Do you think this is a security risk and if not is it a bad UI decision?

Eric Sandeen sandeen at redhat.com
Sat May 4 04:24:01 UTC 2013


On 5/3/13 10:58 PM, Matthew Garrett wrote:
> On Fri, May 03, 2013 at 08:52:25PM -0700, Dan Mashal wrote:
>> On Fri, May 3, 2013 at 8:51 PM, Matthew Garrett <mjg59 at srcf.ucam.org> wrote:
>>> And if the maintainers feel more than justified in closing it again?
>>> Bugzilla isn't a discussion forum. If you disagree with a deliberate policy
>>> decision, discuss it on an appropriate mailing list.
>>
>> Isn't that what we're doing? That's exactly the point of this email thread.
> 
> No, this isn't the most appropriate mailing list for the discussion - 
> anaconda-devel-list is a better choice if you want to interact with the 
> people who actually work on that code. In any case, I was disagreeing 
> with Rahul's assertion that he was justified in re-opening a bug merely 
> because he disagreed with a design choice.

Matthew, with all due respect the tone of the bug doesn't make me think
that there is a lot of interest in discussion from the developers.

Whether or not bugzilla was the right place to start it, the early
discussion went something like this, mostly paraphrased.

Q: This seems to be a bug.  My password is visible while I type it.  I'm surprised.
   Is this a bug?

A: It's not a bug.  It's intentional.  "There's quite a few papers about this right now."

Q: Link?

A: Google it.

At this point things may have turned a bit south.  If there is active research
or new thinking on this aspect of security, it should be part of the discussion.
If there's precedent, it's worth noting specifically.   That's the transparent,
open approach.  This isn't about the placement of a widget; this is about
someone's password in clear text.  It's worth having a broader discussion
about the implications.

If this had been on the anaconda list, most impacted parties would
not have seen it.  Speaking for myself, I'm glad it was brought up here.

The principle of least surprise is a good one.
I think this change breaks it.

What is the downside to defaulting to a hidden PW, with an opt-in mechanism to
display the password as it's typed?  The downsides of defaulting to cleartext have
been noted, and to me are quite self-explanatory.

On the other hand, if it's the right thing to do, then it needs to be done for
GUI password change dialogs and the passwd command should be updated as well,
for consistency, no?

-Eric

