Bug 422421 - previous password attempts easily seen by 3rd party
Summary: previous password attempts easily seen by 3rd party
Status: RESOLVED DUPLICATE of bug 453828
Alias: None
Product: kscreenlocker
Classification: Plasma
Component: general (show other bugs)
Version: unspecified
Platform: Neon Linux
: NOR critical
Target Milestone: ---
Assignee: Plasma Bugs List
Depends on:
Reported: 2020-06-03 13:43 UTC by Matija
Modified: 2022-06-12 14:09 UTC (History)
2 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Note You need to log in before you can comment on or make changes to this bug.
Description Matija 2020-06-03 13:43:22 UTC
Security issue on login screen, where a 3rd party can see previous attempts of user provided password

1. Enter password (intentionally make a typo), submit, making it invalid
2. Delete a few characters using backspace, submit, making it invalid
3. Now, delete the whole password, submit, making it invalid

Let's say you've connected to your workstation remotely over Teamviewer, 
and in the midst of invalid tries, your internet connection breaks and you 
(albeit temporarily) lose access to your workstation.

Someone who has physical access to your machine, comes, tickes the 'eye' icon on the login input,
and by hitting CTRL+Z multiple times sees all your login attempts, easily figuring typos and gaining access to 
the system (also now knowing your root password).

Even if you didn't connect remotely, after a few invalid logins you walk away from the workstation,
the same could happen.

Only way to remove "password history" is to successfully login and then log back out.

After invalid login attempt, the password should be blank, or 'password reveal' functionality should be disabled.

Linux/KDE Plasma: 
KDE Plasma Version: 5.18.5
KDE Frameworks Version: 5.70.0
Qt Version: 5.14.2
Comment 1 Nate Graham 2020-06-03 14:16:24 UTC

*** This bug has been marked as a duplicate of bug 387418 ***
Comment 2 Nate Graham 2022-06-12 14:09:46 UTC

*** This bug has been marked as a duplicate of bug 453828 ***