It may have happened to you. You're typing a password in a web page, and suddenly, a window pops up, with a text field inside it, and since you did not notice it at once, you password displays in clear in the other window.

Many organisations, even if they are shifting over to an Ubuntu environment, will have many Windows PCs that need to be supported. Presently if you want to run a Windows Server Update Service (WSUS) you need to have a Windows Server (Microsoft). I believe being able to cache, test and deploy Windows Updates locally from the Ubuntu Update Server (Ubuntu Brainstorm) would be attractive to admins.

Many organisations, even if they are shifting over to an Ubuntu environment, may have a number of Apple computers that need to be supported. Presently if you want to run an Apple Software Update Server (Client Management, Mac OS X Server (Apple)) you need to have Apple's Mac OS X Server running on Apple hardware. I believe being able to cache, test and deploy Apple Software Updates locally from the Ubuntu Update Server (Ubuntu Brainstorm) would be attractive to admins.

Despite needing to enter your root password to alter such basic things as CPU Scaling, you are not once prompted to enter it to access the Passwords and Encryption Keyring. Anyone is able to view your stored MSN, Twitter, email and Wifi passwords in four simple clicks of the mouse from the desktop.

How to reproduce:

1. Restart your computer and login. Do not enter any passwords after your desktop has loaded.

2. Go to Applications > Accessories > Passwords and Encryption Keyrings

3. Click on the 'Login' folder to drop down and view the programs that store data here.

4. Double click on something you want to look at.

5. Click Password to show some dots, then uncheck the box below the dots marked "Show password"

6. Note that throughout this whole procedure, not once were you prompted to enter in anything that verifies you are authorized to view this information.

This is a security risk, and, because it is a conscious decision for design, not classified as a bug.

Here's the related Ubuntu Forums thread:
http://ubuntuforums.org/showthread.php?t=1302342

and, a post on omgubuntu.co.uk:

http://www.omgubuntu.co.uk/2009/10/security-issue-in-gnome-lets-anyone-see.html

[....]

There are sometimes very critical security updates for applications (like the last Pidign-Update).

Unfortunately the Update Manager doesn't inform the user, that the update is only effective, if the application is restarted after it.

Since suspend-2-ram works for now on many computers, some applications are only seldom restarted (e.g. Pidgin may run for several weeks).

In the case of pidgin this is even a security risk, since an application with a security leak might run for several weeks until the last security fixes will apply.

If you go to install something via the software center, it installs it system-wide, which of course requires a password.

Now this is obviously annoying, but would also seem to also cause a security risk; if the user gets used to entering his password at any point, he may enter it when he has no idea why the dialog is there, allowing malware to get root access.

Of course, the password dialogs are a necessary part of security. But everything in the default repositories is known to be safe, and a password is required to add non-standard repos.

If you login on tty1, you are informed of failed login attempts since your last successful.

This sort of information can be useful.

Taking this further, and going back to this hack on OS X (http://www.macosxhints.com/article.php?story=2006120918170984), it could be an interesting idea to add an option to the login manager to warn you of failed connection attempts on your account and offer to capture pictures via the webcam on login failures (it clearly makes most sense on laptops).

This could be taken further by having the photo e-mailed or uploaded to a FTP server, which could be quite useful in case of computer theft.

This provides accountability of what happens to your computer when you're away and could help in case of theft.

The ancient protocol behind the VNC remote desktop system, RFB, only supports passwords 8 characters long. This means that any password is easily brute forced unless you use other criteria to make it secure (eg a mix of special characters, upper/lowercase letters and numbers.) This is the way that Vino, the GNOME VNC Server (System > Preferences > Remote Desktop,) and Vinagre, the GNOME VNC client, work for password authentication. (Vino also lets the local users manually approve connections.)

Currently, there is no way of knowing how secure a password is. This often leads to users making insecure passwords, which is a risk to security.

Since it seems like people are using the same passwords half across the internets and maybe even their own computer. :(

I would like to see a gnome applet that:

1. You use a master password. (One good, strong password to remember!) Even if this password is compromised, and thanks to the use of "description values", if this password is "lost", it do not threaten all your passwords.
You could even have an extra description values like "sausage"/"flower"/"badger", to get even higher security.

2. Generates your password through algorithms and descriptions on what you use it for. Site url/file/tags/etc. Plus possibilty to use extra personal values for heightened security.

3. _No storage_ of any passwords on disk. (No need for backup) Only descriptions is stored in a encrypted file. (See solution #2)

4. Should be easy to generate new strong passwords.

5. Should be able to autocomplete.

6. Should be useful when using another computer (Public/job) by use of "online" script, which is run locally from browser. Which is achieved by masterpassword + descriptions (as in the url+username/other values, for the site to access) As in: http://passwordmaker.org/passwordmaker.html

How it could work:
The password to use are generated by a master password and "description values" (url/username/tags/file/date/etc.) -> one way hash algorithm ( http://en.wikipedia.org/wiki/Cryptographic_hash_function )= message digest( http://www.rsa.com/rsalabs/node.asp?id=2176 )=password to use. READ ON PLEASE! :D

[....]