Do you think this is a security risk and if not is it a bad UI decision?
przemek.klosowski at nist.gov
Mon May 6 13:21:17 UTC 2013

On 05/03/2013 10:59 PM, Matthew Garrett wrote:
> On Fri, May 03, 2013 at 10:36:51PM -0400, Rahul Sundaram wrote:
>> I was referring to the decision to
>> show the password in full when the user is typing it.
> Many UI decisions are unprecedented. That doesn't justify reopening bugs
> that the maintainer has closed. If you want to have a discussion about
> whether or not this is a reasonable UI decision, do so somewhere other
> than Bugzilla.

In all seriousness, this is a substantial UI decision that requires a
commensurate change in user behavior---it shouldn't be dismissed so
easily as marking it NOTABUG.

Another example of such an important change that recently appeared without
recourse and much discussion is the lock screen: previously, the
password unlock widget had focus so one could start typing the password,
while the new behavior is that the focus is in the clock, and one needs
to hit Esc or Enter. I understand the security tradeoffs: the former
behavior is conditioning people to carelessly type passwords in the
blind, so they are more vulnerable to fake authentication dialogs, while
the new one almost uses the SAK (secure attention key) paradigm. Still,
the user behavior change is significant and I keep making mistakes even
though I understand and agree with the new scheme.

By the way, does Gnome have a SAK? I don't think Esc is a true SAK, but
maybe I am wrong about it?