| Summary: | Login/Lock Screen: "Show Password" button vulnerable to social engineering | | |
|---|---|---|---|
| Product: | [Plasma] plasmashell | Reporter: | Elias Probst <mail> |
| Component: | Global Theme packages | Assignee: | Plasma Development Mailing List <plasma-devel> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | major | CC: | kde, kde, nate, plasma-bugs, simonandric5 |
| Priority: | NOR | Flags: | kde: Usability? |
| Version: | 5.17.4 | | |
| Target Milestone: | 1.0 | | |
| Platform: | Gentoo Packages | | |
| OS: | Linux | | |
| See Also: | https://bugs.kde.org/show_bug.cgi?id=414399 | | |
| Latest Commit: | | Version Fixed In: | |
| Sentry Crash Report: | | | |
Description

Elias Probst
2016-12-23 10:39:21 UTC

There is: lineedit_reveal_password

But yeah, clearing the password after a certain amount of time and/or when switching VTs makes sense.

…and also related: The password field shouldn't even be shown while the lockscreen is still in its "grace period" where it allows unlocking without a password, as it implies a false sense of security during this period.

From what I can tell the password field is disabled when it's still in grace period:

    enabled: !authenticator.graceLocked

(In reply to Kai Uwe Broulik from comment #4)
> From what I can tell the password field is disabled when it's still in grace
> period:
>
> enabled: !authenticator.graceLocked

It's not disabled here… the cursor blinks from the very first moment in the input field once the screen is locked.

Even if it was disabled, it would still provide a false sense of security: when just briefly looking at the locked screen before leaving the workplace, the visible password field tells me "this workplace is secure, I need to enter a password to access it".

I'd strongly vote for completely hiding it and possibly even indicating the "insecure grace status" in some way during the grace period. Maybe some UX people could weigh in here?

Note that the grace period is only when the lock screen kicks in automatically; if you press Ctrl+Alt+L and lock it manually, it's never in grace period and always requires a password to be unlocked.

(In reply to Kai Uwe Broulik from comment #6)
> Note that the grace period is only when the lock screen kicks in
> automatically, if you press Ctrl+Alt+L and lock it manually, it's never in
> grace period and always requires a password to be unlocked.

I explicitly tested this scenario before writing my previous comment :)

(In reply to Elias Probst from comment #7)
> (In reply to Kai Uwe Broulik from comment #6)
> > Note that the grace period is only when the lock screen kicks in
> > automatically, if you press Ctrl+Alt+L and lock it manually, it's never in
> > grace period and always requires a password to be unlocked.
>
> I explicitly tested this scenario before writing my previous comment :)

…by which I mean: I waited for the lockscreen to show up instead of manually locking.

(In reply to Elias Probst from comment #0)
> The password field should be cleared:
>
> - after X seconds of inactivity
> - when switching to another VT
> - when suspending/resuming

Done in https://cgit.kde.org/plasma-workspace.git/commit/?id=a4e18e2be1348e7d6fd7fbe0c553ef0eb7120319

*** This bug has been marked as a duplicate of bug 412252 ***
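The thread converges on two mitigations: hide the password field (not merely disable it) while the grace period still allows unlocking without a password, and clear any typed text after inactivity, on VT switch and on suspend/resume. The QML below is an added illustration of that pattern, not code from plasma-workspace or from the linked commit; `authenticator.graceLocked` is the property quoted in the thread, while `authenticator.tryUnlock()` and the 30 s timeout are assumptions.

```qml
import QtQuick 2.15
import QtQuick.Controls 2.15

// Added example: a lock-screen password field hardened along the lines
// discussed in the bug. `authenticator` is assumed to be injected by the
// host (only `graceLocked` is taken from the thread; `tryUnlock` is
// hypothetical). Timeout value is a constructed placeholder.
Item {
    id: root
    property int clearAfterMs: 30000   // "X seconds" of inactivity (assumed)

    TextField {
        id: password
        echoMode: TextInput.Password
        // Hide as well as disable: a visible field during the grace period
        // signals "locked" while the screen can still be unlocked freely.
        visible: !authenticator.graceLocked
        enabled: !authenticator.graceLocked
        onTextChanged: inactivity.restart()
        onAccepted: {
            authenticator.tryUnlock(text)   // hypothetical API
            text = ""                       // never keep a submitted password
        }
    }

    // Drop whatever was typed once the user stops interacting.
    Timer {
        id: inactivity
        interval: root.clearAfterMs
        onTriggered: password.text = ""
    }

    // VT switches and suspend/resume take the lock screen out of the active
    // state; clear the field whenever that happens so a partially typed
    // password is not left behind. Qt.application.state is standard Qt API.
    Connections {
        target: Qt.application
        function onStateChanged() {
            if (Qt.application.state !== Qt.ApplicationActive)
                password.text = ""
        }
    }

    // Also wipe the field when the grace period ends or begins.
    Connections {
        target: authenticator
        function onGraceLockedChanged() { password.text = "" }
    }
}
```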