Bug 374074

Summary: Login/Lock Screen: "Show Password" button vulnerable to social engineering
Product: [Plasma] plasmashell
Reporter: Elias Probst <mail>
Component: Global Theme packages
Assignee: Plasma Development Mailing List <plasma-devel>
Status: RESOLVED DUPLICATE
Severity: major
CC: kde, kde, nate, plasma-bugs, simonandric5
Priority: NOR
Flags: kde: Usability?
Version: 5.17.4
Target Milestone: 1.0
Platform: Gentoo Packages
OS: Linux
See Also: https://bugs.kde.org/show_bug.cgi?id=414399

Description Elias Probst 2016-12-23 10:39:21 UTC
The recently introduced feature to show the entered password on the lockscreen makes it vulnerable to social engineering and endangers the whole security of the current user.

If someone enters his (partial) password but for some reason doesn't immediately push <RETURN> before leaving his workplace unattended, anyone else walking by could reveal the user's (partial) password.
This is basically leaving the password in plain text on a post-it on the desk.

The password field should be cleared:

- after X seconds of inactivity
- when switching to another VT
- when suspending/resuming

Besides that, it might make sense to introduce a (Kiosk-controllable) option to disable the "Show password" functionality in the lockscreen.
Comment 1 Kai Uwe Broulik 2016-12-23 10:40:43 UTC
There is: lineedit_reveal_password
Comment 2 Kai Uwe Broulik 2016-12-23 10:41:10 UTC
But yeah, clearing the password after a certain amount of time and/or when switching VTs makes sense.
Comment 3 Elias Probst 2016-12-23 10:43:20 UTC
…and also related:

The password field shouldn't even be shown while the lockscreen is still in its "grace period" where it allows unlocking without a password as it implies a false sense of security during this period.
Comment 4 Kai Uwe Broulik 2016-12-23 10:49:45 UTC
From what I can tell the password field is disabled when it's still in grace period:

enabled: !authenticator.graceLocked
Comment 5 Elias Probst 2016-12-23 11:07:24 UTC
(In reply to Kai Uwe Broulik from comment #4)
> From what I can tell the password field is disabled when it's still in grace
> period:
> 
> enabled: !authenticator.graceLocked

It's not disabled here… the cursor blinks from the very first moment in the input field once the screen is locked.

Even if it were disabled, it would still provide a false sense of security: when just briefly looking at the locked screen before leaving the workplace, the visible password field tells me "this workplace is secure, I need to enter a password to access it".

I'd strongly vote for completely hiding it and possibly even indicating the "insecure grace status" in some way during the grace period.

Maybe some UX people could weigh in here?
Comment 6 Kai Uwe Broulik 2016-12-23 11:15:26 UTC
Note that the grace period only applies when the lock screen kicks in automatically; if you press Ctrl+Alt+L and lock it manually, it's never in a grace period and always requires a password to be unlocked.
Comment 7 Elias Probst 2016-12-23 11:19:12 UTC
(In reply to Kai Uwe Broulik from comment #6)
> Note that the grace period is only when the lock screen kicks in
> automatically, if you press Ctrl+Alt+L and lock it manually, it's never in
> grace period and always requires a password to be unlocked.

I explicitly tested this scenario before writing my previous comment :)
Comment 8 Elias Probst 2016-12-23 11:20:39 UTC
(In reply to Elias Probst from comment #7)
> (In reply to Kai Uwe Broulik from comment #6)
> > Note that the grace period is only when the lock screen kicks in
> > automatically, if you press Ctrl+Alt+L and lock it manually, it's never in
> > grace period and always requires a password to be unlocked.
> 
> I explicitly tested this scenario before writing my previous comment :)

…by which I mean: I waited for the lockscreen to show up instead of manually locking.
Comment 9 Nate Graham 2019-12-06 18:14:08 UTC
(In reply to Elias Probst from comment #0)
> The password field should be cleared:
> 
> - after X seconds of inactivity
> - when switching to another VT
> - when suspending/resuming

Done in https://cgit.kde.org/plasma-workspace.git/commit/?id=a4e18e2be1348e7d6fd7fbe0c553ef0eb7120319
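The three clearing rules from the report (inactivity timeout, VT switch, suspend/resume), combined with the `enabled: !authenticator.graceLocked` binding quoted in comment 4, sketched as an added QML example; this is not the plasma-workspace code or the linked commit. The `authenticator` object is assumed to exist as on the page; the 30-second interval and the `sessionHooks` object relaying VT-switch and sleep events are assumptions.

```qml
import QtQuick 2.15
import QtQuick.Controls 2.15

Item {
    id: unlockArea

    // Assumed: provided by the lock screen host, as referenced on the page.
    property QtObject authenticator

    // Assumed hypothetical host object that relays "VT switched away" and
    // "system is about to sleep / has resumed" as QML signals.
    property QtObject sessionHooks

    function clearPassword() {
        passwordField.text = ""
        inactivityTimer.stop()
    }

    TextField {
        id: passwordField
        echoMode: TextInput.Password
        // Binding quoted in comment 4: no input during the grace period.
        // Comment 5 argues for hiding the field instead (visible: ...).
        enabled: !authenticator.graceLocked
        // Every keystroke re-arms the timeout, so typed characters only
        // survive while someone is actively typing.
        onTextChanged: if (text.length > 0) inactivityTimer.restart()
    }

    // Rule 1: clear after X seconds of inactivity (X = 30 s assumed here).
    Timer {
        id: inactivityTimer
        interval: 30000
        onTriggered: unlockArea.clearPassword()
    }

    // Rules 2 and 3: clear on VT switch and around suspend/resume
    // (signal names on sessionHooks are hypothetical).
    Connections {
        target: sessionHooks
        function onVtSwitched() { unlockArea.clearPassword() }
        function onPrepareForSleep() { unlockArea.clearPassword() }
    }

    // Plain-Qt fallback: whenever the lock screen stops being the active
    // application (e.g. the compositor handed the VT away), clear as well.
    Connections {
        target: Qt.application
        function onStateChanged() {
            if (Qt.application.state !== Qt.ApplicationActive)
                unlockArea.clearPassword()
        }
    }
}
```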
Comment 10 David Edmundson 2019-12-06 19:39:06 UTC
*** This bug has been marked as a duplicate of bug 412252 ***