Dear maintainer (hope this is the right KDE component). It seems to me that the unlock-session window keeps a typed but forgotten password forever; if I'm right, this is a security breach. Cheers

Reproducible: Always

Steps to Reproduce:
1. Lock the session.
2. Come back and write the password in the form, but do not click enter because something distracted you; exit the room to take a coffee.
3. Somebody else arrives and, clicking return, enters your account because the password of the previous user is still there....

Expected Results: Clean the password form after, say, 1 minute.
This bug is easy enough to reproduce. Could someone please confirm it? I think the password entry widget should disappear after min(max(password required, 60 sec), screen locker start after) of inactivity. And whenever an energy saving timer is called (dpms, hibernate, and so). Thanks,
Hi, in the absence of any reaction, I've double-checked my statement (same KDE version as declared, no time for updates): I confirm the bug I've reported.
1) From a KDE session, clicked on the lock-screen button.
2) Typed the password, but did not enter it with return.
3) Waited 10 minutes (my screen saver runs and covers the unlock window).
4) ...come back... move the mouse to get back the unlock window, just click on return and got back my session..
PLEASE, consider fixing this....
r
@Massimiliano: the problem is not the fact that the password entry widget does not disappear: it disappears and the screensaver runs, without problems. The problem is that when the widget reappears it keeps the typed password instead of resetting the form and showing a clean white line.
ric
This is a slight security issue, but it's also an annoyance. Consider the case (frequent with me) where the screen gets locked and then something gets laid on the keyboard for a few hours. For all the poor idiots who don't know Ctrl-A to select it all and Del, they could sit there using backspace and never make it back to the beginning before giving up. I suggest this bug be fixed, and in addition do at least one of these:
1) Put in some kind of "start over" button, or
2) Make a maximum input length for the password - say 2000 characters, maybe less?
With the new lock screen we have in Plasma 5 the situation improved. As there are no screen savers any more and the unlock screen is always shown, the password field is not hidden after a timeout. This eliminates the problem described in comment #2. Of course it's still possible that one types in the password and then moves away. I'm unsure whether this is really something the lock screen should care about. But it's considerably easy to add a clear field after e.g. 30 msec. The situation described in comment #4 is clearly outside the scope of the lock screen. We shouldn't restrict the length of the input field.
On Tuesday 10 February 2015 12:48:58 Martin Gräßlin wrote:
> But it's considerably easy to add a clear field after e.g. 30 msec.
30 milliseconds?? You mean clearing the field after 30 *seconds* of inactivity? From my point of view that would be great.
Ric
Git commit 5df5d9698a87923705b2ad67dfbd362b8fa91351 by Martin Gräßlin.
Committed on 10/02/2015 at 13:16.
Pushed by graesslin into branch 'master'.

[screenlocker] Clear password field after an idle timeout

Clear the password field if no input happened for 30 sec. This is intended for cases that the user starts entering the password and then moves away from the system leaving it in a state where anyone could unlock the session by just pressing enter.

FIXED-IN: 5.3.0
REVIEW: 122511

M +15 -0 lookandfeel/contents/lockscreen/LockScreen.qml

http://commits.kde.org/plasma-workspace/5df5d9698a87923705b2ad67dfbd362b8fa91351
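The idle-timeout approach that comment #6 proposes and the commit above implements (an unsubmitted password is wiped once no input has arrived for 30 seconds) can be illustrated with a small self-contained QML component. This is an added example written for this thread, not the contents of the KDE commit or of LockScreen.qml; the element ids, the widget layout and the use of Qt Quick Controls 1 are assumptions for illustration only.

```qml
import QtQuick 2.4
import QtQuick.Controls 1.3

// Minimal stand-in for a lock screen's password entry (illustrative, not the KDE code).
Item {
    width: 300
    height: 60

    TextField {
        id: password
        anchors.centerIn: parent
        width: 240
        echoMode: TextInput.Password
        placeholderText: "Password"

        // Each keystroke is "input": restart the idle countdown from now.
        // An emptied field has nothing to protect, so the countdown is stopped.
        onTextChanged: {
            if (text.length > 0)
                clearTimer.restart()
            else
                clearTimer.stop()
        }

        // Enter was pressed: the text is handed to the authenticator and the
        // countdown is no longer needed for this attempt.
        onAccepted: clearTimer.stop()
    }

    // Idle timeout: fires only if no text change happened for the full interval
    // and wipes the typed-but-unsubmitted password so a plain "return" does nothing.
    Timer {
        id: clearTimer
        interval: 30 * 1000   // 30 seconds, as in the commit message above
        repeat: false
        onTriggered: password.text = ""
    }
}
```

Because the timer is restarted from `onTextChanged` rather than from a global activity signal, the 30 seconds are measured from the last keystroke in the field, which matches the "no input happened for 30 sec" wording of the commit; moving the mouse does not keep a half-typed password alive.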