Do you think this is a security risk and if not is it a bad UI decision?
dan.mashal at gmail.com
Sat May 4 22:22:01 UTC 2013
On Sat, May 4, 2013 at 2:37 AM, Michael Scherer <misc at zarb.org> wrote:
> and I think that even Bruce Schneier has given his opinion in favor of
> the proposal :
Which he later took back.
> I can add to that that I have seen more than once people setting a
> password which was not the one they believed due to :
> - keyboard layout ( ie, qwerty vs azerty in France )
> - small usage difference with Windows way, again on azerty keyboard
> ( people using capslock on french keyboard to type numbers while they
> should use shift, as capslock just type capital letter like À or É and
> not 0 or 2, and if you do not understand, just look on the web to
> compare how different it is from qwerty-based keyboard )
The installer should detect the keyboard automatically. In fact you
can even tell it what type of keyboard you have on the first screen.
> Or I could also speak of the small non standard keyboard such as macbook
> one where ~ or | are not printed and where using the wrong keyboard
> could result in wrong characters if you are unaware of the problem.
I think people that have Macs have learned how to use their slightly
different keyboards by now.
> But the discussion is not about that, even if I think the rationale
> around the defaults.
> Showing by default will help people who are less familiar, hidden by
> default will satisfy people who think that's a security issue.
Showing by default helps no one.
> Hidden by default and showing it on demand is likely to still be a
> hindrance to people who may not know they type their password wrong
> ( because I think most assume that it will work fine, we are not to a
> point where people assume by default this will fail ).
Straw man argument.
> So what about hiding on demand, and having it visible by default ? This
> way, people who prefer to have it hidden will be happy, and we are still
> friendly to non technical users.
On Sat, May 4, 2013 at 11:10 AM, Michael Cronenworth <mike at cchtml.com> wrote:
> On 05/04/2013 02:29 AM, Stef Walter wrote:
>> There's already this exact phoneish password hint capability in GTK+
>> with the 'gtk-entry-password-hint-timeout' setting. Turn it on in
>> $XDG_CONFIG_HOME/gtk-3.0/settings.ini, or use
I guess this is somewhat of a reasonable compromise.. if I was
installing Fedora on my phone/tablet.
On Sat, May 4, 2013 at 2:48 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
> Or a forum where said decisions can be overridden with a little more
> sanity, such as FESCo.
Has it come to that? Do we really need a committee to decide "sanity"
and how ridiculous this is?
On Sat, May 4, 2013 at 9:35 AM, Adam Williamson <awilliam at redhat.com> wrote:
> Well, that escalated quickly.
As it should have.
So where do we go from here? I think the vast majority of people here
have agreed that this was wrong. I guess does this now go to FESCo and
let a few people vote on it?
Why can't there be a wider community approval be able to vote on
things like this? As I stated earlier there is a list of things that
have changed without any real widespread community approval.
I kind of feel helpless, and powerless.
Great. I brought the attention to a wider audience and the general
public and something may or may not get done about it, but what about
the next UI change I think is ridiculous or the ones I think that
I don't feel like if I filed a bug anything would get done about it
besides a "too bad" response.
I'm really lost.