Do you think this is a security risk and if not is it a bad UI decision?
Matthias Clasen
mclasen at redhat.com
Mon May 6 18:01:34 UTC 2013
On Mon, 2013-05-06 at 09:21 -0400, Przemek Klosowski wrote:
> On 05/03/2013 10:59 PM, Matthew Garrett wrote:
> > On Fri, May 03, 2013 at 10:36:51PM -0400, Rahul Sundaram wrote:
> >> I was referring to the decision to
> >> show the password in full when the user is typing it.
> >
> > Many UI decisions are unprecedented. That doesn't justify reopening bugs
> > that the maintainer has closed. If you want to have a discussion about
> > whether or not this is a reasonable UI decision, do so somewhere other
> > than Bugzilla.
> >
>
> In all seriousness, this is a substantial UI decision that requires a
> commensurate change in user behavior---it shouldn't be dismissed so
> easily as marking it NOTABUG.
>
> Another example of such important change that recently appeared without
> recourse and much discussion is the lock screen: previously, the
> password unlock widget had focus so one could start typing the password,
> while the new behavior is that the focus is in the clock, and one needs
> to hit Esc or Enter. I understand the security tradeoffs: the former
> behavior is conditioning people to carelessly type passwords in the
> blind, so they are more vulnerable to fake authentication dialogs, while
> the new one almost uses the SAK (secure attention key) paradigm. Still,
> the user behavior change is significant and I keep making mistakes even
> though I understand and agree with the new scheme.
This was a temporary situation in GNOME 3.6, when the new lock screen
was introduced. In GNOME 3.8 (F19), you can just type your password
again.
> By the way, does Gnome have a SAK? I don't think Esc is a true SAK, but
> maybe I am wrong about it?
You can't implement a true SAK without support from X and the kernel.