[ale] Passwords displaying on multi-user system?
Todor Fassl
fassl.tod at gmail.com
Wed Dec 12 09:16:28 EST 2018
Correction: This was on a machine using gdm as the display manager.
Yeah, my take was the "humans make patterns out of everything" thing. He
said it flashed on the screen for half a second.
Even to keep multiple user passwords in memory, much less to display
them, would be a huge security flaw. Why would any display manager do
that? The password has no use once the user has been authenticated. It
doesn't seem likely to me that a bug like this could even exist in gdm.
I have already told my manager that I believe this is a Loch Ness
Monster sighting. But I thought I would see what you folks said.
On 12/11/18 4:01 PM, Jim Kinney wrote:
> I've seen screen flashes of text but it's always been random library
> code stuff and gdm errors. I've not used lightdm before. Bluntly, the
> system should never be storing passwords in plain text using any method.
> It's supposed to be flushed out or overwritten immediately when the user
> entry is converted to salted:sha256 format. But this is more of why X is
> notoriously insecure.
>
> It could also be a random thing that a user "saw" their password in that
> half second and really perceived it as their password when it was really
> just crap. Humans make patterns out of everything.
>
> If someone has a camera with slow motion ability, have multiple people
> log in then lock the screen and video the "sign in as another user"
> process in slow motion. If the others see their password in the video,
> notify Ubuntu and lightdm developers.
>
> On Tue, 2018-12-11 at 15:02 -0600, Todor Fassl via Ale wrote:
>> What do you all make of this report from an end user? The user is a grad
>> student who shares an office with several other students. Right now,
>> there are 5 of them logged in, they've all failed to log out when they
>> walked away from the machine.
>>
>> > I was about to use the machine in my [shared] office just now, and had
>> > to click "sign in as another user". In between that and the list of
>> > usernames appearing, a black screen with white text on it popped up
>> > for half a second tops. I noticed it showed my password in plain text,
>> > and presumably some of the other text was other people's passwords.
>>
>> The system is a fully updated ubuntu bionic system using lightdm for the
>> display manager.
>>
> --
>
> James P. Kinney III
>
> Every time you stop a school, you will have to build a jail. What you
> gain at one end you lose at the other. It's like feeding a dog on his
> own tail. It won't fatten the dog.
> - Speech 11/23/1900 Mark Twain
>
> http://heretothereideas.blogspot.com/
>
--
Todd
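Jim's point that a plaintext password should be flushed or overwritten the moment it has been checked against the stored salted hash is worth seeing in code. The following is an added example, not code from this thread, lightdm or gdm: a small login-check routine that verifies the entered password, then wipes the input buffer before returning, plus a helper a test can use to confirm the plaintext is really gone. The digest (`toy_digest`, FNV-1a over salt and password) is a constructed stand-in for the salted SHA-256 a real display manager gets from crypt(3) and is not suitable for storing real passwords; all function names and sample values here are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wipe through a volatile function pointer so the compiler cannot drop the
 * memset as a dead store. This is the portable pattern behind explicit_bzero;
 * on glibc >= 2.25 or the BSDs, explicit_bzero itself is the better call. */
static void *(*const volatile wipe_fn)(void *, int, size_t) = memset;

void secure_wipe(void *buf, size_t len) {
    wipe_fn(buf, 0, len);
}

/* Constructed stand-in digest: 64-bit FNV-1a over salt || password.
 * Placeholder for the real salted SHA-256 crypt hash; not for real use. */
uint64_t toy_digest(const char *salt, const char *password) {
    uint64_t h = 1469598103934665603ULL;
    const char *parts[2] = { salt, password };
    for (int i = 0; i < 2; i++) {
        for (const unsigned char *p = (const unsigned char *)parts[i]; *p; p++) {
            h ^= *p;
            h *= 1099511628211ULL;
        }
    }
    return h;
}

/* Constant-time equality of two digests: 1 if equal, 0 otherwise, without a
 * branch whose timing depends on how many bits matched. */
static int digest_equal(uint64_t a, uint64_t b) {
    uint64_t diff = a ^ b;
    return (int)(((diff | (0 - diff)) >> 63) ^ 1);
}

/* Verify the password held in `entered` (a buffer of `cap` bytes) against the
 * stored digest, then overwrite the whole buffer. Returns 1 on match, 0
 * otherwise; the plaintext is wiped on both paths because it has no further
 * use once the comparison is done. */
int check_and_wipe(char *entered, size_t cap, const char *salt, uint64_t stored) {
    int ok = digest_equal(toy_digest(salt, entered), stored);
    secure_wipe(entered, cap);
    return ok;
}

/* 1 when every byte of buf is zero: what a caller or a test uses to confirm
 * that nothing readable is left behind in the input buffer. */
int is_wiped(const char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= (unsigned char)buf[i];
    return acc == 0;
}

/* Run the flow once with the right password and once with a wrong one.
 * Returns a bitmask: bit 0 = correct password accepted, bit 1 = buffer wiped
 * afterwards, bit 2 = wrong password rejected, bit 3 = buffer wiped after the
 * rejection. 15 means every property held. */
int demo(void) {
    const char *salt = "salt1";                         /* constructed */
    uint64_t stored = toy_digest(salt, "hunter2-constructed");
    int result = 0;

    char good[32] = "hunter2-constructed";              /* constructed */
    if (check_and_wipe(good, sizeof good, salt, stored) == 1) result |= 1;
    if (is_wiped(good, sizeof good)) result |= 2;

    char bad[32] = "wrongpass";                         /* constructed */
    if (check_and_wipe(bad, sizeof bad, salt, stored) == 0) result |= 4;
    if (is_wiped(bad, sizeof bad)) result |= 8;

    return result;
}

int main(void) {
    printf("demo bitmask: %d (15 = all checks passed)\n", demo());
    return demo() == 15 ? 0 : 1;
}
```

The wipe is done unconditionally and sized to the whole buffer rather than to `strlen`, so a password shorter than an earlier entry cannot leave the tail of the previous one behind. Whether a real program actually reaches this state is something a defender can check by the same method as `is_wiped`: inspect the process memory (for example a core dump of the display manager taken after a successful login) for the known test password.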