Bug 984320

Summary: lightdm-gtk makes passwords visible
Product: [Fedora] Fedora Reporter: Michal Jaegermann <michal>
Component: lightdm-gtkAssignee: Rex Dieter <rdieter>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: christoph.wickert, dan.mashal, gregor, rdieter
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-14 13:53:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michal Jaegermann 2013-07-14 21:50:42 UTC 
Description of problem:

Typing a password into a greeter after an update to lightdm-gtk-1.6.0-1.fc20.x86_64 makes this password visible for anybody around who would like to read it.  Hardly desirable and/or wise.

Version-Release number of selected component (if applicable):
lightdm-gtk-1.6.0-1.fc20

How reproducible:
always

Expected results:
Nothing chaning on a screen when typing a password.  Ever "masking" typed characters with bullets discloses an information about a password length.
Comment 1 Christoph Wickert 2013-07-14 23:48:11 UTC 
I am using lightdm-gtk 1.6.0-1.fc19 (note f19 vs. f20) and cannot confirm your problem. The password is correctly masked with bullets. Even if you don't like it, this is common behavior in all graphical applications across all OSes and I think it makes sense as users need a form of feedback.

just to make sure I understand you correctly: Are you seeing the plain text password in the greeter?
Comment 2 Michal Jaegermann 2013-07-15 02:40:03 UTC 
(In reply to Christoph Wickert from comment #1)

> just to make sure I understand you correctly: Are you seeing the plain text
> password in the greeter?

Yes, that is exactly what I am seeing.  To my great surprise, I should add. On a request I may attach a picture.  BTW - a correct password is accepted and I am logged in.

A side remark about masking with bullets only meant that using such thing discloses a private information too.  It is definitely better than a plain text but a wrong thing to do as well.  Such bad behaviour is far from universal.
Comment 3 Rex Dieter 2013-07-15 11:52:11 UTC 
To be clear, bullet passwords are not a bug, it's by design.  Let's stay focused on the bug as described here, clear-test passwords.
Comment 4 Rex Dieter 2013-08-14 13:53:32 UTC 
It's a gtk3 issue, see bug #994237

*** This bug has been marked as a duplicate of bug 994237 ***