I am using:
KDE Plasma Version 5.10.5
KDE Frameworks Version 5.37.0
Qt Version: 5.9.1
When the screen is locked and unsuccessful attempts are made at unlocking with a password, the masking dots can be unmasked to the clear attempt text by clicking the eye button in the right corner of the password field. If the user then deletes the password attempt (and leaves their computer), an attacker is able to restore the deleted password attempt by pressing Ctrl+Z when the focus is on the password field. The restored dots can then be unmasked by pressing the eye button again.
The field history is not conserved (and can't be reversed) when the system is successfully unlocked and re-locked. However, I sometimes find myself distracted and leaving my workplace when unsuccessful in entering my password. An attacker could recover this attempt that will be almost the correct system password, and could try to trace and correct my typo.
It would make sense to deactivate entry history (being able to traverse inputs with Ctrl+Z and Ctrl+Y) for the password field on the lockscreen. I would like to have the option to deactivate the unmasking "eye button" functionality with the other screen locking options.
Practically no-one will type the right password then delete it... and the odds of an attacker stumbling across this at the right time seem incredibly flimsy.
However, an effective fix has been uploaded.
Could you please add the phabricator link?
https://phabricator.kde.org/D9040 was the link. It didn't get in for reasons I don't really agree with, but meh.
I've also tried adding a key handler on the TextField to intercept it before Qt, but that doesn't work as child events (which in QQC1 contain the real TextInput item) will get processed first. The only solution I can think of is a clone of our MouseEventFilter we have in kdeclarative.
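A mitigation sketch, added here as an example and not code from kscreenlocker or the patches linked in this report: a Qt Quick Controls 2 TextField (which is itself the TextInput, so the QQC1 child-event ordering problem described above does not apply) that swallows undo/redo and clipboard shortcuts before the item handles them. Property and signal names are standard Qt; the `revealed` property is an assumption standing in for the lock screen's eye button.

```qml
import QtQuick 2.9
import QtQuick.Controls 2.2

// Added example, not kscreenlocker code. A password field that cannot have a
// cleared attempt restored with Ctrl+Z/Ctrl+Y, and cannot be copied from or
// pasted into once revealed.
TextField {
    id: passwordField
    property bool revealed: false               // assumed: toggled by an "eye" button
    echoMode: revealed ? TextInput.Normal : TextInput.Password
    selectByMouse: false                        // no drag-select to copy from
    persistentSelection: false                  // drop selection on focus loss

    // Keys handlers run before the item's own key handling (Keys.priority
    // defaults to BeforeItem), so accepting the event here stops TextInput
    // from performing the undo/redo or clipboard action.
    Keys.onPressed: {
        if (event.matches(StandardKey.Undo)
                || event.matches(StandardKey.Redo)
                || event.matches(StandardKey.Copy)
                || event.matches(StandardKey.Cut)
                || event.matches(StandardKey.Paste)) {
            event.accepted = true
        }
    }

    // Once the attempt is cleared, go back to masked so a later viewer of the
    // screen sees dots rather than plain text.
    onTextChanged: if (text.length === 0) revealed = false
}
```

Blocking Paste also blocks password-manager style pasting; drop that line if that trade-off is not wanted.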
This issue (Ctrl-Z revealing previous attempts) is still present in kscreenlocker 5.13.4-1 on Arch Linux.
Additionally, the reveal option also introduces another privacy issue: the clipboard contents can be extracted (Ctrl-V) and modified (Ctrl-C) (bug 388049).
Git commit 505ce9929b2f36d8e29330f0accfbb83d654a8cd by David Edmundson.
Committed on 15/01/2020 at 10:43.
Pushed by davidedmundson into branch 'master'.
[sddm-theme] Don't have a broken reveal password button
sddm-greeter will have a button for the reveal password button, but due
to sddm-greeter not loading a relevant QPT has no code to force it to
load the breeze icon set.
Without the breeze icon set, the clear button does not show.
There are ways to solve this, but none are trivial or reliable.
I threatened to do a revert in 5.12 (https://phabricator.kde.org/D9040)
but the bug has still not been fixed since.
Related: bug 396039
Differential Revision: https://phabricator.kde.org/D26675
M +1 -1 sddm-theme/Login.qml
*** Bug 422421 has been marked as a duplicate of this bug. ***
Isn't this a dup of bug #453828?
Yes indeed, thanks.
*** This bug has been marked as a duplicate of bug 453828 ***