Do you think this is a security risk and if not is it a bad UI decision?

Przemek Klosowski przemek.klosowski at nist.gov
Mon May 6 13:21:17 UTC 2013


On 05/03/2013 10:59 PM, Matthew Garrett wrote:
> On Fri, May 03, 2013 at 10:36:51PM -0400, Rahul Sundaram wrote:
>> I was referring to the decision to
>> show the password in full when the user is typing it.
>
> Many UI decisions are unprecedented. That doesn't justify reopening bugs
> that the maintainer has closed. If you want to have a discussion about
> whether or not this is a reasonable UI decision, do so somewhere other
> than Bugzilla.
>

In all seriousness, this is a substantial UI decision that requires a 
commensurate change in user behavior---it shouldn't be dismissed so 
easily by marking it NOTABUG.

Another example of such an important change that recently appeared without 
recourse or much discussion is the lock screen: previously, the 
password unlock widget had focus so one could start typing the password, 
while the new behavior is that the focus is in the clock, and one needs 
to hit Esc or Enter. I understand the security tradeoffs: the former 
behavior is conditioning people to carelessly type passwords in the 
blind, so they are more vulnerable to fake authentication dialogs, while 
the new one almost uses the SAK (secure attention key) paradigm. Still, 
the user behavior change is significant and I keep making mistakes even 
though I understand and agree with the new scheme.

By the way, does Gnome have a SAK? I don't think Esc is a true SAK, but 
maybe I am wrong about it?
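The two lock-screen behaviours contrasted above, as an added illustration that is not part of the original message and not GNOME code. It models the lock screen as a small keyboard-focus state machine: under the old policy the password entry has focus immediately, so keystrokes typed before looking at the screen go straight into the password field and are submitted on Enter; under the new policy focus starts on the clock, so the same blind keystrokes are discarded and only Esc or Enter (assumed here to be the attention keys, as the post describes) moves focus to the entry. A fake authentication dialog behaves like the old screen: whatever window holds focus receives the characters, which is why the habit of typing blind is the risk. Key names, the constructed keystroke sequence and the example password are assumptions for the demo.

```python
from dataclasses import dataclass, field

# Keys that move focus from the clock shade to the password entry.
# Assumption for this model: the post says Esc or Enter does this.
ATTENTION_KEYS = frozenset({"Esc", "Enter"})


@dataclass
class LockScreen:
    """Minimal model of lock-screen keyboard focus (added example, not GNOME code).

    require_attention=False : old behaviour, password entry focused at once.
    require_attention=True  : new behaviour, focus starts on the clock and an
                              attention key is needed before typing counts.
    """
    require_attention: bool
    focus: str = field(init=False)
    buffer: str = field(init=False, default="")
    discarded: list = field(init=False, default_factory=list)
    submitted: list = field(init=False, default_factory=list)

    def __post_init__(self):
        self.focus = "clock" if self.require_attention else "password"

    def press(self, key):
        if self.focus == "clock":
            if key in ATTENTION_KEYS:
                self.focus = "password"      # shade dismissed, entry now focused
            else:
                self.discarded.append(key)   # typed "in the blind": goes nowhere
        elif key == "Enter":
            self.submitted.append(self.buffer)  # handed to the authenticator
            self.buffer = ""
        elif key == "Esc":
            self.buffer = ""                 # clear the entry
        else:
            self.buffer += key               # ordinary character into the field


def replay(require_attention, keys):
    """Feed a key sequence to a fresh lock screen and report what happened."""
    screen = LockScreen(require_attention)
    for k in keys:
        screen.press(k)
    return {
        "submitted": screen.submitted,
        "discarded": "".join(screen.discarded),
        "pending": screen.buffer,
    }


# Constructed keystroke sequences (assumed for the demo).
# A user, out of habit, starts typing before looking at the screen.
BLIND_TYPING = list("hunter2") + ["Enter"]
# The same user after adopting the new habit: attention key first.
ATTENTIVE_TYPING = ["Esc"] + list("hunter2") + ["Enter"]

if __name__ == "__main__":
    # Old policy, or a fake dialog that simply holds focus: password submitted.
    print("old / fake dialog:", replay(False, BLIND_TYPING))
    # New policy: the blind keystrokes are dropped, nothing is submitted.
    print("new, blind:      ", replay(True, BLIND_TYPING))
    # New policy with the attention key pressed first: works as intended.
    print("new, attentive:  ", replay(True, ATTENTIVE_TYPING))
```

Under the old policy `replay` reports the blind-typed string as submitted; under the new policy the same sequence ends up entirely in `discarded`, with the trailing Enter consumed as the attention key, and only the attentive sequence submits a password.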
