-2

In Ubuntu (maybe other distros too) terminals it appears that password echoing gets enabled between failed password prompts, revealing whatever is being typed (most probably the password).

I encountered this issue where my password became visible in plaintext on the terminal when hitting Enter by accident before starting to type the password.

Steps to Reproduce:

  1. Execute a command that requires a password, e.g. sudo ls.
  2. When prompted for the password, hit Enter before typing anything, then immediately start typing the password.
  3. While the system validates the empty password, the keyboard input becomes visible, revealing your password.
  4. By the time you hit Enter again, the system has already rejected the empty password and successfully validates the new one, leading to a correct execution.

Expected Behavior:

When prompted for a password, the system should disable input echoing until the password is correctly validated, all the attempts have failed, or the operation has been canceled.

18
  • 3
    What you're seeing is expected behavior. Echo is turned off only while reading the password. When you pressed Enter, you ended password entry, at which time echo was re-enabled. Commented Apr 14 at 14:53
  • 5
    I’m voting to close this question because this appears to be a bug report, not a question. Commented Apr 14 at 15:08
  • 2
    For Ubuntu, bug reports go to launchpad.net. Commented Apr 14 at 15:13
  • 1
    Just a side note: "While the system validates the empty password" - those few seconds are obviously not needed to check whether the password is correct (and if so, it would also be needed for correct passwords). Checking if your password is correct is almost instantaneous. That delay there is intentional to prevent too many attempts in quick succession, and to force you to take a bit of a break, cool down, don't rush to type your password again immediately. Commented Apr 14 at 17:58
  • 3
    You are typing your password at a time when the program is not asking for it. It's echoed back. I don't consider it a bug, I consider it irresponsible user behavior. YMMV. Commented Apr 14 at 18:00

1 Answer

6

When prompted for the password, hit Enter before typing anything, then immediately start typing the password

This is the cause of the issue. You entered nothing (i.e. a blank password) for the prompt. The system had disabled echo to receive your input, but as soon as it had accepted your input it then re-enabled echo. During the delay while it went off to check your password was wrong, you typed your password in again. Echoing had been re-enabled, so the typeahead text was echoed to the screen.

It's certainly not a feature but I'd hesitate to call it a bug. You could try reporting it upstream though, and for a security issue I'd tend to side with you in that it's unexpected behaviour.

For now the simple answer is not to preempt password prompts.
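
The behaviour this answer describes, reproduced on a pseudo-terminal as an added example (not code from the post, and not sudo's or PAM's implementation). With `keep_echo_off=False`, `ask` restores echo after each read, so type-ahead during the failure delay is echoed; with `keep_echo_off=True` it holds echo off across retries, as the question expected. All function names and the sample password are constructed for illustration.

```python
import os, select, termios

def set_echo(fd, on):
    """Set or clear ECHO. TCSANOW keeps type-ahead; TCSAFLUSH would discard it."""
    attrs = termios.tcgetattr(fd)
    attrs[3] = attrs[3] | termios.ECHO if on else attrs[3] & ~termios.ECHO
    termios.tcsetattr(fd, termios.TCSANOW, attrs)

def ask(fd, check, delay, keep_echo_off, attempts=3):
    """Read up to `attempts` passwords from tty `fd`; run `delay` after a failure."""
    saved = termios.tcgetattr(fd)
    if keep_echo_off:
        set_echo(fd, False)              # off once, for the whole dialogue
    try:
        for _ in range(attempts):
            if not keep_echo_off:
                set_echo(fd, False)      # off only while reading the line ...
            line = os.read(fd, 1024).rstrip(b"\n")
            if not keep_echo_off:
                set_echo(fd, True)       # ... and back on before validation
            if check(line):
                return True
            delay()                      # failure delay: type-ahead arrives here
        return False
    finally:
        termios.tcsetattr(fd, termios.TCSANOW, saved)

def demo(keep_echo_off, secret=b"hunter2"):      # constructed sample password
    """Return (accepted, leaked): was the typed-ahead secret echoed to the screen?"""
    master, slave = os.openpty()         # master = user's screen and keyboard
    screen = b""
    def drain(timeout):
        nonlocal screen
        while select.select([master], [], [], timeout)[0]:
            screen += os.read(master, 1024)
    def user_types_ahead():              # stands in for the real sleep
        os.write(master, secret + b"\n")
        drain(0.5)
    os.write(master, b"\n")              # accidental Enter at the first prompt
    try:
        return ask(slave, lambda p: p == secret, user_types_ahead,
                   keep_echo_off), secret in screen
    finally:
        os.close(master); os.close(slave)

if __name__ == "__main__":
    print("echo off per read:   ", demo(False))
    print("echo off throughout: ", demo(True))
```

In both modes the typed-ahead password is accepted on the second attempt; only the per-read mode shows it on the screen.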
