In one sentence: When entering a wrong password, it will stay on screen indefinitely after the failed login attempt. The same happens if Enter is not pressed after typing the correct password.

This problem is nearly identical to a problem for SDDM described here: https://github.com/sddm/sddm/issues/1199

= Scenario =

-- password isn't deleted --

The user leaves their PC after a failed login attempt (e.g. because they just realized it's lunchtime and another login attempt would be useless, or because the fire alarm strikes). A local attacker now has the chance to look at the screen. They will not just see the length of the password (number of asterisks), they will also see the typed text by clicking the eye icon beside the password field. Assuming the user just made a minor typo (e.g. forgot to press Shift for the correct letter), I consider this a security problem.

Example:
User typed: MyDogiscalledjohn
Real password, which can be easily guessed: MyDogiscalledJohn

-- undo/redo issue --

Even if the user knows about this problem and deletes the password (Backspace or Del key), the attacker can simply press Ctrl-Z to restore the password. The only way for the user to securely wipe the password from the screen is to either log in correctly and lock the screen again, or to press Ctrl-Z to drop the undo stack and enter a dummy text to also drop the redo stack.

-- comparison with unlocked screen --

You could try to compare this scenario with an unlocked screen. This is also a problematic situation, but there are two aspects which make it less critical:
- An attacker can't see the user's password.
- The screen will lock after the configured time.

The login/lock screen doesn't even delete the password after some time (compared to the screen lock timeout). I guess for the login screen there isn't even an applicable timeout setting, because the lock setting is per user and not system wide.

= Mitigations =

Deleting the password immediately probably isn't very handy for the user. Having the possibility to see a mistyped password to correct it, by clicking the eye icon after a failed attempt, is probably very useful. But I suggest the following mitigations:
- Disabling undo/redo in password fields.
- Deleting passwords from password fields after $time (independently of whether the user pressed Enter or just left the PC after typing something). $time may be:
  - A hard-coded value, e.g. 60 seconds.
  - For the lock screen it might also be the configured time to lock after inactivity. But I don't like this choice, because users may set too long a time for this (e.g. 5 minutes) so that their screen doesn't lock too fast.
  - A new setting, which could be system wide (for the login screen) and per user (for the lock screen).

-- further thoughts --

Those mitigations might be a good default for all password widgets in KDE/Qt. Password fields in all scenarios should probably not offer the possibility to read their contents for an infinite time.
Deleting the text after a certain period of time doesn't seem unreasonable, but it isn't exactly a complete fix. Not having a button show the password would fix this, but I imagine some people like that button.
*** Bug 374074 has been marked as a duplicate of this bug. ***
(In reply to Nate Graham from comment #1)
> Deleting the text after a certain period of time doesn't seem unreasonable,
> but it isn't exactly a complete fix.
>
> Not having a button show the password would fix this, but I imagine some
> people like that button.

Exactly what I think. And disabling the undo feature should be without significant disadvantages.
Maybe it would be a good idea to expose this to the user:
- A setting whether to enable the "show password" button
- A setting whether to clear failed passwords immediately after pressing Enter
- A setting for the timeout after which inputted passwords (without Enter) are cleared

You could also add a warning about the security implications of their settings.
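Added example, not code from Plasma or from anyone in this thread: a Qt Quick password field that applies the mitigations from the bug description (undo/redo shortcuts blocked, text wiped after a timeout or after a failed attempt) and exposes the three settings proposed in the comment above as properties. The property and signal names (`clearTimeoutMs`, `passwordEntered`, `authenticationFailed`), the 60-second default and the Show/Hide button are assumptions made for this example; a real lock screen would connect `passwordEntered` to its authenticator and emit `authenticationFailed` when the check is rejected.

```qml
import QtQuick 2.15
import QtQuick.Controls 2.15

// Added example (not Plasma's own code): a password field with undo/redo
// blocked, a wipe timer, and the three settings from the thread as properties.
Item {
    id: root
    width: 360
    height: 60

    // Settings proposed in the thread. A system-wide (login screen) or
    // per-user (lock screen) configuration would set these.
    property bool showPasswordButton: true      // whether the "eye" toggle exists at all
    property bool clearOnFailedAttempt: true    // wipe immediately after a rejected password
    property int clearTimeoutMs: 60 * 1000      // $time for text left in the field without Enter

    // Hypothetical hooks: the host hands the password to its authenticator
    // on passwordEntered and emits authenticationFailed when it is rejected.
    signal passwordEntered(string password)
    signal authenticationFailed()

    // Assigning the text property (rather than calling clear()) resets
    // TextInput's undo history; the key handler below is the second line of
    // defence against Ctrl-Z. The field is always re-masked when wiped.
    function wipePassword() {
        clearTimer.stop()
        passwordField.text = ""
        passwordField.echoMode = TextInput.Password
    }

    onAuthenticationFailed: if (clearOnFailedAttempt) wipePassword()

    Row {
        anchors.centerIn: parent
        spacing: 6

        TextField {
            id: passwordField
            width: 260
            echoMode: TextInput.Password
            placeholderText: "Password"

            // Mitigation: swallow the platform's undo/redo shortcuts so a
            // deleted password cannot be restored. Keys.priority defaults to
            // BeforeItem, so accepting the event stops TextInput from
            // handling it.
            Keys.onPressed: function(event) {
                if (event.matches(StandardKey.Undo) || event.matches(StandardKey.Redo))
                    event.accepted = true
            }

            // Mitigation: (re)start the wipe timer on every keystroke, so text
            // left on screen is cleared clearTimeoutMs after the last edit,
            // whether or not Enter was ever pressed.
            onTextChanged: {
                if (text.length > 0)
                    clearTimer.restart()
                else
                    clearTimer.stop()
            }

            onAccepted: root.passwordEntered(text)
        }

        // The "eye" button only exists when the setting allows it, and can
        // only reveal text that the timer has not yet wiped.
        ToolButton {
            visible: root.showPasswordButton
            text: passwordField.echoMode === TextInput.Password ? "Show" : "Hide"
            onClicked: passwordField.echoMode =
                (passwordField.echoMode === TextInput.Password)
                    ? TextInput.Normal : TextInput.Password
        }
    }

    // Single-shot timer restarted by onTextChanged; fires $time after the
    // last keystroke and wipes whatever is still in the field.
    Timer {
        id: clearTimer
        interval: root.clearTimeoutMs
        repeat: false
        onTriggered: root.wipePassword()
    }
}
```

The key handler is what closes the undo hole described in the report: it stops the shortcut before TextInput sees it, so pressing Ctrl-Z after the user (or the timer) emptied the field has nothing to restore. Setting `clearOnFailedAttempt` to false keeps the reporter's convenience case (correcting a typo via the eye button after a failed attempt) while the timer still bounds how long the text stays readable.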
Working on this.
Git commit b3030730d816631e6fd5a45f1c597ab07c073b52 by Nate Graham.
Committed on 08/06/2020 at 16:52.
Pushed by ngraham into branch 'master'.

[Lock screen] Make clearPassword() do what it says and then use it

Right now the clearPassword() signal does not actually clear the password; it only selects all text. This is a violation of its name as well as being pointless since there's no longer a way to see the unmasked text, which means you always need to re-enter the whole password anyway.

FIXED-IN: 5.20

M  +2    -2    lookandfeel/contents/lockscreen/LockScreenUi.qml
M  +1    -1    lookandfeel/contents/lockscreen/MainBlock.qml

https://invent.kde.org/plasma/plasma-workspace/commit/b3030730d816631e6fd5a45f1c597ab07c073b52
Not actually fully fixed yet. But it will be fixed by https://invent.kde.org/plasma/plasma-workspace/-/merge_requests/46
https://invent.kde.org/plasma/plasma-workspace/-/merge_requests/63
This has been done for 5.20.