Do you think this is a security risk and if not is it a bad UI decision?

T.C. Hollingsworth tchollingsworth at gmail.com
Sun May 5 21:44:49 UTC 2013 

On Sat, May 4, 2013 at 10:27 PM, Gregory Maxwell <gmaxwell at gmail.com> wrote:
> On Sat, May 4, 2013 at 11:06 AM, T.C. Hollingsworth
> <tchollingsworth at gmail.com> wrote:
>> More to the point, the vast majority of the other software *in Fedora*
>> that accepts passwords for any reason hides the passwords as they are
>> typed.  If this is really broken (and who knows; neither side has
>> really produced much in the way of science), it needs to be fixed in
>> GTK (and Qt, and `passwd`, and a bunch of other places), not papered
>> over in anaconda.
>
> Without intending to express any support for the change, I do think
> it's important to
> point out that anaconda is not the same as most of these other cases
> because there
> is substantial potential for keyboard mapping error. Most of the other
> contexts you've
> named are on an already running system where its harder to notice that your
> keyboard mapping is screwy.
>
> (OTOH, the stakes for a keyboard-remap-password-loss incident couldn't be
> lower than during install— at worst you're confused as a result and have to
> reinstall, but you don't lose data)

Well at the time I wrote that, the only issue that had been raised was
that password masking might not be as secure if everyone thought it
was.  If that's what's broken, my point still stands—anaconda is not
the right place to fix it.

But if our keyboard mapping selection is also broken, the root
password entry is also not the right place to fix it.  By the time
you're entering the root password in the new UI, you've already
started installation and it's too late to go back and change your
keyboard mapping.  Only letting our users know something is broken
*after* it's too late to fix it is just cruel.  (That being said,
there are some suggestions in this thread to fix that problem too, by
providing a keyboard indicator or such.)

IMHO the root password selection screen should be hidden away as a
button on the user creation screen.  That way the username and real
name fields on that screen would be the obvious "my keyboard layout is
wrong" indicators (sidestepping the whole password masking issue) and
we deemphasize selecting a root password, which most normal users
shouldn't need to deal with.  (Right now, user creation and root
password selection kind of look equally important sitting next to each
other on the "configure stuff while installing" hub.)

-T.C.

More information about the devel mailing list