The number of times I've been stuck wondering if my keystrokes are registering properly for a sudo prompt over a high latency ssh connection.

These servers I had an account setup too were, from what I observed, partially linked with the authentication mechanism used by the VPN and IAM services. Like they'd have this mandatory password reset process and sometimes sudo was set to that new password, other times it was whatever was the old one. Couple that with the high latency connection and password authentication was horrible. You would never know if you mistyped something, or the password itself was incorrect or the password you pasted went through or got double pasted.

I think this is a great addition, but only if it leads to redhat adopting it which is what they were running on their VMs.

Around 2004 someone gave me Linux CDs (I think it was mandrake?) that I tried to install. And I got stuck at the password input part of the setup, I thought it didn’t work and went back to windows. I didn’t start using Linux until 13 years later… I think I’d have switched much earlier if not for that weird UI decision.

This decision long predates Linux. It's been a staple back to the earliest days of Unix; and it isn't a weird decision if you take into consideration of multi user systems in office environments that have non trivial security considerations (for example telecoms companies), which is exactly where Unix came from.

Well, if leaking the length of the password is such a big deal, why not just use a reasonably long password?

Moreover, if someone can see the number of asterisks on the screen, what prevents them from seeing the actual keys that are being pressed?

Again looking back at the history of Unix, it used a 56 bit variant of DES encryption that used the user's password as the key. So only the first 8 characters of the password were used and the rest was silently unused, for example "password" and "password123" would have been the same password on early Unix. And although most BSDs and Linuxes moved in the mid 90s to PAM (and hence md5, etc) most SVR4s didn't move until late in the 90s. And at the other end, DES crypt() made its way into Unix in some v6s (~1977) and became widely available in the release of v7 Unix. So 8 character passwords were a thing for about 20 years.

I liked how the IBM Lotus suite hid password input behind a randomly-generated number of asterisks per key press.

Or listening to the number of keystrokes (although you can add random characters and then backspace to help mitigate this).

Video cameras are a thing too

It was directly a result of some of the choices made by Bell and plausibly Teletype.

Early switching computer systems that had user accounts at Bell also didn't echo back for passwords as some terminals were mixed-duplex, from what I've gleaned in the very odd corners of ESS systems. I suspect the idea is that the model they were working from were touchtone telephones and rotary phones, so numeric passcodes were the standard, and you heard & saw those already? Less noise on paper tapes? The possible list of options goes on and on.

Bell Labs was... Different than your average office or telco environment, I should add.

But that's a swag at best today, without knowing the people that worked on it.

It was also a time when not every employee had their own computer. It was very normal for pairs or groups of people to all huddle around a machine while working through a problem. It was also common to have someone behind you waiting for their "turn" to use the machine for their project.

The number of times i realized half way that I probably posted the wrong password and so I vigorously type the 'delete' key to reset the input is too damn high

Just type Control-U once.

The Just in that sentence is wholly unjustified. There are plenty of cli/tui/console/shell shortcuts that are incredibly useful, yet they are wholly undiscoverable and do not work cross-platform, e.g. shell motions between macOS and reasonable OSes.

> shell motions between macOS and reasonable OSes

All the movement commands I know work the same in the terminal on a default install of macOS as it does in the terminal on various Linux distros I use.

Ctrl+A to go to beginning of line

Ctrl+E to go to end of line

Esc, B to jump cursor one word backwards

Esc, F to jump cursor one word forward

Ctrl+W to delete backwards until beginning of word

And so on

Both in current versions of macOS where zsh is the default shell, and in older versions of macOS where bash was the default shell.

Am I misunderstanding what you are referring to by shell motions?

These are emacs bindings of yore. On macOS and some Linux DEs they also work in UI text fields :)

Yea, but ctrl + arrows to move cursor between ‘words’ don’t work, especially sad when SSH’ing in from linux. It works fine when using terminal on macOS - you just use command + arrows.

What happens when you press home or end?

In iTerm at least it goes to the beginning or end of current line.

The number of times I’ve attempted to use Ctrl-U in a Python shell only to discover it doesn’t work…

Haven't seen this - shouldn't this always work on unixy platforms? If using readline/editline it works, and if built without it also works.

It’s an internal, custom, vaguely UNIX-like shell in Windows. Typically I’m running Python from bash; Ctrl-U works under bash, but not Python.

> e.g. shell motions between macOS and reasonable OSes.

I forgot about this since I started NixOS/home-manager everywhere.

That's great. I've been using terminals for 20+ years, and never new about CTRL-U. Thanks! TIL.

It's built into the Unix terminal driver. Control-U is the default, but it can be changed with e.g. "stty kill". Libraries like readline also support it.

I only know this because of xkcd

The number of times I've posted my sudo password in a random slack channel instead of my terminal is not very high, but too damn high nonetheless

I have had a similar issue where I thought my computer went to sleep so I start typing my password while the monitor wakes up only to realize that it was only the screen that turned off and the computer was already unlocked so when I hit enter the password was sent into a slack thread or dm instead

Start your password with a forward slash :)

The trick is to use a plausible Slack message as your sudo password :)

“I quit!” Even includes a special character

"I, uhh, need your thoughts." should have fewer consequences AND be more secure.

Did you just type in your password on HN?

Get out of my head, lol :)

But yeh, never thought this was a problem anyone else delt with. My passwords are all a variant of my on "master password" and sometimes forget which session I'm in so trying to save keystrokes, count backward to where I think the cursor should be.

Had problems with faulty keyboards in the past too, never to be sure which keys were I pressed I had to type the password in a text file (much more insecure) and then paste it on the prompt. Of course this was never done in front of anyone, shoulder surfing was never an issue to begin with.

I agree that this move is good.

But you should not type sudo passwords on remote machine. Instead setup your machinr to have nopassword for special sdmin account and enable pubkey only authentication.

Yeah but am I going to really open another ssh connection just to run an admin specific command. They also didn't provide an admin user, it setup with all of the extra security configurations. You couldn't even `su`

I mean nopasswd option of sudo

Why is it better to have a nopassword admin account when using a machine remotely? The point of SSH is to resist mitm attacks, right? If someone could watch my keystrokes, I think I'd have bigger problems!

This resists scenarios where the machine you are running SSH from is compromised, and has a keylogger or something similar installed. SSH can't protect you from a local attacker (in fact, the SSH client binary itself could be the compromised part).

Yes, but if the server you’re logging into only accepts keys then leaking its password isn’t nearly as bad. Though I guess if your local ssh client is compromised then your local private keys are also compromised so you’d be screwed anyway (unless you are using a yubikey type of thing—I should get me one of those).

If I own both machines this doesn't seem entirely reasonable. (Of course a machine I own could be compromised but again, then I have other problems.)

Real men rawdog with root.

With sudo you can also give people specific access to commands.

I personally use the pam ssh agent module for this, that way you can use agent forwarding with sudo.

I did mean nopasswd option of sudo.

>a sudo prompt over a high latency ssh connection

i feel this in my bones.

does anybody know what level this change happens on? is this change going to affect ubuntu desktop users on any system they ssh into, or will it affect all users of a ubuntu server who have ssh'd in?

It's the sudo binary installed on the host -- if you're SSH'd to a 26.04 host, you'll see stars; if you're running 26.04 and SSH to a different OS, you won't (unless the remote system is also 26.04 or otherwise using rs-sudo)

I wonder if it'll stick though? Some years ago FreeBSD changed their setup so the initial password you set on install was echoed back to you so you could verify that the thing that'll completely lock you out of the system if you get it wrong is correctly set up. The response was total hysteria. Apparently people were setting up their 1U rack-mount servers while riding the No.8 bus and were worried other passengers were looking over their shoulders while they typed in the password. So they backed out of the change after being buried in a mountain of complaints.

One thing people are really, really good at is detecting others near them, because it was essential for not getting eaten back in the day. So the chances of (a) someone wanting to shoulder-surf (b) being close enough to do so and (c) getting away with it are essentially zero. It was a security measure that made sense in 1973 when you were on a model 33 leaving a printed record in a machine room with a dozen other people, but has been completely nonsensical for several decades.

Which is probably why it invokes so much irrational religious fervor.

Did that echo the password back on the screen or just asterisks?

You can tell if you input something or not, based on the blinking cursor, in which case it is not "frozen".

Unless you disable cursor blinking because you find it annoying (like I do).

Yeah, disabling cursor blinking is the first configuration I do in any terminal.

I mean a trivial solution to all of these work around a could have been each keystroke registers a single asterisk that goes away after a delay. You wouldn't reveal the length and you'd had a standard way of informing the user that their keystroke was registered.

It doesn’t tell you if backspace works, however.

I mostly use Mosh for that.

You could have avoided the worry completely. Ssh goes over tcp that does transport control (literally the “tc” in “tcp”) and this includes retransmission in case of packet loss.

If you are on a high latency ssh connection and your password does not register, you most likely mistyped it.

I am aware of that but you forgot the other conditions. Keys sometimes don't register, I'm not sure why but I do experience missing keystrokes.

The passwords get updated irregularly with the org IAM so you aren't sure what the password even is. Pasting doesn't work reliably sometimes, if you're on windows you need to right click to paste in terminals, sometimes a shortcut works. Neither gives me any feedback as to what event was ever registered though.

Yea, add a VNC jump host and a flaky spice based terminal and there are a bunch of things that can make your input not register properly.

Somebody tell Apple to fix the login screen for MacOS as well. If your password is longer than the incredibly narrow box, you do not get any additional feedback that your characters are being entered.

Combine that with a flaky keyboard (say from a single grain of dust where it shouldn’t be) and you get a very annoying login experience. Over and over…

Oh my God, the MacOS login screen..

If you have Capslock set to change your keyboard language, and your computer locks with Capslock enabled, you literally can't type lowercase letters of your password. Capslock doesn't work, shift doesn't make it go lowercase - you literally just have to reboot to get back in.

That must be something you have changed, because if I have capslock enabled, it shows the capslock icon in the input field and the key is pressable to disable it for me.

> If you have CapsLock set to change your keyboard language

Yes

Could be an external keyboard state thing.

> If you have Capslock set to change your keyboard language, and your computer locks with Capslock enabled

How would your computer lock with capslock enabled? I.e. if capslock on that computer is set to change keyboard language?

Maybe they're saying the key rebound to serve as capslock doesn't work on the lock screen?

I felt this pain yesterday.

I use Open Core Legacy Patcher (OCLP) to run modern macOS on old Intel macs. The first time the computer boots after an upgrade (e.g. Sequoia 15.7.3 to 15.7.4), it is slow as a dog. Because the macOS upgrade clobbers all the OCLP driver patches.

By "slow", I mean each keystroke on the login screen takes about 20-30 seconds for the corresponding bullet to appear in the password box.

The login screen displays 13 bullets. My password is 18 characters long. (Scammers, don't get excited, it's a unique password that's not used anywhere else on the Internet...) So after 13 characters, I had no idea if the computer was actually working.

It seemed like there is a 6-8 character keyboard buffer limit. Or maybe I typed in my 18-character password wrong multiple times. I don't know. I would type 2 characters, then walk away, come back, then type 2-3 more characters. It took me about 4-5 attempts over 30 minutes to log in. Then I applied the OCLP patches and everything worked perfectly after that.

That's exactly the situation I wanted to avoid with our aging macbook. I knew it would be a hacky mess trying to keep beating that dead horse to get it to run the latest OS. We couldn't update some software that required us to be on the latest version of MacOS (Signal desktop), so the laptop became prematurely obsolete. We bought a Windows PC instead.

OCLP works fine.

What? Flaky keyboard? Speck of dust? Are we still doing this? Are you genuinely still using an Intel Mac? Christ.

I'd be even happier if everyone adopted the old school Lotus 1-2-3 password behavior.

I was much too young to use it myself, but I saw other people log in and it was amazing.

The glyphs denoting hidden password characters changed on every keystroke to indicate you were typing. And IIRC, they were cool characters like Egyptian hieroglyphs too. (Presumably this wasn't some hash of your actual password - that would actually be dumb. I do think it indicated password length, which could give away info, but it's also useful for the user.)

Edit: this is not exactly as I remember, but it might be the same system: https://security.stackexchange.com/questions/41247/changing-...

If that's how it was implemented, then that's not great.

You're thinking of Lotus Notes, a completely different product.

IIRC, originally it echoed one glyph per character typed, but later it definitely echoed 1 to 3 glyphs at random so it wouldn't leak your password length.

The password thing was pretty cool, but it's literally the only good thing about Lotus Notes, which was the most archaic and primitive piece of commercial GUI software I've ever used in 45 years of software experience. I last used it in 2003, and even then its UI was so archaic, it didn't adhere to behaviors (like keybindings, and other basic UI elements) that had been standard since the 80s.

Absolute garbage software.

Recent article: https://news.ycombinator.com/item?id=47385439

Take in this horror: the F500 i got my first job at was using Notes until 2021

Perhaps you'd enjoy something like the xsecurelock prompts? https://github.com/google/xsecurelock

You can opt-in for a "no visual echo" of any character (asterisk or not) for password prompts:

----

For KDE:

    sudo vim /etc/sddm.conf.d/hide-password.conf

insert in:

    [Greeter]
    ShowPasswordEcho=false

then reboot.

----

For `sudo`:

    sudo vim /etc/sudoers.d/password-no-visual-echo

Insert/replace `Defaults` with:

    Defaults !pwfeedback

----

For GNOME, you have to modify `unlockDialog.js`

    sudo vim /usr/share/gnome-shell/js/ui/unlockDialog.js

And do one of the following (version-specific):

    this._passwordEntry.clutter_text.set_password_char('');

or in newer version, replace `echo_char` with `null`. Reboot required.

Or just replace sudo-rs with sudo.

Opinionated security tools maintainers rarely get it right.

Can I change my password char to an emoji?

Only with GNOME

The "cinfiguration" for GNOME actually modifies the source code, so if that's the bar, you can do it everywhere. :)

In that case, I'll make mine echo a random number of characters pee key stroke. The feedback is nice but then there are no worries about someone observing password length.

I mean, Gnome being in JavaScript makes it easier

Someone should make a joke version that replaces the ***s with comedic passwords or ridiculously bad ones: When you're typing your real password, "iloveyouiloveyou", "12345612345", or "hunter42hunter.." gets printed to the screen.

Do like Lotus Notes did and have it update a row of literal hieroglyphics on every keystroke.

This made me think, it seems like there used to be a lot more whimsy in computing. I'd love to see more of that.

Whimsy, and character.

Used to be that everything was trying to look different. Now it seems like everything is trying to look the same.

On the contrary, this discussion is how there was no character when you were typing your sudo password in in the olde times, and now there is a full asterisk per every password symbol you put in!

1) It definitely feels like we're out of Cambrian explosion period of experimentation

2) It's amazing the amount of (pseudo-) nostalgia that millenials, gen-Z and younger have for 90s-2010s computer aesthetic. The Amazing Digital Circus comes to mind for example

While I support this for the humour factor, it does make it much easier for a shoulder surfer to count characters, for whatever that's worth.

I would absolutely install this.

This is such a good decision. It's one of those things that's incredibly confusing initially, but you get so used to it over the years, I even forgot it was a quirk.

In the modern world there is no plausible scenario where this would compromise a password that wouldn't otherwise also be compromised with equivalent effort.

I also think it is a good decision. Nevertheless it breaks the workflow of at least one person. My father's Linux password is one character. I didn't knew this when I supported him over screen sharing methods, because I couldn't see it. He told me, so now I know. But the silent prompt protected that fact. It is still a good decision, an one character password is useless from a security standpoint.

If it breaks the workflow of one person but makes it better for many more, it's likely a worthwhile tradeoff.

Just add an option to let holding space keep my feet warm. It only needs a few extra lines that won't change.

This has always been an option and your dad can just flip the default back to not show it

How much would unknown password length protect against bruteforcing a 1 character password?

> It is still a good decision, an one character password is useless from a security standpoint.

Only if length is known. Which is true now. So it opens the gates to try passwords of specific known length.

If you are brute forcing passwords, knowing the length only reduces the number of passwords to try by like 1 hundredth.

Drats, you're right. I thought it'd be worse, but the ratio seems to only depend on the number of letters in your character set: 1/count(letters in alphabet).

For ascii at 95 printable chars you get 0.9894736842. Makes intuitive sense as the "weight" of each digit increases, taking away a digit matters less to the total combos.

Maybe I'll start using one Japanese Kanji to confuse would be hackers! They could spend hours trying to brute force it while wondering why they can't crack my one letter password they saw in my terminal prompt. ;)

I’ve occasionally contemplated using some non-ASCII character like • or š in a password, but have backed off for fear of needing access from a device that doesn’t support input of those characters.

Its funny how a single japanese symbol would be harder to crack than the anglicized name for it

Do we know if the asterisks count Unicode code points rather than bytes?

Doesn't really matter, the IME shows the input until you confirm which kanji you want.

When the IME inserts the character, it'll be made up of multiple bytes because of the nature of UTF-8, so it may appear as multiple asterisks regardless.

It also give you the possibility of filtering out which ones are worth cracking and which ones not

It could also give useful priors for targeted attacks, "Their password is 5 characters, and their daughters name is also 5 characters, let's try variations of that".

Maybe this is far fetched, but you could get an LLM-based auto-research system to extract these potential relationships

Some system accessible to hackers who can see the length of the password /and/ having a single 5 char password has a security of a key under a doormat.

I may or may not use a single char password on a certain machine. This char may or may not be a single space. It may or may not be used in FDE. It's surprising what (OS installers) this breaks.

Yes… We're in the same room as the target… Let's look at their screen and see how long their password is.

Or, we could just look at the keyboard as they type and gain a lot more information.

In an absolute sense not showing anything is safer. But it never really matters and just acts as a paper cut for all.

And just sticking to counting, a not exceptionally well-trained ear could already count how many letters you typed and if you pressed backspace (at least with the double-width backspace, sound is definitely different)

Yeah I recall that there was an attack researchers demonstrated years back of using recordings of typing with an AI model to predict the typed text with some accuracy. Something to do with the timings of letter pairings, among other things.

93% - 95% accuracy and it wasn't even a good quality recording

> When trained on keystrokes recorded by a nearby phone, the classifier achieved an accuracy of 95%, the highest accuracy seen without the use of a language model. When trained on keystrokes recorded using the video-conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium.

https://arxiv.org/abs/2308.01074

Notably, I believe this has to be tuned to each specific environment. The acoustics of your keyboard are going to be different from mine. Which is not much of a barrier, given a long enough session where you can presumably record them typing non password-y things.

"Let's look at their screen and see how long their password is." This article is about silent sudo.

Have you ever watched a fast touch typist, someone that does over 100 words per minute? Someone who might be using an keyboard layout that you're not familiar with? When the full password is entered in less than a second it can be very difficult to discern what they typed unless you're actually recording with video.

But sure, if you're watching someone who types with one finger. Yes, I can see that.

How is learning only the length of the password better than watching someone type it?

Besides, observe that several times and you might get close. Look at the stars several times and learn nothing beyond what you learned the first time.

This whole type of attack hinges on the user using weak passwords with predictable elements in any case.

I tend to agree, and I work in security.

In the early days we all shared computers. People would often stand behind you waiting to use it. It might even not have a screen, just a teletype, so there would be a hard copy of everything you entered. We probably didn't have account lockout controls either. Knowing the length of a password (which did not tend to be long) could be a critical bit of info to reduce a brute force attack.

Nowadays, not so much I think. And if you are paranoid about it, you can still set it back to the silent behaviour.

On the other hand streaming is way, way more common nowadays.

> In the modern world there is no plausible scenario where this would compromise a password that wouldn't otherwise also be compromised with equivalent effort.

Not sure about that. I'm no expert but for high risk scenarios one might have to worry about binoculars from the building opposite your window, power line monitoring, and timing attacks. All scenarios where the attacker cannot see your hands/keyboard.

I like the idea of showing keystrokes, but I think that a 1:1 entry has arguably better alternatives.

The default entry on xsecurelock[^0] shows a character jumping on a line between keystrokes, which works well on giving key press feedback while visibly obfuscating password length,

    ________|_______________________    // after pressing a key it'd move around,
    ___________________|____________

Also, for anyone looking into preserving this last resort obfuscation behaviour you can do it with,

    # /etc/sudoers
    Defaults !pwfeedback

On NixOS (using sudo-rs),

    security.sudo-rs.extraConfig = ''
      # NixOS extraConfig
      # ===========
      Defaults !pwfeedback
    '';

I've got to say, if you were able to see me typing, you can probably record me doing so, bug my USB keyboard, or buy a $10 wrench. I guess for people streaming it might be worth it? I don't think it's a big enough deal to warrant the fuss around this change though, it's just an ok UX improvement that could be slightly better at retaining the sense of security.

[^0]: https://github.com/google/xsecurelock#options

Not giving away the length is mainly an assistance to people with really short passwords. Knowing that someone has a 12 character password doesn't help attackers much, but knowing that someone has a 6 character password would be really useful.

It's still not very useful to hide the length. If you don't know the length and just start guessing with passwords of length 0 it only adds about 1/N extra guesses where N is the alphabet size compared to guessing strictly the right length. So it is a very small savings to know the password length.

It might matter a bit more for dictionary-based attacks (you don't have to bother hashing dictionary permutations that don't match the expected length) but I still suspect it doesn't save you much.

That's only for targeted attacks.

For opportunistic attacks, this could help you identify those with short passwords and only attack them. This is a factor of N speedup where N is the pool of people you are interested in attacking.

It would be enough to just show a single character (* or some other to distinguish) if there is something typed in and show no character after using backspace to delete the typed password.

It doesn't make sense to show the exact amount of characters. It just leaks the password length.

Actually now that I think about it, showing the entered length is very useful, cause I often find myself entering the wrong password for something else, realizing 2/3 the way through and I have two options: to hold backspace for some random amount of time (usually for not nearly long enough cause there's no feedback as to how many characters remain to delete), or enter the wrong one and wait for the long ass delay to let me do it again.

On some systems I've gone as far as removing that delay. It's either that, reusing the same password everywhere, or losing my fucking mind. This should fix that wonderfully.

Maybe it works for <=10 character passwords, but it seems to me that if you are counting asterisks in a longer password because you lost track of you input, then you are better off using C-u to clear the password and enter it from scratch.

That said, with any feedback that confirms my key was pressed I can pretty much always correct a mistake using backspace without trouble (with backspace also having visual feedback).

I feel this is a good change as it also emphasizes window/terminal focus is at correct place and user do not unintentionally type the password to another focused place (chat etc.)

Why not just display a single character out of a changing set of characters such as / - \ | (starting with a random one from the set) after every character entered? That way you can be certain whether or not you entered a character but and observer can‘t tell how many characters your password has.

There was a software package a couple decades ago, I want to say it was Lotus Notes but I'm pretty sure it wasn't actually Lotus Notes but something of that ilk, that would show a small, random number of asterisks corresponding to each character entered. So you'd hit one key and maybe two asterisks would show up on screen. And kept track of them so if you deleted a character, it'd remove two.

I thought that was kinda clever; it gives you feedback when your keystrokes are recognized, but it's just enough confusion to keep a shoulder surfer from easily being able to tell the length of your password unless you're hunt-and-pecking every single letter.

Yeah, I remember Lotus Notes both showing multiple filler characters per keystroke and showing different keychain pictures based on the hash of what you typed. This way you could also tell you've made a typo before submitting it.

If the hash changes after every character, doesn't that make it possible for someone to determine your password one character at a time if they know what each hash was?

I'm guessing that wasn't in the threat model at the time.

Hmm. Let's say you have 64 possible characters you can use in a password and four different images. You look over someone's shoulder and see that they go "RGBYYBRYG".

What this means is that you can now reduce your search space to approximately 16^9 passwords instead of 64^9 passwords. Which is probably very helpful if you have stolen the password hash, but not if you have to guess it by entering the password manually.

Yeah this reduces the time required to crack a password from

(# available characters) ^ (password length)

to

(# available characters) * (password length).

If you were patient you could crack someone's passwords by hand.

Back around 1996, Notes would show hieroglyphics that changed with each new password character.

Yup, it was Notes, I used it at IBM. It was an unbelievably stupid idea. Every single day people were asking why their password was wrong because they were confused by the line of stars being too long.

Notes did indeed do that, and I as I recall it was three astrix characters per password character.

Unless of course your adversary can count. But if they can count they can also just count the number of keystrokes they hear, especially if you're recording it and they can spend time post processing the audio.

As a general rule, if you have an adversary that cares that much you’re probably doomed.

Presumably they’re capable of buying a $5 wrench to physically use against you.

Unless they want to compromise you secretly.

For a new Ubuntu user, that is probably more confusing than not echoing at all.

"That way you can be certain..." absolutely not.

Oh you mean like every time you type a password, it steps a spinner round? That solves the problem that IBM used to use for Notes where it showed "the wrong number of stars" which confused the hell out of users.

Because that's still weird and confusing to people and still serves no purpose.

Sorta reminds me of the i3lock screen locker. It shows an incredibly confusing circle UI where every keystroke randomizes the position of the sector on a circle, with no explanatory text on the screen (^1). To new users, it's not clear at all that you are entering your user password or even that it's a screen locker at all, because it just looks like a cryptic puzzle.

Of course, once you do understand that it's just a password prompt, it's great. Completely confuses the hell out of any shoulder surfers, who will for sure think it's a confusing puzzle, and eventually they will get rate limited.

^1: Example of it in use: https://www.youtube.com/watch?v=FvT44BSp3Uc

Now that you mention i3lock, if sudo showed a symbol changing with each keystroke, it could show it's working (not frozen, accepting input) without revealing the length, similarly to i3lock. I've seen ascii loading spinners from package managers by changing between slashes and hypens and such. Something of that sort would probably do the trick.

Purpose:

> That way you can be certain whether or not you entered a character

And the shoulder surger can still count the number of times it changes so you might as well just be normal.

They can also count the number of keystrokes they heard.

The echoed stars should disappear when you press enter, that way you are not revealing this information when you share a screen capture.

ATM keypads are very carefully designed so that all the buttons sound exactly the same, so you can't lift a PIN by recording the sound.

I've seen this demonstrated, using "Cherry" type keyswitches, with about a 75% success rate.

I also knew an old guy who could tell what an ASR33 or Creed teleprinter was printing just by the sound, with "good enough" accuracy, and copy RTTY by ear with "good enough" accuracy.

He didn't really talk about his time in the Royal Signals in the 50s and 60s very much.

Surely looking at your screen seconds/minutes/hours later is the greater risk vector?

It's surprising to see an OS, dominant as a sever platform, now optimizing catering to people who are unsure whether they've pressed a button on their keyboard. What's next, replacing asterisks with a progress bar?

You are down-voted, but if we consider this to be the reason, it is indeed sad.

You can no longer filter out power users of computers based on their choice of OS alone. :D

Password recovery where you enter your mothers maiden name and favourite food.

I don't understand your suggestion. If you're still showing one character after each character entered, what's changed?

What's the benefit of having a random character from a random set, instead of just a random character?

I think the idea is that each character overwrites the previous, so you're never showing the total length (apart from 0/1!)

Ah, and the characters are supposed to be an ASCII spinner.

I think if I was new to Linux that would confuse the life out of me :)

There's no persistent reveal of password length after you're finished typing. It reduces the length-reveal leak from anyone who eventually sees the terminal log to people who are actively over-the-shoulder as you type it.

If you can see 1 char from set of 4 you know the number of characters modulo 4. If the minimum length of a password is 6, and probably it is no longer than 12 characters, then you can narrow the length to 1 or 2 numbers. It is marginally better than asterisks of course, of course, but it is still confusing.

The original suggestion included randomizing the first character of the set, which removes this attack.

They mean to have a static single character on the screen and have it change with every keypress. For example, you type "a" and it shows /. You type "b" and it shows "|", etc.

Fascinating . . . reading the comments, it seems like the vast majority think this is a long overdue change. For myself, it never occurred to me that there was any issue and I'm slightly unsettled by the change (i.e. it is far from obvious to me that it's a good thing). It is not something I've thought deeply about, of course.

Because you long forgot how confusing it was, that you can't see if your keystrokes are accepted by the machine. This is a change for people, that are new to Linux/Unix

Worse than this issue, but kind of related, sometimes TTY1 (and maybe also the other TTYs) is being spammed by log info on boot, and if you have a TTY login it isn't obvious you can just log in anyway. Had a friend using Arch+i3 with TTY login, pretty new to GNU/Linux in general, so he kinda threw up his hands like "ah dang, can't log in, it's broken". I tried to tell him to just type his credentials anyway, but he didn't get what I was saying at first. Took a bit before we got him logged in and could address the other issues. I've had similar issues on my machines. I once had kernel log verbosity cranked up by accident, copied my config from another machine where I was chasing a GPU bug. Well, the same settings on the other machine were presenting way worse, constant never-ending line-spam, before and after login. Had to get into a graphical environment half-blind to see what I was doing and then turn down the verbosity. IMO there should be an easier way around that.

kernel cmdline arguments set in the bootloader? though I'm not sure which has precedence

Good things always happen when you cater to the lowest common denominator.

I expect there's an audience selection bias at work: Fewer greybeards and more spiky haired teens reading HN.

I think it's an awful idea. Apart from making things less secure it also makes sudo's UX inconsistent with most of the other coreutils. Luckily, I don't plan on doing any more ubuntu installs.

So, the article says that sudo hid the password by default because of shared terminals and so on.

I would've thought it would've been a simple carry over from before terminals were glass. Like, yeah, I get up from a glass terminal and someone else goes to use it, but wouldn't the scrollback be cleared when I log out? But silent logins from before glass terminals makes a ton of sense; it would literally print your typed characters on a real, physical medium. having

    login: cool_user
    password: hunter2

sitting on a printout in a trash can? Yeah, obvious security issue.

I dunno, I take them at their word but if you had asked me why password prompts in the terminal don't echo, I would've guessed it was a carry-over from the days of real teletype terminals.

Not just that. There's no escape sequence to tell a terminal to draw every character input as something else and if there was, it may not have worked across all the different terminals out there.

I suppose you could do character buffering and quickly change to normal, print an asterisk, and back to silent mode in one write. But likely there's always some kind of edge case where things work differently. It's not difficult to disable so this may be better for the 99% and the 1% can change it back.

They could have just made it an option to enable the new behavior. There was no need to change the default.

As for security: 'shoulder surfing' may not be as much of a concern, but watching a livestream or presentation of someone who uses sudo will now expose the password length over the internet (and it's recorded for posterity, so all the hackers can find it later!). They've just introduced a new vulnerability to the remote world.

Someone live streaming is well attuned to the dangers of exposing personal information on screen, and will hesitate before ever typing a password while streaming. They'll either disable this feature or open a root shell before beginning their stream.

Besides, I can just amplify their stream to hear their keypresses.

This is really a non-issue, all password fields behave this way, so it's not like this is a new computer behavior. This change only aligns sudo to literally everything else.

> Someone live streaming is well attuned to the dangers of exposing personal information

You actually believe that every person in the world who shares their screen is aware of computer security best practices? Or are we only limiting this generalization to every one of the millions of YouTube/Twitch livestreamers?

> I can just amplify their stream to hear their keypresses.

Maybe if they have Cherry MX Blues? A normal keyboard would not get picked up by modern apps' recording noise suppression (the filters are designed to eliminate the sound rather than merely lower volume).

What I do believe is that every person in the world who arrives at a sudo prompt had previously entered a password into a field that echoed asterisks, and as such is prepared to appropriately conceal their password.

Why no need to make it the default? I’m all for rethinking legacy decisions.

It helps 99% of the user base and the security risk seems negligible.

Rethinking would imply there was thinking going on. This decision was made on vibes alone.

If anything, the people clinging to this snake oil security theater are the ones running on vibes alone.

I feel like livestreaming is a good example of an unusual situation where one might consider changing defaults that are otherwise good for the majority of users.

Also, I think the vulnerability of knowing that someone's password is exactly 19 characters long is low enough to be worth the tradeoff. Especially since someone on a livestream can also figure that out by listening for the keypresses.

An accessibility feature helps more people if is it is on by default.

There was already an option for a very long time, and in fact Mint had already changed the default since a long time ago (see e.g. https://forums.linuxmint.com/viewtopic.php?p=1572457).

Changing the default is the point, because people often just don't look into whether it's possible to configure things. They might not even get the idea that the asterisk feedback could be possible, or useful, until it's shown to them.

If your sudo password can be exposed by its length then you need a longer password. Hiding the length is just security theatre.

In your specific example livestreams usually have audio so the length is already public.

Yes, this mattered when 6 character passwords were common.

This is a very specific fear for a very niche sector of the userbase. sudo is the only case of a silent password I've encountered in my life and it's really uncomfortable.

How is exposing length of a password a vulnerability? My HN password is 16 characters long. Go and crack it.

Set it to 1-5 characters long, and let us know which you chose.

Why?

If I pick a random 1-5 character password out of the pool of possibilities, it's very very likely to be 5 characters, and letting you know it's not 1-4 characters does pretty much nothing to help you crack it.

If I'm acting reasonably, I don't randomize the length, I pick a length long enough for the amount of security I want, and in that situation telling you the exact length reduces that security by much less than one bit.

You're missing the point. If knowing the length of a password is helpful in cracking it, then it's already too short to be effective.

The question was:

> How is exposing length of a password a vulnerability?

You're arguing exactly the point.. knowing the length of a password is helpful in cracking it. We all agree short is bad. Depending on your threat model, you (hopefully) don't use passwords as the only verification very many places - perhaps to unlock stronger secrets (ssh keys, an account without local login that can only connect with a certificate). You'd still rather a shoulder surfer doesn't know how many characters you pressed.

Any password of a length that could feasibly be cracked by way of brute force (So up to perhaps 8?) would only save 1/N of the total time taken to crack it with N being the length if one were to know the exact length.

So yes, sure, technically there is an effect, but it's such a small effect, and only for people that should change their damn passwords already, that it's worth making the change for the improved UX.

They’d still need to have access to the device, so it shouldn’t be a problem unless other passwords are the same as your device password.

Also what demos are you doing that require sudo access to your local machine? That’s already pretty niche.

The same hackers could just listen to the key press sounds.

Related to the rust rewrite, I was real confused when I had a machine on Ubuntu 25 that had sudo-rs and I was trying to debug a five year old bash script from github and it kept throwing some strange errors. Turns out sudo-rs at least at the time was missing the flag for ask pass which was quite frustrating and rubbed me the wrong way due to the "rush for rust" and sudo-rs not being a drop in replacement yet. Also it also wasn't really documented how to go back to the old sudo which I found by just installing sudo and removing sudo-rs. I was already in the processes of dropping Ubuntu for Debian so that was long term fix for me.

How much information is there in knowing the length of someone's password?

If we know the password's length, it saves us from guessing any shorter passwords. For example, for a numeric password, knowing the length is 4 saves us from having to guess [blank], 0-9, 00-99 and 000-999. This lowers the number of possibilities from 1111 to 1000. The password has 90% of it's original strength. A [0-9a-zA-Z] password retains 98% of it's original strength

For any given alphabet A, and for any positive integer n, the set of strings of length n over A is a finite set, with (number of characters in A)^n elements.

The set of all strings, of any length over A, is an infinite set, because it is the union of all sets of strings of length n for each positive integer n.

So if you don't know the length of the password, there are infinite possibilities. If you do know the length of the password, there are only finite possibilities.

Which would in turn imply that there is an infinite amount of information in knowing the length of a password - the complement of the set of n-length strings over A in the set of strings over A contains an infinite number of elements, which you can safely exclude now that you know the password is part of the finite set of n-length strings over A.

Only if the password is infinitely long. Which it isn't. The only way knowing the length shaves off a significant amount of time during bruteforcing is if the password is already so short that the time save isn't relevant in the first place.

Absolute nonsense. Apart from the fact that password length is necessarily finite due to memory and time constraints, passwords aren't stored as clear text. You will get hash collisions, because the number of unique hashes is very much finite.

Your argument therefore doesn't apply in this context.

I'm glad to see this change. This was already the case for GUI password prompts, and I'm happy to see terminals following suit.

This wasn't someone seeing Chesterton's fence and deciding to knock it down thoughtlessly. This is a change that someone can in fact think all the way through and say "yeah, this should be changed, it's an improvement and doesn't cause any meaningful reduction in security".

Think of it this way: there’s a button to show your actual password in the majority of applications nowadays.

`sudo` and `login` are I think the only two tools I use that don’t provide any feedback.

Otherwise my entire life is behind a password database that lets me see my password in plaintext and otherwise shows the length of it as it’s typed. KeepassXC.

If knowing how the length of your password makes it easy to crack you probably have other problems

Knowing the length makes is defined easier, maybe not easy but easier.

It saves 1/Nth of the total time taken to brute force an N character password compared to starting from length 1. So any password where this is a significant fraction is so short that the time saved isn't really relevant.

So yes, "easier", technically. But not in any meaningful way.

Unless you attack a group and want to know which target has an easier to brute force password.

No, not really. If you have people watching you so closely, there’s a good chance they can watch your fingers on the keyboard, too. Maybe you’re sharing your screen for a presentation, this might be slightly ill advised, but then, you should run such things in a VM or container and use silly demo passwords.

People watching you through cameras through a window can more likely see your screen than your keyboard.

Or think of TEMPEST attacks

It really isn’t. The threat model is someone who can watch you type a sudo command, and has physical access to your computer to try to brute force combinations, or a way to access a backup of your hard drive or passwords file.

Knowing the length narrows down the search space some, but a meaningfully long password basically makes that knowledge useless, and again, it’s only useful if the approach they take is to try to physically possess your computer or obtain an encrypted backup.

A far more likely effort is going to be a spear fishing email, especially since if they have physical access to you they probably know a lot about you, and what services to spoof to get you to give them passwords, and so on.

Correct, it is not a meaningful reduction of security. In terms of information theory, the search-space reduction will not take make a strong password tractable. And that's leaving aside that you could already get that information via sound, or visually by looking at the keyboard. And GUIs already gave the length of the password, it was only some text-based applications that gave zero password feedback.

Conversely, making people more comfortable with security measures may well improve security; for instance, some people will have an easier time typing in longer and more complex passwords thanks to password feedback.

Usability is often a security feature.

If your password is long enough it doesn’t matter if they know it is say 16 characters and if it isn’t long enough it also doesn’t matter because they can just brute force all the potential lengths up to it. So yes it is just security theater.

Giving away the password length helps attackers to select the easier target.

That's an argument for telling people the strength of their password, and warning them when setting a weak password. It's not an argument for decreasing usability in a fashion that will make people less comfortable typing long, complex passwords.

It is not, from a statistical perspective.

I did this!

I didn't actually know that Mint had enabled this by default. That would have been a useful counterpoint to the naysayers.

If you want the original behaviour you don't actually need to change the configuration - they added a patch afterwards so you can press tab and it will hide the password just for that time.

> The catalyst for Ubuntu’s change is sudo-rs

Actually it was me getting sufficiently pissed off at the 2 second delay for invalid passwords in sudo (actually PAM's fault). There's no reason for it (if you think there is look up unix_chkpwd). I tried to fix it but the PAM people have this strange idea that people like the delay. So I gave up on that and thought I may as well try fixing this other UX facepalm too. I doubt it would have happened with the original sudo (and they said as much) so it did require sudo-rs to exist.

I think this is one of the benefits of rewriting coreutils and so on in Rust - people are way more open to fixing long-standing issues. You don't get the whole "why are you overturning 46 years of tradition??" nonsense.

If anyone wants to rewrite PAM in Rust... :-D

https://github.com/linux-pam/linux-pam/issues/778

> If anyone wants to rewrite PAM in Rust... :-D

If you do, offer support for writing modules in a scripting language like Lua or Python. PAM could make it a lot easier to just add OAuth with your company IdP, for example…

Ah, but then you choose the wrong language or language runtime and distros ship old versions for 10+ years :)

(compare: polkit. Both sides have their point, but I've been annoyed by this standoff a few times).

> There's no reason for it

The reason is to add a delay when bruteforcing passwords.

Bruteforcing is only really done with the password hashes in hand. Attacks on live systems are done with credential stuffing.

Definitely not for local password authentication, and I'm dubious it helps for ssh either. See my other comment.

Not for local password authentication.

https://github.com/pibara/pam_unix/blob/master/unix_chkpwd.c...

Yes, for local password authentication.

The code you linked to isn't the code for a wrong password. It's a check to make sure you're using a TTY. That code isn't to prevent brute force. The delay there is 10 seconds.

The 2 second delay is in support.c at https://github.com/pibara/pam_unix/blob/5727103caa9404f03ef0...

It only runs if "nodelay" is not set. But you might have another pam module setting its own delay. I have pam_faildelay.so set in /etc/pam.d/login

Change both the config files and you can remove the delay if you want.

> Yes, for local password authentication.

It's really really not. By default PAM has a difficult-to-disable 2ish second minimum delay for all authentication methods. However this is completely pointless for local password authentication because PAM checks password using unix_chkpwd, which has no delay. The comment I linked to is explaining that unix_chkpwd has a silly security theatre delay if you try to run it in a tty, but that's trivial to avoid.

If you want to brute force local password authentication you can just run unix_chkpwd as fast as you like. You don't need to involve PAM at all, so its 2 seconds delay achieves nothing.

It maybe does more for remote connections but I'm not sure about that either - if you want to check 10k ssh passwords per second what stops you making 10k separate connections every second? I don't think the 2 second delay helps there at all.

> Change both the config files and you can remove the delay if you want.

This is extremely complicated. See the comments in the issue for details.

No, it's very simple. Do what I said in my comment. Add nodelay to the options for pam_unix.so and set pam_faildelay.so delay=0

That's it. You didn't link to any issue and the weird mistakes and justifications you're making feels like arguing with an LLM.

You obviously can't run unix_chkpwd against a local account without root.

> You obviously can't run unix_chkpwd against a local account without root.

Wrong. At least check before you say something is obvious.

> No, it's very simple.

Even more wrong: https://github.com/linux-pam/linux-pam/issues/778#issuecomme...

> feels like arguing with an LLM

I could say the same about you, repeatedly and confidently asserting falsehoods.

No, I'm right. You can't run unix_chkpwd against a local account without root because you won't be able to access /etc/shadow to get the hash. If you think you can, explain how. Otherwise you have to use the setuid version which won't let you run it directly.

And I just removed the delay using my method. Perhaps try checking something yourself?

I don't understand how you can be so confidently wrong about something so easily checked. :D

> You can't run unix_chkpwd against a local account without root because you won't be able to access /etc/shadow to get the hash.

unix_chkpwd can access /etc/shadow because it is suid.

> Otherwise you have to use the setuid version which won't let you run it directly.

Haha you mean this?

  $ unix_chkpwd
  This binary is not designed for running in this way
  -- the system administrator has been informed

Take a look at the source code I linked about 6 comments ago!

> Perhaps try checking something yourself?

I have. You haven't.

  printf 'hunter2\0' | unix_chkpwd yourusername nullok; echo $?

How many people with a loud mechanical keyboard shut their microphone to type a password whem sharing their screen in an audio/video call?

A good life hack I figured out is to smear your laptop camera and microphone with sticky tack, not to totally disable them but to insufferably degrade them, then after a few attempts you can be excused from the expectation of ever appearing on video calls and can disable both permanently.

If you start by hitting backspace a few times and/or typing random characters and deleting them (to make sure the keyboard's working and sending your inputs where you think) it should obscure the length somewhat.

I was not thinking about the length but the actual keypress recognition. If you have enough recording of all kind of keypresses many keys/characters can be recognized from the waveform itself, including the backspace and delete ones.

I doubt this is a super common threat but I would expect it to be already applied by spies or "Jia Tan" like employees.

Hitting Home, End and Ins would "add" another 3 characters yet would not change the password. A full 100+ keyboard needed.

This was actually the thing that derailed my first attempt at Linux. I was like 14 or 15 and didn’t understand that concept so couldn’t log in lol

I hope any hold-outs who aren't convinced yet will be after reading this comment!

Did you wind up sticking with Windows (or Mac) for a long time after this? How long until you tried again?

“ That behaviour survived — untouched — through nearly half a century of Linux distributions” … LOL

Linus Torvalds is 56.

sudo is not the only thing that prompts for password in the terminal. There is at least passwd and ssh.

I value ctrl+U a lot more for password prompts than the visual feedback, it's even used by GUI on Linux.

Yeah I would like to fix those too but sudo is the one I encounter most. Also the existence of sudo-rs meant there was less push-back. I seriously doubt the maintainers of openssh or passwd would accept this change.

It surprises me how many applications don't give you the option to see your password in plain text as you enter it. The messaging around password security is that we should be making them complex and unique, but then password UIs make that as difficult to do as possible. Is visual password stealing really a bigger issue than weak passwords / password reuse?

Even weak passwords is almost a nonissue. No one gets even millions of tries against most passwords due to lockouts, whereas credential stuffing is a perpetual security nightmare.

Uniqueness is the number one thing that matters. The modal attack is a remote credential stuffing attack by someone trying millions of email/password combinations from a database.

This fixes another issue with that if you make a typo in your password, you don't know how many characters you need to delete, but now you would.

I find it's usually faster to hit ctrl-u and start over anyway.

I have a really long passphrase in keepassxc. I often try to type it, fail 50% of the time, display the password, fix the typo. I would not use a long passphrase otherwise. (I understand there are other risks, such as having spyware that is recording my screen, but my main worry is for the safety of the file itself)

I know sudo-rs will likely not allow viewing the password in the short term, but the benefit to being able to have some visual feedback, is that it lets me use a more complex password.

Other example: if I'm on a ssh link with very high latency (ex: on a phone), I might type one character at the time, make sure they register correctly, and continue. If I can't do that, then I'll type the password in a text editor, then copy-paste it into the password prompt.

That's been my solution too and it's never been an issue for me tbh.