[ale] Passwords displaying on multi-user system?

Todor Fassl fassl.tod at gmail.com
Fri Dec 14 09:19:52 EST 2018


Well, by way of highjacking my own thread, I have to tell you a story. I 
was taking a walk with my wife and our dog. We got about a half a block 
from home and I saw a flying saucer hovering over our house. Clear as 
could be. It was white with a greyish dome on the top. The thought 
flashed through my mind, "Oh man, all these years I've been making fun of 
the people who believed in little green men. I am going to look so 
stupid now. By the way, are we being invaded? Am I going to be lunch for 
some reptilian humanoid?"

I pointed up at the thing and said, "Look at that thing hovering over 
our house!" And my wife is like, "What? I don't see anything." I said, 
"What? How can you not see that! That ... thing over our house?! The 
flying saucer? You don't see that?"

So then I thought it had some kind of invisibility screen that didn't work 
on me for some reason. And then, at that moment, a slight change of 
perspective snapped me back to reality and I realized it was just a cloud.

It's a funny story but it has been a huge problem for me over the years. 
I cannot tell my wife anything unusual or surprising without her asking 
if I'm sure this is not just another flying saucer-cloud.

On 12/12/18 1:47 PM, Jim Kinney wrote:
> Ha! Nessie sighting indeed!
> 
> GDM doesn't directly handle login. It calls a library, draws a box, and 
> the box content is owned by the library call. The login security is 
> perhaps the only secure thing in X.
> 
> Yeah. Nessie was spotted. Say 'HI' for us all. :-)
> 
> On December 12, 2018 9:16:28 AM EST, Todor Fassl <fassl.tod at gmail.com> 
> wrote:
> 
>     Correction: This was on a machine using gdm as the display manager.
> 
>     Yeah, my take was that humans make patterns out of everything. He
>     said it flashed on the screen for half a second.
> 
>     Even to keep multiple user passwords in memory, much less to display
>     them, would be a huge security flaw. Why would any display manager do
>     that? The password has no use once the user has been authenticated. It
>     doesn't seem likely to me that a bug like this could even exist in gdm.
> 
>     I have already told my manager that I believe this is a Loch Ness
>     Monster sighting. But I thought I would see what you folks said.
> 
>     On 12/11/18 4:01 PM, Jim Kinney wrote:
> 
>         I've seen screen flashes of text but it's always been random
>         library code stuff and gdm errors. I've not used lightdm before.
>         Bluntly, the system should never be storing passwords in plain
>         text using any method. It's supposed to be flushed out or
>         overwritten immediately when the user entry is converted to
>         salted:sha256 format. But this is more of why X is notoriously
>         insecure.
> 
>         It could also be a random thing that a user "saw" their password
>         in that half second and really perceived it as their password
>         when it was really just crap. Humans make patterns out of
>         everything.
> 
>         If someone has a camera with slow motion ability, have multiple
>         people log in then lock the screen and video the "sign in as
>         another user" process in slow motion. If the others see their
>         password in the video, notify Ubuntu and lightdm developers.
> 
>         On Tue, 2018-12-11 at 15:02 -0600, Todor Fassl via Ale wrote:
> 
>             What do you all make of this report from an end user? The
>             user is a grad student who shares an office with several
>             other students. Right now, there are 5 of them logged in;
>             they've all failed to log out when they walked away from the
>             machine.
> 
>                 I was about to use the machine in my [shared] office
>                 just now, and had to click "sign in as another user".
>                 In between that and the list of usernames appearing, a
>                 black screen with white text on it popped up for half
>                 a second tops. I noticed it showed my password in plain
>                 text, and presumably some of the other text was other
>                 people's passwords.
> 
> 
>             The system is a fully updated Ubuntu bionic system using
>             lightdm for the display manager.
> 
>         -- 
> 
>         James P. Kinney III
> 
>         Every time you stop a school, you will have to build a jail.
>         What you gain at one end you lose at the other. It's like
>         feeding a dog on his own tail. It won't fatten the dog.
>         - Speech 11/23/1900 Mark Twain
> 
>         http://heretothereideas.blogspot.com/
> 
> 
> -- 
> Sent from my Android device with K-9 Mail. All tyopes are thumb related 
> and reflect authenticity.

-- 
Todd

