[ale] Passwords displaying on multi-user system?

Jim Kinney jim.kinney at gmail.com
Tue Dec 11 17:01:59 EST 2018


I've seen screen flashes of text but it's always been random library
code stuff and gdm errors. I've not used lightdm before. Bluntly, the
system should never be storing passwords in plain text using any
method. It's supposed to be flushed out or overwritten immediately when
the user entry is converted to salted:sha256 format. But this is more
of why X is notoriously insecure.

It could also be a random thing that a user "saw" their password in
that half second and really perceived it as their password when it was
really just crap. Humans make patterns out of everything.

If someone has a camera with slow motion ability, have multiple people
log in then lock the screen and video the "sign in as another user"
process in slow motion. If the others see their password in the video,
notify Ubuntu and lightdm developers.

On Tue, 2018-12-11 at 15:02 -0600, Todor Fassl via Ale wrote:
> What do you all make of this report from an end user? The user is a
> grad student who shares an office with several other students.  Right
> now, there are 5 of them logged in, they've all failed to log out
> when they walked away from the machine.
>
> > I was about to use the machine in my [shared] office just now, and
> > had to click "sign in as another user". In between that and the
> > list of usernames appearing, a black screen with white text on it
> > popped up for half a second tops. I noticed it showed my password
> > in plain text, and presumably some of the other text was other
> > people's passwords.
>
> The system is a fully updated ubuntu bionic system using lightdm for
> the display manager.
-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain

http://heretothereideas.blogspot.com/
