SUMMARY
Security issue on login screen, where a 3rd party can see previous attempts of user provided password

STEPS TO REPRODUCE
1. Enter password (intentionally make a typo), submit, making it invalid
2. Delete a few characters using backspace, submit, making it invalid
3. Now, delete the whole password, submit, making it invalid

OBSERVED RESULT
Let's say you've connected to your workstation remotely over Teamviewer, and in the midst of invalid tries, your internet connection breaks and you (albeit temporarily) lose access to your workstation. Someone who has physical access to your machine comes, ticks the 'eye' icon on the login input, and by hitting CTRL+Z multiple times sees all your login attempts, easily figuring typos and gaining access to the system (also now knowing your root password). Even if you didn't connect remotely, after a few invalid logins you walk away from the workstation, the same could happen. Only way to remove "password history" is to successfully log in and then log back out.

EXPECTED RESULT
After invalid login attempt, the password should be blank, or 'password reveal' functionality should be disabled.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma:
KDE Plasma Version: 5.18.5
KDE Frameworks Version: 5.70.0
Qt Version: 5.14.2

*** This bug has been marked as a duplicate of bug 387418 ***
*** This bug has been marked as a duplicate of bug 453828 ***