Do you think this is a security risk and if not is it a bad UI decision?

Eric H. Christensen sparks at fedoraproject.org
Mon May 6 13:37:06 UTC 2013


On Mon, May 06, 2013 at 08:27:14AM -0500, Josh Bressers wrote:
> A checkbox is probably the right way to handle this. While yes it's
> slightly more work, it does two very important things. It puts the
> user in control, and it is secure by default.

Secure by default is definitely where we need to be at all times.  Now if we could just get SSH to be secure by default...

> Regardless of all the studies that say masking passwords doesn't help,
> we can't make this change quickly. We need to slowly ease people into
> such behavior. For now, the best solution is probably a checkbox, in a
> few releases we can revisit what the current accepted practice is. The
> current accepted practice is to mask the password, sometimes with a
> checkbox to unmask (but never unmask by default).

I remember another discussion similar to this (not on this list) where passwords are shown one character at a time on Android.  That added a risk but because the screens are generally smaller and partially covered by someone's hand it wasn't that big of a deal.  That was a good compromise that made it easier for people to make sure their passwords (passphrases, right?) were being entered correctly.

I feel that not masking passwords isn't good.  We can say that when we install Fedora in our homes that no one is around to see our passwords being entered.  But we simply don't know where, physically, the user is when he is typing that password or what kind of surveillance is around at the time.

-- Eric

--------------------------------------------------
Eric "Sparks" Christensen
Fedora Project - Red Hat

sparks at redhat.com - sparks at fedoraproject.org
097C 82C3 52DF C64A 50C2  E3A3 8076 ABDE 024B B3D1
--------------------------------------------------