, I've already brought this up with the developers and they're not going to implement this.
|
|
Sidney
wrote on the 14 Jul 08 at 17:37
|
|
|
Accept it, it is a security feature. GDM can enable this mode, too.
Also, just by listening, it is very hard to be sure how many keys were pressed, especially if you type fast. It is much easier to count the stars on the screen as human beings can grasp a low number without conscious counting.
And if someone's looking over your shoulder when you enter your password, you should be shooing them away anyways ;-).
|
|
|
It's useful for camera systems. Password thieves are using cameras to steal passwords from banks in my city :-p
But maybe it could be an option or at least a message could be displayed warning the user about what is happening.
Just like when you type with caps lock active! it could warn you like: "Secure mode on: Typing passwords will not show characters. Please don't cry" :-p
|
|
|
This is a security feature.
Though, I remember reading about some guy who installed Linux like 5 times, and thought it didn't work.
|
|
|
|
Perhaps there should be a configuration options for this...
|
|
Auzy
wrote on the 15 Jul 08 at 00:56
|
|
|
It isn't a bug, like people are saying, it's a security feature.
But I agree with Bert.ubuntu, maybe a message should be shown with sudo that nothing will be shown on the screen as you type.
|
aysiu
(Brainstorm moderator)
wrote on the 15 Jul 08 at 01:31
|
|
|
|
Since people seem to sincerely believe this is a security feature, I hope you all vote up the idea I'm going to post, which is to remove the black circles as password feedback for GUI operations.
|
|
Auzy
wrote on the 15 Jul 08 at 05:46
|
|
|
|
Aysiu, we also agreed that the best way of going about it was explicitly posting a statement that password hashes will not be shown.
|
aysiu
(Brainstorm moderator)
wrote on the 15 Jul 08 at 06:20
|
|
|
|
That isn't really the ideal solution, since this is apparently "a security issue" (if it really were a "security issue," it should be secure all around, not just for some applications), but at least that would stop some new users from getting confused.
|
|
zeb3000
wrote on the 15 Jul 08 at 13:00
|
|
|
|
I think that many users here vote conservative. They like what they have and they don't understand the need to change. Many also vote with respect to the amount of work needed to implement the idea. That should explain why both of your ideas are voted down. This kind of voting isn't really helpful if you wanna find solutions for long term improvement. Actually, I'm not even sure it is positive to be able to cast negative votes.
|
aysiu
(Brainstorm moderator)
wrote on the 15 Jul 08 at 15:06
|
|
|
Actually, if people just were honest about it and said, "Hey, it isn't a security issue. We just pretend it is. But it's too much work to change, and we just don't care," I'd respect their answers more.
I think you're right, though. I think people are just conservative and not open to change, even if the change makes sense.
|
|
insub2
wrote on the 15 Jul 08 at 15:35
|
|
|
Aww phooey.
This is a User Interface issue.
Ubuntu is supposed to be linux for human beings, right? When a human interacts with a computer they expect some sort of feedback so that they know the computer is responding. **** appears for passwords in the GUI for that very reason. It happens in Windows, Mac, on web pages. It is expected by any user new to the command line. I don't really accept the security argument* but for sake of compromise, there should at the very least be a warning as burt.ubuntu suggested.
*Here is why: It's not a very good security feature since it's the same password one uses to login to the system--through a GUI with the *** displayed. Or when the user installs updates. Or new software through Add/Remove or Synaptic. The lack of consistency negates the security benefits.
And how many people here really need that level of security? I know I don't.
|
|
Endolith
wrote on the 22 Aug 08 at 13:47
|
|
|
|
This is not a security feature.
|
|
arand
wrote on the 2 Dec 08 at 13:36
|
|
|
It is a security feature, albeit more relevant when looking at the history of Unix.
Looking back at the time when your output was printed out on physical paper, it makes a lot of sense to not print out asterisks so that anyone shuffling through the printout would be able to see the length of your password.
And it does make some sense in this aspect, still, since, although as far as I know the whole "password:*" paragraph is omitted from the bash history file, the asterisks would stay in the current terminal until you closed it, so there would still be a chance for someone to count characters, even though you were not currently typing it out.
Taking into account this it _does indeed_ make some sense to stick with no feedback for terminal, whereas you have feedback for graphical passwords, since graphical passwords are only shown whilst you are typing them.
Now. As to whether this little bit of security outweighs the user-friendliness can be discussed. A warning, at least the first time you type a password like this, would probably be a good idea.
- Arand
|
|
arand
wrote on the 3 Dec 08 at 01:07
|
|
|
@AndrewLuecke:
I can't see _that_ changing in a looong while. GNU/Linux breathes through its CLI...
Unless we want to make freeOSX, I guess...
I personally like the way the CLI does passwords, because it gives an undefinable happy GNU/Linux feel. But for Ubuntu and its philosophy I think I'll have to agree that it may not be the best choice to stick with...
Would it be possible to use asterisks whilst typing in CLI and then immediately blank it out once you press enter? That way the security aspect (at least the one I pointed out) would be kept and it would work very much the same as the graphical password.
- Arand
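The behaviour asked about in the comment above (asterisks while typing, blanked as soon as Enter is pressed), sketched as an added example; it is not part of the thread and not sudo's code. The names `read_masked`, `render` and `prompt_on_tty` are hypothetical, and the sketch assumes a POSIX terminal and a password that fits on one screen line.

```python
import sys

def read_masked(read_char, out, prompt="Password: ", mask="*"):
    """Echo one mask per key, then blank the masks once Enter arrives."""
    chars = []
    out.write(prompt)
    out.flush()
    while True:
        ch = read_char()
        if ch in ("\r", "\n", ""):       # Enter, or end of input
            break
        if ch in ("\x7f", "\b"):         # Backspace: drop one char and one mask
            if chars:
                chars.pop()
                out.write("\b \b")
        else:
            chars.append(ch)
            out.write(mask)
        out.flush()
    # Overwrite the masks with spaces so the length does not linger on screen.
    n = len(chars)
    out.write("\b" * n + " " * n + "\b" * n + "\n")
    out.flush()
    return "".join(chars)

def render(output):
    """Tiny model of one terminal line, used to check what stays visible."""
    cells, col = [], 0
    for ch in output:
        if ch == "\n":
            break
        if ch == "\b":
            col = max(col - 1, 0)
        else:
            cells[col:col + 1] = [ch]    # overwrite in place, or append at end
            col += 1
    return "".join(cells).rstrip()

def prompt_on_tty():
    """Interactive use on a POSIX terminal: cbreak mode turns kernel echo off."""
    import termios, tty
    fd = sys.stdin.fileno()
    saved = termios.tcgetattr(fd)
    try:
        tty.setcbreak(fd)
        return read_masked(lambda: sys.stdin.read(1), sys.stdout)
    finally:
        termios.tcsetattr(fd, termios.TCSADRAIN, saved)
```

Calling `prompt_on_tty()` from a terminal shows the effect; the asterisks are still visible to an onlooker or a camera while the password is being typed, so only the lingering-on-screen concern is addressed.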
|
|
m_gol
wrote on the 12 Jan 09 at 08:28
|
|
|
I don't understand the whole mess.
OK, somebody can know how many symbols I have in my password. So? Should I worry? Come on, people - number of passwords containing *exactly* n signs is *nearly the same* (as a proportion) as number of passwords containing *not more* than n passwords... See my calculations in comments to this dup:
http://brainstorm.ubuntu.com/idea/17189/
I could understand that it can be hard to implement due to some historical reasons etc., but this whole "security" reasoning is just funny.
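The counting argument in the comment above, carried through as an added worked example (this is not the calculation from the linked thread; the alphabet size $A = 95$, the printable ASCII characters, is an assumption). With $A$ possible symbols per position, the number of passwords of exactly $n$ symbols and of at most $n$ symbols is

$$N_{=n} = A^{n}, \qquad N_{\le n} = \sum_{k=1}^{n} A^{k} = \frac{A\,(A^{n}-1)}{A-1},$$

so the share of the "at most $n$" space taken up by the "exactly $n$" passwords is

$$\frac{N_{=n}}{N_{\le n}} = \frac{(A-1)\,A^{n-1}}{A^{n}-1} \approx \frac{A-1}{A} = \frac{94}{95} \approx 0.989 .$$

Under that assumption, knowing the exact length rather than only an upper bound of $n$ removes about 1% of the candidates.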
|
|
Endolith
wrote on the 12 Jan 09 at 16:01
|
|
|
"Unless we want to make freeOSX, I guess... "
Uhh... isn't that the whole point?
|
aysiu
(Brainstorm moderator)
wrote on the 16 Nov 09 at 22:05
|
|
|
It doesn't make sense that both this idea and the idea to remove visual feedback from the GUI would be voted down with the constant repeated nonsense about it being a "security feature."
If showing dots or asterisks compromises security, they should never be shown (even in the GUI).
If they do not compromise security, they should be shown (even in the CLI) for consistency's sake so as not to confuse new users.
|