SUMMARY *** When pressing "escape" to reset the lock screen, it clears any entered password text. However, the visibility state does not get reset. This can lead to users getting tricked into revealing their password. *** STEPS TO REPRODUCE 1. Lock your screen 2. Put text in the password box 3. Click on the password visibility toggle 4. Press "escape" (or wait until screen times out?) 5. Come back to type text in the password box OBSERVED RESULT The visibility state does not get reset at the same time as the password box text gets reset. EXPECTED RESULT The visibility state gets reset to not show typed characters. SOFTWARE/OS VERSIONS Linux/KDE Plasma: Fedora KDE (available in About System) KDE Plasma Version: 5.23.4 KDE Frameworks Version: 5.89.0 Qt Version: 5.15.2 ADDITIONAL INFORMATION I wouldn't call this a "bug". More along the lines of a possible improvement to be made to improve security. If a workstation is left unattended, and somebody toggles the text visibility, it's easy to type in your password without noticing it will be showed to any prying eyes. (colleagues, etc...) Thanks in advance,
Probably easiest to just remove this button since the Login Screen UI already did. It would fix this automatically.
(In reply to Nate Graham from comment #1) > Probably easiest to just remove this button since the Login Screen UI > already did. It would fix this automatically. Thanks
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-workspace/-/merge_requests/2814
Git commit fd7d32aefe9b421dc57fe34b681d437d7c73ad34 by Nate Graham. Committed on 26/04/2023 at 19:18. Pushed by ngraham into branch 'master'. Reset "show password" status on lock and login screens when fading in Otherwise, if the user earlier turned on the "show password" feature and then forgot about it and let the UI fade out, when it fades back in and they start typing their password again, it will be entered in the clear. FIXED-IN; 5.27.5 M +1 -0 lookandfeel/org.kde.breeze/contents/lockscreen/LockScreenUi.qml M +1 -0 lookandfeel/sddm-theme/Main.qml https://invent.kde.org/plasma/plasma-workspace/commit/fd7d32aefe9b421dc57fe34b681d437d7c73ad34
Git commit 00576ef1499a319791b217fedd234f2ed6e92ed8 by Nate Graham. Committed on 26/04/2023 at 19:20. Pushed by ngraham into branch 'Plasma/5.27'. Reset "show password" status on lock and login screens when fading in Otherwise, if the user earlier turned on the "show password" feature and then forgot about it and let the UI fade out, when it fades back in and they start typing their password again, it will be entered in the clear. FIXED-IN; 5.27.5 (cherry picked from commit fd7d32aefe9b421dc57fe34b681d437d7c73ad34) M +1 -0 lookandfeel/org.kde.breeze/contents/lockscreen/LockScreenUi.qml M +1 -0 lookandfeel/sddm-theme/Main.qml https://invent.kde.org/plasma/plasma-workspace/commit/00576ef1499a319791b217fedd234f2ed6e92ed8
Git commit bfb048a5412d4a58839de361889717a4d97d4180 by Marco Martin, on behalf of Nate Graham. Committed on 05/04/2024 at 11:25. Pushed by mart into branch 'master'. Reset "show password" status on lock and login screens when fading in Otherwise, if the user earlier turned on the "show password" feature and then forgot about it and let the UI fade out, when it fades back in and they start typing their password again, it will be entered in the clear. FIXED-IN; 5.27.5 M +1 -0 Main.qml https://invent.kde.org/plasma/plasma-desktop/-/commit/bfb048a5412d4a58839de361889717a4d97d4180