Hacker News

This decision long predates Linux. It's been a staple back to the earliest days of Unix; and it isn't a weird decision if you take into consideration of multi user systems in office environments that have non trivial security considerations (for example telecoms companies), which is exactly where Unix came from.

Get out of my head, lol :)

But yeh, never thought this was a problem anyone else delt with. My passwords are all a variant of my on "master password" and sometimes forget which session I'm in so trying to save keystrokes, count backward to where I think the cursor should be.

Just type Control-U once.

The number of times I've posted my sudo password in a random slack channel instead of my terminal is not very high, but too damn high nonetheless

Unless you disable cursor blinking because you find it annoying (like I do).

Why is it better to have a nopassword admin account when using a machine remotely? The point of SSH is to resist mitm attacks, right? If someone could watch my keystrokes, I think I'd have bigger problems!

Yeah but am I going to really open another ssh connection just to run an admin specific command. They also didn't provide an admin user, it setup with all of the extra security configurations. You couldn't even `su`

With sudo you can also give people specific access to commands.

I personally use the pam ssh agent module for this, that way you can use agent forwarding with sudo.

I am aware of that but you forgot the other conditions. Keys sometimes don't register, I'm not sure why but I do experience missing keystrokes.

The passwords get updated irregularly with the org IAM so you aren't sure what the password even is. Pasting doesn't work reliably sometimes, if you're on windows you need to right click to paste in terminals, sometimes a shortcut works. Neither gives me any feedback as to what event was ever registered though.

This is really a non-issue, all password fields behave this way, so it's not like this is a new computer behavior. This change only aligns sudo to literally everything else.

If it breaks the workflow of one person but makes it better for many more, it's likely a worthwhile tradeoff.

How much would unknown password length protect against bruteforcing a 1 character password?

> It is still a good decision, an one character password is useless from a security standpoint.

Only if length is known. Which is true now. So it opens the gates to try passwords of specific known length.

I may or may not use a single char password on a certain machine. This char may or may not be a single space. It may or may not be used in FDE. It's surprising what (OS installers) this breaks.

On the other hand streaming is way, way more common nowadays.

And just sticking to counting, a not exceptionally well-trained ear could already count how many letters you typed and if you pressed backspace (at least with the double-width backspace, sound is definitely different)

"Let's look at their screen and see how long their password is." This article is about silent sudo.

Have you ever watched a fast touch typist, someone that does over 100 words per minute? Someone who might be using an keyboard layout that you're not familiar with? When the full password is entered in less than a second it can be very difficult to discern what they typed unless you're actually recording with video.

But sure, if you're watching someone who types with one finger. Yes, I can see that.

If your password is long enough it doesn’t matter if they know it is say 16 characters and if it isn’t long enough it also doesn’t matter because they can just brute force all the potential lengths up to it. So yes it is just security theater.

No, not really. If you have people watching you so closely, there’s a good chance they can watch your fingers on the keyboard, too. Maybe you’re sharing your screen for a presentation, this might be slightly ill advised, but then, you should run such things in a VM or container and use silly demo passwords.

Think of it this way: there’s a button to show your actual password in the majority of applications nowadays.

`sudo` and `login` are I think the only two tools I use that don’t provide any feedback.

Otherwise my entire life is behind a password database that lets me see my password in plaintext and otherwise shows the length of it as it’s typed. KeepassXC.

If knowing how the length of your password makes it easy to crack you probably have other problems

Yeah, I remember Lotus Notes both showing multiple filler characters per keystroke and showing different keychain pictures based on the hash of what you typed. This way you could also tell you've made a typo before submitting it.

Back around 1996, Notes would show hieroglyphics that changed with each new password character.

Yup, it was Notes, I used it at IBM. It was an unbelievably stupid idea. Every single day people were asking why their password was wrong because they were confused by the line of stars being too long.

Notes did indeed do that, and I as I recall it was three astrix characters per password character.

Sorta reminds me of the i3lock screen locker. It shows an incredibly confusing circle UI where every keystroke randomizes the position of the sector on a circle, with no explanatory text on the screen (^1). To new users, it's not clear at all that you are entering your user password or even that it's a screen locker at all, because it just looks like a cryptic puzzle.

Of course, once you do understand that it's just a password prompt, it's great. Completely confuses the hell out of any shoulder surfers, who will for sure think it's a confusing puzzle, and eventually they will get rate limited.

^1: Example of it in use: https://www.youtube.com/watch?v=FvT44BSp3Uc

Purpose:

> That way you can be certain whether or not you entered a character

I think the idea is that each character overwrites the previous, so you're never showing the total length (apart from 0/1!)

There's no persistent reveal of password length after you're finished typing. It reduces the length-reveal leak from anyone who eventually sees the terminal log to people who are actively over-the-shoulder as you type it.

They mean to have a static single character on the screen and have it change with every keypress. For example, you type "a" and it shows /. You type "b" and it shows "|", etc.

Worse than this issue, but kind of related, sometimes TTY1 (and maybe also the other TTYs) is being spammed by log info on boot, and if you have a TTY login it isn't obvious you can just log in anyway. Had a friend using Arch+i3 with TTY login, pretty new to GNU/Linux in general, so he kinda threw up his hands like "ah dang, can't log in, it's broken". I tried to tell him to just type his credentials anyway, but he didn't get what I was saying at first. Took a bit before we got him logged in and could address the other issues. I've had similar issues on my machines. I once had kernel log verbosity cranked up by accident, copied my config from another machine where I was chasing a GPU bug. Well, the same settings on the other machine were presenting way worse, constant never-ending line-spam, before and after login. Had to get into a graphical environment half-blind to see what I was doing and then turn down the verbosity. IMO there should be an easier way around that.

Good things always happen when you cater to the lowest common denominator.

Ah, but then you choose the wrong language or language runtime and distros ship old versions for 10+ years :)

(compare: polkit. Both sides have their point, but I've been annoyed by this standoff a few times).

Not for local password authentication.

https://github.com/pibara/pam_unix/blob/master/unix_chkpwd.c...

I have a really long passphrase in keepassxc. I often try to type it, fail 50% of the time, display the password, fix the typo. I would not use a long passphrase otherwise. (I understand there are other risks, such as having spyware that is recording my screen, but my main worry is for the safety of the file itself)

I know sudo-rs will likely not allow viewing the password in the short term, but the benefit to being able to have some visual feedback, is that it lets me use a more complex password.

Other example: if I'm on a ssh link with very high latency (ex: on a phone), I might type one character at the time, make sure they register correctly, and continue. If I can't do that, then I'll type the password in a text editor, then copy-paste it into the password prompt.

That's been my solution too and it's never been an issue for me tbh.

Hitting Home, End and Ins would "add" another 3 characters yet would not change the password. A full 100+ keyboard needed.

It is. Only the default changed. Also you can press tab if someone happens to be looking over your shoulder (and your password is so obvious they can guess it from the length).

Feels like you're talking to your own strawman re. whether hiding password length makes sense, which I specifically didn't address, only pointed out that the arguments I've quoted do not support the change.

The reason is to protect the innocent, of course, they're mostly clueless about security! But I don't know the level of practical benefits for this measure, superficially seems to be rather low, but then (assuming silly usability issues like "appears frozen" are fixed) what's the downside?

Millions of desktop users would use empty password if they could.

In reality not much compared to the UX win of being able to see it.

You can choose the middle ground and start X in whatever file is executed by your shell at login, after checking that X is not already running and that the login has not been done remotely through SSH. Instead of using "startx" (which on a properly configured system would also start whatever desktop environment you use), you can use the start program of your desktop environment, for instance I use XFCE, whose starting program is "startxfce4".

This eliminates the need to do the start manually when you login, but like after a manual start you can stop the GUI session, falling back into a console window, and then you can restart the GUI if needed.

I prefer this variant and I find it simpler than having any of the programs used for a GUI login, which have no advantage over the traditional login.

Sadly everyone wants convenience. Nobody hates MS because they are bad, they hate them because they are inconvenient. People are missing the fact that Google is exactly where MS was in the 90s and is most definitely as bad if not worse. I hate android sadly linux isn't looking too good rigt now on mobile.

Devs are are missing the point with linux on phone. Get the point part working first lol so that people have some incentive to carry the damned thing. Apps come later

> and have caused 0 issues in practice

Do you have some data to back that up? Because I doubt it’s literally 0. I make this point because we shouldn’t talk about absolutes when discussing security.

Fo example, Knowing a password length does make it easier to crack a password. So it’s not strictly “security theatre”.

So the real question isn’t whether it has any security benefit; it’s more is the convenience greater than the risk it introduces.

Framing it like this is important because for technical users like us on HN, we’d obviously mostly say the convenience is negligible and thus are more focused on the security aspect of the change.

But for the average Desktop Ubuntu user, that convenience aspect is more pronounced.

This is why you’re going to see people argue against this change on HN. Simply put, different people have different risk appetites.

Must’ve been hard not to name it rusdo because Rust has to come first (before any logic).

No, they simply don't understand the history of the very thing they report on. If you look at the quoted text, they easily could have said 'Unix" terminal.

They also repeatedly talk about a 'half century' of Linux terminals in other parts of the article. This site seems to cater to Linux specifically in many respects, so it's quite reasonable to call them out on super-simple stuff.

Yet somehow, none of the other high security tools I have ever interacted with seem to do this for some reason. No auditor flags it. No security standard recommends hiding it.

But SUDO is the one bastion where it is absolutely essential to not offer hiding keystrokes as an obscure config option, but enable for everyone and their mother?

> Because to hell with UX when it comes to security.

I don’t think you have any idea how wrong you are.

Bad security UX that results in users bypassing security mechanisms entirely is probably the single biggest source of real-world security problems.

> One implies the other. You turn echo off. Then you write asterisks.

That's not how it works. Sudo turns off echo but otherwise keeps the terminal in it's normal cooked canonocal mode, meaning sudo only sees what you've entered after you hit enter. To print asteriks as you type requires putting the terminal in raw mode, which has the addition consequence of needing to implement shit like backspace yourself. Still a UX win worth doing, but it's pretty clear that skipping that and just disabling echo is an easier lazier implementation.

I would be worried more about leaking the timing of the key presses.

Leaking the length of your password is about as bad for security as leaking the fact that you have a password, or that you use sudo.

Courage to be different is an open door to creativity.

Yes, it means going in a wrong direction sometimes as well: that's why it takes courage — success ain't guaranteed and you might be mocked or ridiculed when you fail.

Still, Ubuntu got from zero to most-used Linux distribution on desktops and servers with much smaller investment than the incumbents who are sometimes only following (like Red Hat).

So perhaps they also did a few things right?

(This discussion is rooted in one of those decisions too: Ubuntu was the first to standardize on sudo and no root account on the desktop, at least of mainstream distributions)

> You'd think by now they'd have learned, but apparently not.

No. Suffering is the crucial part of virtue signaling, so bugs in slop rewrites are a feature, not a bug.

  echo "$USER ALL=(ALL) NOPASSWD:ALL" | sudo tee "/etc/sudoers.d/$USER"; sudo chmod 0600 "/etc/sudoers.d/$USER"

  sudo mkdir -p /etc/polkit-1/rules.d

  echo 'polkit.addRule(function(action, subject) { if (subject.isInGroup("sudo") || subject.isInGroup("wheel")) { return polkit.Result.YES; }});' | sudo tee /etc/polkit-1/rules.d/00-nopasswd.rules

I think they mean "leading edge".