[systemd-devel] crypto: to show stars or not to show them

Lennart Poettering lennart at poettering.net
Tue Mar 15 20:30:29 PDT 2011


On Fri, 11.03.11 20:26, Jan Engelhardt (jengelh at medozas.de) wrote:

Heya,
 
> I have been made aware of showing stars when entering passwords for 
> crypttab volumes through systemd's integrated scripts/programs is 
> considered a "feature". Well, I don't concur there. Potential overseers 
> could count the stars, which is not so thrilling. Which is probably why 
> UNIX and/or its descendants have had no-stars password prompt pretty 
> much throughout (/bin/passwd, ssh, and whatelse you can think of).
> 
> Some argue that not showing stars makes it harder to backspace. That may 
> be true to some extent, since you don't know when to stop hitting 
> backspace. This in turn has led some programs to simply implement either 
> three-stars-per-char, but what is really wanted in such a case is simply 
> a way to merely start over. Sometimes enter works (in case of login 
> prompts that repeat forever, like getty or xdms), and for those programs 
> that would like to exit some day (passwd, cryptsetup, etc.), catching ^C 
> or perhaps ^\ might be in order.

Well I don't agree with your findings, for a couple of reasons: we have
been showing asterisks on the password prompt in plymouth when it shows
no graphical UI since about always, so this isn't really a change,
except that we now do so for plymouth-less prompts too. Then, this is
probably the only non-graphical password prompt a user might ever
see. After X is up all password prompts do give input feedback, hence it
is highly surprising for the user if this one doesn't. Finally, during
bootup a lot of output is generated in parallel, which often makes it
hard to see the password prompt. Hence some input feedback when the user
types his passphrase is very important and helpful.

If you pass_phrase_ is so short that it is not even a pass_word_, just a
pass_character_, then I think the right fix is not to make invisible
that the key is so short, but pick a longer key where this doesn't
matter.

I think the main reason why most Unix apps haven't done anything like
this is mostly that it isn't completely trivial to implement this (just
turning of echo is trivial OTH). Also, the traditional Unix user was
well versed in Unix, and knew this behaviour. And finally, traditionally
stuff like this was executed strictly serialized, to the effect that the
prompt could not be overprinted by something else until the user
actually entered something.

I am not aware of any complaints like this regarding password prompts in
gdm or similar, although traditionally Unix user passwords have been
much shorter than disk passphrases. (In fact already the wording chosen
makes that clear, 'password' vs. 'passphrase').

Lennart

-- 
Lennart Poettering - Red Hat, Inc.


More information about the systemd-devel mailing list