Bug 958608

Summary: password input shown as clear text
Product: [Fedora] Fedora Reporter: Jens Petersen <petersen>
Component: anacondaAssignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: anaconda-maint-list, atigro, awilliam, bitlord0xff, bmarkovic.79, bugzilla, cfeller, danielbelton, dan.mashal, degts, dev, gholms, g.kaviyarasu, hans, iweiss, jonathan, jstodola, lmacken, lsatenstein, me, metherid, mfabian, mitr, mkolman, mrunge, mvadkert, nix.sasl, nonamedotc, peter, praiskup, pwouters, rcyriac, rdieter, rjones, rmarko, robatino, satellitgo, sbueno, stefw, toracat, vanmeeuwen+fedora, vpodzime
Target Milestone: ---Keywords: Reopened, Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: anaconda-19.25-1.fc19 Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of:
: 963212 (view as bug list) Environment:
Last Closed: 2013-05-15 17:27:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 963212    

Description Jens Petersen 2013-05-02 03:49:46 UTC
Description of problem:
On the root password page the password in the confirmation
field is visible as plaintext.

Version-Release number of selected component (if applicable):
F19 TC2
anaconda-19.23-1.fc19 (I think)

Steps to Reproduce:
1. go to root password spoke during installation
2. input root password and confirm input
  
Actual results:
2. confirmation field is in plaintext

Expected results:
2. confirmation field text to be concealed like first field.

Comment 1 Andre Robatino 2013-05-02 04:04:35 UTC
I see this when creating either root or user password. The password is visible while inside the box, turns to asterisks if you go outside the box, and becomes visible again if you go back into the box. It happens on GUI install from either the 32- or 64-bit DVD. I haven't checked the netinsts.

Comment 2 Jens Petersen 2013-05-02 04:28:46 UTC
Right - I dunno if this is intended to be a feature.

Anyway I think it would much better to have a checkbox
to enable this ("[ ] Show password") - with the default
being not to show the password text explicitly.

Comment 3 Branko Grubić 2013-05-02 09:12:08 UTC
I see this also when I want to unlock my LUKS device, using manual partitioning. 
using Beta-TC2 x86_64 netinstall image.

Comment 4 Matthias Runge 2013-05-02 09:27:53 UTC
For user creation, the password is shown, too. I like the proposal from #c2 very much, as it don't breaks with earlier behaviour, but still enables to show the typed password.

Comment 5 Chris Lumens 2013-05-02 13:48:13 UTC
This is working exactly as it is intended.  The passwords are only visible while they are focused.  As soon as you unfocus a field, the password is hidden.  This is a pattern that is becoming more and more widely used, and it makes sense.  Hiding the password as you type doesn't actually do anything for security, as anyone watching your monitor could just watch your keyboard instead.  There's quite a few papers about this right now.

Showing the password as it is typed solves all the keyboard layout related problems, and in a way that does not require yet another widget which needs layout, translation, and all that kind of stuff.

Comment 6 Andre Robatino 2013-05-02 13:59:14 UTC
Your explanation sounds mostly reasonable, but I'm still concerned about the fact that the focus isn't always intentional, and the user might not immediately notice it. For example, if you use a weak password, and click Done, the focus goes back to one of the password windows and you have to click on Done again for it to take. Could the focus stay on Done, so that doesn't happen?

Comment 7 Andre Robatino 2013-05-03 14:52:49 UTC
Filed https://bugzilla.redhat.com/show_bug.cgi?id=959463 for focus going into password box unexpectedly.

Comment 8 Chris Lumens 2013-05-03 18:13:23 UTC
*** Bug 959541 has been marked as a duplicate of this bug. ***

Comment 9 Dan Mashal 2013-05-03 18:16:02 UTC
(In reply to comment #5)
>This is a pattern that is becoming more and more widely used.

Where?

What's being more widely used is an icon you click on to show the password next to the field.

>Hiding the password as you type doesn't actually do
> anything for security, as anyone watching your monitor could just watch your
> keyboard instead.  

Not if you're a fast typer.

>There's quite a few papers about this right now.

Link?
 
> Showing the password as it is typed solves all the keyboard layout related
> problems 

How?

>and in a way that does not require yet another widget which needs
> layout, translation, and all that kind of stuff.

Comment 10 Chris Lumens 2013-05-03 18:23:51 UTC
> >This is a pattern that is becoming more and more widely used.
> 
> Where?

Searching for "show password on focus" reveals quite a few answers.

> >Hiding the password as you type doesn't actually do
> > anything for security, as anyone watching your monitor could just watch your
> > keyboard instead.  
> 
> Not if you're a fast typer.

Okay, I'll record your typing with my phone and play it back slower later.  Typing speed has nothing to do with anything.

> >There's quite a few papers about this right now.
> 
> Link?

Use google?

> > Showing the password as it is typed solves all the keyboard layout related
> > problems 
> 
> How?
> 
> >and in a way that does not require yet another widget which needs
> > layout, translation, and all that kind of stuff.

Ah, see, you just ignored the second piece of the statement there.

Comment 11 Dan Mashal 2013-05-03 18:56:43 UTC
(In reply to comment #10)
> > >This is a pattern that is becoming more and more widely used.
> > 
> > Where?
> 
> Searching for "show password on focus" reveals quite a few answers.
> 
> > >Hiding the password as you type doesn't actually do
> > > anything for security, as anyone watching your monitor could just watch your
> > > keyboard instead.  
> > 
> > Not if you're a fast typer.
> 
> Okay, I'll record your typing with my phone and play it back slower later. 
> Typing speed has nothing to do with anything.
> 
> > >There's quite a few papers about this right now.
> > 
> > Link?
> 
> Use google?
> 
> > > Showing the password as it is typed solves all the keyboard layout related
> > > problems 
> > 
> > How?
> > 
> > >and in a way that does not require yet another widget which needs
> > > layout, translation, and all that kind of stuff.
> 
> Ah, see, you just ignored the second piece of the statement there.

And you ignored "What's being more widely used is an icon you click on to show the password next to the field."

> Okay, I'll record your typing with my phone and play it back slower later. 
> Typing speed has nothing to do with anything.

I'd like to try this experiment with a really long password and see how long it takes you to decrypt it.

Obviously this is one of those "great UI improvement" decisions you have made that you don't plan on fixing. Is that correct?

Comment 12 Dan Mashal 2013-05-03 18:57:40 UTC
(In reply to comment #11)
> Obviously this is one of those "great UI improvement" decisions you have
> made that you don't plan on fixing. Is that correct?

If so please close as WONTFIX

Comment 13 Chris Murphy 2013-05-03 22:29:45 UTC
(In reply to comment #10)
> Searching for "show password on focus" reveals quite a few answers.

In google, that phrase reveals quite a few user scripts and utilities for doing this. No papers.

In google scholar, it yields no results at all.


> Okay, I'll record your typing with my phone and play it back slower later.

You admit that discovery of the password isn't immediate, by requiring a.) playback, b.) slower, c.) later. The discovery of a plaintext password requires none of these things if the password is even remotely memorable. It's significantly higher chance of successful capture, whether viewed or recorded; compared to a potential capture if viewed or recorded by looking at someone's fingers.


> > Link?
> 
> Use google?

I've spent about 15 minutes on this, which is 10 minutes too long, and I'm not finding anything compelling at all.

A single visible character, delayed transition to obscuring bullet, used on mobile platforms, seems reasonable. Even that effectively guarantees password discovery if the event is recorded, whereas it's merely a potential with no guarantee, if the characters never appear on-screen.

Anyway, I find the argument in favor of this behavior to be specious.

Comment 14 Andre Robatino 2013-05-03 22:40:30 UTC
(In reply to comment #13)
> (In reply to comment #10)
> > Searching for "show password on focus" reveals quite a few answers.
> 
> In google, that phrase reveals quite a few user scripts and utilities for
> doing this. No papers.
> 
> In google scholar, it yields no results at all.

On https://addons.mozilla.org/En-us/firefox/addon/show-password/ , I found links to several blog posts by famous people, including Bruce Schneier (who is revered by many as a god). That's probably as close to a formal paper as there is.

Comment 15 Chris Murphy 2013-05-03 22:52:57 UTC
He recanted.
http://www.out-law.com/page-10152

Comment 16 Adam Williamson 2013-05-03 22:58:33 UTC
This whole hoohaa doesn't excite me overmuch, probably because I don't tend to do installs in public, but for what it's worth, from that link cmurf posted:

"Schneier now backs an approach taken by BlackBerry devices and iPhones, which display each character briefly before masking it. "That seems like an excellent compromise," he said."

That's definitely the implementation I've seen in the real world - show one character at a time, either just for a brief moment or until you enter the next one. I can't think of a remotely reputable 'real world' implementation I've seen which only masked when the field was inactive.

Comment 17 Rahul Sundaram 2013-05-04 01:45:13 UTC
*** Bug 959541 has been marked as a duplicate of this bug. ***

Comment 18 Rahul Sundaram 2013-05-04 01:45:41 UTC
Reopening this.  I haven't seen a single paper advocating for this or even a single software do what Anaconda is doing here.  Sometimes, you have an option to show passwords and that would be a nice thing to have and mobile UI might show one character at a time when typing (but only because it is very easy to mistype in a cramped screen) but there is no precedent for showing the entire password when the widget is focused.  Please rethink this.  Thanks

Comment 19 Dan Mashal 2013-05-04 03:43:07 UTC
(In reply to comment #10)
> > >This is a pattern that is becoming more and more widely used.
> > 
> > Where?
> 
> Searching for "show password on focus" reveals quite a few answers.
> 
> > >Hiding the password as you type doesn't actually do
> > > anything for security, as anyone watching your monitor could just watch your
> > > keyboard instead.  
> > 
> > Not if you're a fast typer.
> 
> Okay, I'll record your typing with my phone and play it back slower later. 
> Typing speed has nothing to do with anything.
> 
> > >There's quite a few papers about this right now.
> > 
> > Link?
> 
> Use google?
> 
> > > Showing the password as it is typed solves all the keyboard layout related
> > > problems 
> > 
> > How?
> > 
> > >and in a way that does not require yet another widget which needs
> > > layout, translation, and all that kind of stuff.
> 
> Ah, see, you just ignored the second piece of the statement there.

Ah see, now there's a whole thread on devel that disagrees with you and someone else reopened this.

http://lists.fedoraproject.org/pipermail/devel/2013-May/thread.html#182196

Comment 20 Stef Walter 2013-05-04 07:21:51 UTC
(In reply to comment #16)
> This whole hoohaa doesn't excite me overmuch, probably because I don't tend
> to do installs in public, but for what it's worth, from that link cmurf
> posted:
> 
> "Schneier now backs an approach taken by BlackBerry devices and iPhones,
> which display each character briefly before masking it. "That seems like an
> excellent compromise," he said."
> 
> That's definitely the implementation I've seen in the real world - show one
> character at a time, either just for a brief moment or until you enter the
> next one. I can't think of a remotely reputable 'real world' implementation
> I've seen which only masked when the field was inactive.

FWIW, GTK+ can do this with its "gtk-entry-password-hint-timeout" setting.

Comment 21 Felix Miata 2013-05-04 11:56:07 UTC
Apparent justification:
http://uxmovement.com/forms/why-password-masking-can-hurt-your-sign-up-form/

Comment 22 Paul Wouters 2013-05-04 16:36:35 UTC
a phone is a not a desktop. Showing the password while in focus during install of fedora is bad.

The reason for showing the whole password or only the last letter on a phone is because you are using a virtual keyboard with a much higher error rate.

Comment 23 Daniel Belton 2013-05-05 17:11:03 UTC
I wonder if anyone has thought about some of the government installations where displaying any kind of password can become a criminal offense? 

At the very least, I would run this by the Redhat security guys before thinking about implementing it.

Comment 24 Dan Mashal 2013-05-05 23:44:25 UTC
(In reply to comment #23)
> I wonder if anyone has thought about some of the government installations
> where displaying any kind of password can become a criminal offense? 
> 
> At the very least, I would run this by the Redhat security guys before
> thinking about implementing it.

Of course not. 

Can you please provide any links you might have handy so that this serious isssue is documented in this bug?

Thanks.

Comment 25 Leslie Satenstein 2013-05-06 03:46:18 UTC
Why is this an issue. I find no problem with it.
For example,
In doing the anaconda installation of Fedora or RedHat, you are installing a new linux system.
I just give anaconada the root password 12345. However
On first boot, I log into root and change the password to the ultimate one.

There is a benefit to me vis.

I can give someone the task of installing Fedora, tell him/her to use 12345 as a password, and when it is done, After reboot, I long into root and create a new password, as well as users.

Where is the lost of security.  Do you think that The linux system with the new password, created at boot time, is compromised?

Comment 26 Peter Ajamian 2013-05-06 04:41:09 UTC
(In reply to comment #25)
> I can give someone the task of installing Fedora, tell him/her to use 12345
> as a password, and when it is done, After reboot, I long into root and
> create a new password, as well as users.

You could do that before, masking the password does not change the ability for you to do that.

> Where is the lost of security.  Do you think that The linux system with the
> new password, created at boot time, is compromised?

Well apparently you think that everyone should change their password right after installing a new system.  Doesn't that negate the point of setting the password to begin with?  If we're going to start mandating this then what's the point of asking for a password at all.

If you're going to ask for a password during the install phase then such a simple standard security practise of masking the password shouldn't even be an issue, it should just be done.

Comment 27 Valent Turkovic 2013-05-06 09:22:49 UTC
(In reply to comment #25)
> Why is this an issue. I find no problem with it.
> For example,
> In doing the anaconda installation of Fedora or RedHat, you are installing a
> new linux system.
> I just give anaconada the root password 12345. However
> On first boot, I log into root and change the password to the ultimate one.
> 
> There is a benefit to me vis.
> 
> I can give someone the task of installing Fedora, tell him/her to use 12345
> as a password, and when it is done, After reboot, I long into root and
> create a new password, as well as users.
> 
> Where is the lost of security.  Do you think that The linux system with the
> new password, created at boot time, is compromised?

Please say you are joking.

Comment 28 Bojan Markovic 2013-05-06 11:24:23 UTC
There is simply no sane justification for breaking UX in such a way even if we disregard the (yes, somewhat dubious) security benefits from a previous practice. Standard practice has become masked by default, with an unmasking widget. Alternatively masked by default apart from the last character, with an unmasking widget.

Comment 29 Pavel Raiskup 2013-05-06 12:02:20 UTC
I could agree with having an _explicit_ check "show password" but I would allow
that *ONLY* before I start writing the password - not after.

Comment 30 Leslie Satenstein 2013-05-06 14:50:20 UTC
Here is my addition to comment 25
I install with two full time keyboards.  One has USA English / Canadian French, 
while the second is Latin American (latam)

I do add the keyboard layouts, but there was a problem in the past where. when I entered #@$?() as part of a secure password, that I would have a problem logging into the system immediately after a reboot.

The reason-- # is in a different place on each keyboard layout.
             @ is in a different place on each keyboard layout
etc.
on reboot, did I enter \ (USA English, or # (Canadian French) or
pipe or ? if I had latim layout.

By performing the linux password setup after reboot, the problem for me is and was installed.

By the way, 12345 is in the same location on all three layouts.

Comment 33 Adam Williamson 2013-05-06 21:38:24 UTC
For those curious as to what was changed here:

commit da565b769979a031f318dbc727b9888e4f1fb37c
Author: Chris Lumens <clumens>
Date:   Mon May 6 17:18:30 2013 -0400

    Revert "Add signal handlers for controlling password entry visibility." (#95
    
    This reverts commit 99464761dab4e43cfbf8caa059815c6ab67c6282.

So as things stand, we're back to old-skool masking. I don't know if the devs plan to investigate the alternatives that were proposed.

Comment 34 Rahul Sundaram 2013-05-07 02:10:14 UTC
Chris, thanks for the quick response.

Comment 35 Chris Lumens 2013-05-07 14:23:55 UTC
*** Bug 960451 has been marked as a duplicate of this bug. ***

Comment 39 Fedora Update System 2013-05-10 00:51:58 UTC
anaconda-19.25-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/anaconda-19.25-1.fc19

Comment 40 Fedora Update System 2013-05-10 15:30:06 UTC
Package anaconda-19.25-1.fc19, python-blivet-0.13-1.fc19, pykickstart-1.99.30-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing anaconda-19.25-1.fc19 python-blivet-0.13-1.fc19 pykickstart-1.99.30-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7834/python-blivet-0.13-1.fc19,pykickstart-1.99.30-1.fc19,anaconda-19.25-1.fc19
then log in and leave karma (feedback).

Comment 41 Fedora Update System 2013-05-15 17:27:57 UTC
anaconda-19.25-1.fc19, python-blivet-0.13-1.fc19, pykickstart-1.99.30-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.