[ale] Passwords displaying on multi-user system?

Ed Cashin ecashin at noserose.net
Wed Dec 12 09:36:57 EST 2018


Did you take a slow motion video to see whether the Loch Ness monster
is real or not?

On Wed, Dec 12, 2018 at 9:16 AM Todor Fassl via Ale <ale at ale.org> wrote:
>
> Correction: This was on a machine using gdm as the display manager.
>
> Yeah, my take was the humans make patterns out of everything thing. He
> said it flashed on the screen for half a second.
>
> Even to keep multiple user passwords in memory, much less to display
> them, would be a huge security flaw. Why would any display manager do
> that? The password has no use once the user has been authenticated. It
> doesn't seem likely to me that a bug like this could even exist in gdm.
>
> I have already told my manager that I believe this is a Loch Ness
> Monster sighting. But I thought I would see what you folks said.
>
> On 12/11/18 4:01 PM, Jim Kinney wrote:
> > I've seen screen flashes of text but it's always been random library
> > code stuff and gdm errors. I've not used lightdm before. Bluntly, the
> > system should never be storing passwords in plain text using any method.
> > It's supposed to be flushed out or overwritten immediately when the user
> > entry is converted to salted:sha256 format. But this is more of why X is
> > notoriously insecure.
> >
> > It could also be a random thing that a user "saw" their password in that
> > half second and really perceived it as their password when it was really
> > just crap. Humans make patterns out of everything.
> >
> > If someone has a camera with slow motion ability, have multiple people
> > log in then lock the screen and video the "sign in as another user"
> > process in slow motion. If the others see their password in the video,
> > notify Ubuntu and lightdm developers.
> >
> > On Tue, 2018-12-11 at 15:02 -0600, Todor Fassl via Ale wrote:
> >> What do you all make of this report from an end user? The user is a grad
> >> student who shares an office with several other students.  Right now,
> >> there are 5 of them logged in, they've all failed to log out when they
> >> walked away from the machine.
> >>
> >>   > I was about to use the machine in my [shared] office just now, and had
> >>   > to click "sign in as another user". In between that and the list of
> >>   > usernames appearing, a black screen with white text on it popped up
> >>   > for half a second tops. I noticed it showed my password in plain text,
> >>   > and presumably some of the other text was other people's passwords.
> >>
> >> The system is a fully updated ubuntu bionic system using lightdm for the
> >> display manager.
> >>
> > --
> >
> > James P. Kinney III
> >
> > Every time you stop a school, you will have to build a jail. What you
> > gain at one end you lose at the other. It's like feeding a dog on his
> > own tail. It won't fatten the dog.
> > - Speech 11/23/1900 Mark Twain
> >
> > http://heretothereideas.blogspot.com/
> >
>
> --
> Todd
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> https://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo



-- 
  Ed Cashin <ecashin at noserose.net>
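The point raised in the quoted thread is that a display manager should hold a typed password only for the moment it takes to check it and overwrite it immediately afterwards. The following added example (not gdm or lightdm code; the credential check is a stand-in for the real PAM call, and `login_and_wipe`, `login_no_wipe`, `secure_wipe` and `buffer_is_clean` are names chosen here) shows a wipe that the compiler cannot optimise away, next to the careless pattern that leaves the password sitting in memory where a crash dump, a log line or a stray screen write could expose it.

```c
#include <stddef.h>
#include <string.h>

#define PW_MAX 128

/* Overwrite through a volatile pointer so the store is not elided as a
 * "dead write" the way a plain memset() before return can be. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Constructed stand-in for the real credential check (assumption). */
static int check_credential(const char *user, const char *pw) {
    return strcmp(user, "alice") == 0 && strcmp(pw, "correct horse") == 0;
}

/* Copy the typed password into pwbuf, verify it, then zero the whole buffer
 * (not just strlen bytes) before returning. Returns 1 on success, 0 otherwise.
 * The caller's own copy in `typed` must be wiped the same way. */
int login_and_wipe(const char *user, const char *typed, char pwbuf[PW_MAX]) {
    size_t n = strlen(typed);
    if (n >= PW_MAX) n = PW_MAX - 1;
    memcpy(pwbuf, typed, n);
    pwbuf[n] = '\0';
    int ok = check_credential(user, pwbuf);
    secure_wipe(pwbuf, PW_MAX);
    return ok;
}

/* The careless pattern, for contrast: the plaintext survives the call. */
int login_no_wipe(const char *user, const char *typed, char pwbuf[PW_MAX]) {
    size_t n = strlen(typed);
    if (n >= PW_MAX) n = PW_MAX - 1;
    memcpy(pwbuf, typed, n);
    pwbuf[n] = '\0';
    return check_credential(user, pwbuf);
}

/* Returns 1 if every byte of buf is zero, 0 if any password residue remains. */
int buffer_is_clean(const char *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (buf[i] != 0) return 0;
    return 1;
}
```

A quick way to confirm the difference on a real binary is to break after each call in a debugger and inspect the buffer; only the unwiped variant still shows the password.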

