Do you think this is a security risk and if not is it a bad UI decision?

Josh Bressers josh at bress.net
Mon May 6 13:27:14 UTC 2013


>
> "Will and Mairin had some good links talking about the merits of doing
> this and how hiding passwords doesn't even do all that much to help (a
> determined person can always just watch your keyboard)."

This argument isn't very solid. I mean someone can just break your
window to get in your house, so locking the door is waste of time,
right? The bigger issue here is we should always have the mantra
"secure by default". This is not secure by default.

>
> "Why not use a checkbox?  Well, why use a widget if we don't have to?
> Using a checkbox means now we have to work in another widget to the
> design, introducing potential padding and layout problems.  It's another
> string that needs to be translated.  It's another thing that needs a
> mnemonic widget.  By doing the focus trick, we completely get rid of the
> keyboard layout problem because you can see what you're typing as you're
> typing it.  It may also even allow us to get rid of the confirmation
> entries for the same reason."

A checkbox is probably the right way to handle this. While yes it's
slightly more work, it does two very important things. It puts the
user in control, and it is secure by default.

Security is hard, and many security decisions can often have
unintended impacts. I suspect in this instance, a new Fedora user (and
even some old ones) will see this behavior and think one of two
things. 1) It's a bug. 2) These people know NOTHING about security!
Neither is an ideal outcome.

Regardless of all the studies that say masking passwords doesn't help,
we can't make this change quickly. We need to slowly ease people into
such behavior. For now, the best solution is probably a checkbox, in a
few releases we can revisit what the current accepted practice is. The
current accepted practice is to mask the password, sometimes with a
checkbox to unmask (but never unmask by default).

I think a discussion about the merits of password masking could be
had, but I'd rather not start down that path. Perhaps the better
question is what problem are we trying to solve. Has anyone ever
complained about Anaconda masking passwords?

Thanks.

-- 
    JB


More information about the devel mailing list