[ale] Passwords displaying on multi-user system?

Jim Kinney jim.kinney at gmail.com
Wed Dec 12 14:47:10 EST 2018


Ha! Nessie sighting indeed!

GDM doesn't directly handle login. It calls a library, draws a box, and the box content is owned by the library call. The login security is perhaps the only secure thing in X.

Yeah. Nessie was spotted. Say 'HI' for us all.  :-)

On December 12, 2018 9:16:28 AM EST, Todor Fassl <fassl.tod at gmail.com> wrote:
>Correction: This was on a machine using gdm as the display manager.
>
>Yeah, my take was that humans make patterns out of everything. He 
>said it flashed on the screen for half a second.
>
>Even to keep multiple user passwords in memory, much less to display 
>them, would be a huge security flaw. Why would any display manager do 
>that? The password has no use once the user has been authenticated. It 
>doesn't seem likely to me that a bug like this could even exist in gdm.
>
>I have already told my manager that I believe this is a Loch Ness 
>Monster sighting. But I thought I would see what you folks said.
>
>On 12/11/18 4:01 PM, Jim Kinney wrote:
>> I've seen screen flashes of text but it's always been random library 
>> code stuff and gdm errors. I've not used lightdm before. Bluntly, the 
>> system should never be storing passwords in plain text using any 
>> method. It's supposed to be flushed out or overwritten immediately 
>> when the user entry is converted to salted:sha256 format. But this is 
>> more of why X is notoriously insecure.
>> 
>> It could also be a random thing that a user "saw" their password in 
>> that half second and really perceived it as their password when it 
>> was really just crap. Humans make patterns out of everything.
>> 
>> If someone has a camera with slow motion ability, have multiple 
>> people log in then lock the screen and video the "sign in as another 
>> user" process in slow motion. If the others see their password in the 
>> video, notify Ubuntu and lightdm developers.
>> 
>> On Tue, 2018-12-11 at 15:02 -0600, Todor Fassl via Ale wrote:
>>> What do you all make of this report from an end user? The user is a 
>>> grad student who shares an office with several other students. Right 
>>> now, there are 5 of them logged in, they've all failed to log out when 
>>> they walked away from the machine.
>>>
>>>   > I was about to use the machine in my [shared] office just now, and 
>>>   > had to click "sign in as another user". In between that and the 
>>>   > list of usernames appearing, a black screen with white text on it 
>>>   > popped up for half a second tops. I noticed it showed my password 
>>>   > in plain text, and presumably some of the other text was other 
>>>   > people's passwords.
>>>
>>> The system is a fully updated ubuntu bionic system using lightdm for 
>>> the display manager.
>>>
>> -- 
>> 
>> James P. Kinney III
>> 
>> Every time you stop a school, you will have to build a jail. What you
>> gain at one end you lose at the other. It's like feeding a dog on his
>> own tail. It won't fatten the dog.
>> - Speech 11/23/1900 Mark Twain
>> 
>> http://heretothereideas.blogspot.com/
>> 
>
>-- 
>Todd

-- 
Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.
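Editor's added example, not code from any poster and not how gdm, lightdm or PAM are actually implemented: the thread's point is that a typed password should exist in plaintext only for the moment it takes to verify it, and must then be overwritten in memory rather than left around to be dumped, logged or flashed on a screen. The C below models just that lifetime with a hypothetical check_password_and_wipe() routine. The comparison against a plaintext "verifier" string is a stand-in for the real salted-hash check, which is deliberately not modelled; the credential strings are constructed sample data. The interesting part is secure_zero(): a plain memset() on a buffer that is about to die is a dead store the compiler may legally drop, so the wipe goes through a volatile pointer (glibc 2.25 and later offer explicit_bzero() for the same job).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Wipe a buffer in a way the optimizer cannot elide. A memset() right
 * before the buffer goes out of scope is a dead store and may be removed
 * under optimization; writing through a volatile pointer forces every
 * byte to actually be written.
 */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Constant-time equality so the check does not leak, via timing,
 * how many leading bytes matched. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

/*
 * Hypothetical login step (example only). 'entered' is the text typed
 * into the login box; 'verifier' stands in for whatever the real stack
 * compares against (a real system compares against a salted hash, not
 * modelled here). The plaintext is copied into the caller's 'scratch'
 * buffer, checked, and wiped before return, whether or not it matched.
 * Returns 1 on match, 0 on mismatch, -1 if the input does not fit.
 */
int check_password_and_wipe(const char *entered,
                            const char *verifier,
                            unsigned char *scratch, size_t scratch_len)
{
    size_t n = strlen(entered);
    if (n >= scratch_len)
        return -1;                       /* refuse rather than truncate */

    memcpy(scratch, entered, n + 1);     /* plaintext lifetime begins */

    int ok = (strlen(verifier) == n) &&
             ct_equal(scratch, (const unsigned char *)verifier, n);

    secure_zero(scratch, scratch_len);   /* plaintext lifetime ends here */
    return ok ? 1 : 0;
}

/* Returns 1 if every byte of buf is zero; used to confirm the wipe. */
int buffer_is_zeroed(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= buf[i];
    return acc == 0;
}

int main(void)
{
    unsigned char scratch[64];

    /* Constructed sample credentials, not taken from any real system. */
    int r = check_password_and_wipe("correct horse", "correct horse",
                                    scratch, sizeof scratch);
    printf("match=%d wiped=%d\n", r, buffer_is_zeroed(scratch, sizeof scratch));

    r = check_password_and_wipe("wrong guess", "correct horse",
                                scratch, sizeof scratch);
    printf("match=%d wiped=%d\n", r, buffer_is_zeroed(scratch, sizeof scratch));
    return 0;
}
```

Build it with optimization on (for example `cc -O2`) and the buffer still reads back as all zeros after both calls; replace secure_zero() with a bare memset() and inspect the object code to see whether the wipe survived. The same discipline applies to any copy the stack makes along the way: a display manager that kept the typed strings around long enough to render them, as the report in this thread describes, would be violating exactly this rule.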