Do you think this is a security risk and if not is it a bad UI decision?

Oron Peled oron at actcom.co.il
Fri May 3 22:30:09 UTC 2013 

On Friday 03 May 2013 14:26:22 Dan Mashal wrote:
> ...
> And closed as NOTABUG.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=959541
> https://bugzilla.redhat.com/show_bug.cgi?id=958608

I've read through it and didn't know if I should lough or cry.

Before referring the subject matter: Are security-related decisions
taken without speaking with security-people first? (Dan Walsh? Any other?) 

But I'll try to analyze few of the points raised in the BR...

>> Hiding the password as you type doesn't actually do anything for
>> security, as anyone watching your monitor could just watch your
>> keyboard instead.

Not really:
 * The keyboard is much closer to the body and someone has to
    be *really close to me* to see it (even then it may be partly obscured).

 * On the other hand, a password on a monitor may be visible even to someone
   passing by for a split second (even by mistake) -- the exposure is orders of
   magnitude higher.

>> Not if you're a fast typer.
> Okay, I'll record your typing with my phone and play it back slower later. 
> Typing speed has nothing to do with anything.

Again:
 * Someone can easily record my screen from across the room (zoom)
 * How much of my keyboard they'd see from such a distance? Considering
   my back, elbows, palms (yes I type with 10 fingers) -- not much.

And here comes the best part...

> There's quite a few papers about this right now....
> ... and in a way that does not require yet another widget which needs
> layout, translation, and all that kind of stuff.

Passwords are really bad security mechanism (and you can find lot's of
papers describing their drawbacks). By this line of thought, maybe we
can get rid of the whole root password thingie...

This would save us at least 3 widgets (two text fields and a "done" button),
with all their layout, translation and all that kind of stuff.

OK, so that last one was a bad joke, just like exposing typed passwords...

-- 
Oron Peled                                 Voice: +972-4-8228492
oron at actcom.co.il                  http://users.actcom.co.il/~oron
“If I have seen a little further it is by standing on the shoulders of Giants."
 --Isaac Newton.

More information about the devel mailing list