
Posted by akersten 14 hours ago

Ubuntu 26.04 Ends 46 Years of Silent sudo Passwords (pbxscience.com)
210 points | 238 comments
koolba 24 minutes ago|
Somebody tell Apple to fix the login screen for MacOS as well. If your password is longer than the incredibly narrow box, you do not get any additional feedback that your characters are being entered.

Combine that with a flaky keyboard (say from a single grain of dust where it shouldn’t be) and you get a very annoying login experience. Over and over…

written-beyond 12 hours ago||
The number of times I've been stuck wondering if my keystrokes are registering properly for a sudo prompt over a high latency ssh connection.

These servers I had an account set up on were, from what I observed, partially linked with the authentication mechanism used by the VPN and IAM services. Like they'd have this mandatory password reset process and sometimes sudo was set to that new password, other times it was whatever was the old one. Couple that with the high latency connection and password authentication was horrible. You would never know if you mistyped something, or the password itself was incorrect, or the password you pasted went through or got double pasted.

I think this is a great addition, but only if it leads to redhat adopting it which is what they were running on their VMs.

ornornor 2 hours ago||
Around 2004 someone gave me Linux CDs (I think it was mandrake?) that I tried to install. And I got stuck at the password input part of the setup, I thought it didn’t work and went back to windows. I didn’t start using Linux until 13 years later… I think I’d have switched much earlier if not for that weird UI decision.
tankenmate 1 hour ago||
This decision long predates Linux. It's been a staple back to the earliest days of Unix; and it isn't a weird decision if you take into consideration of multi user systems in office environments that have non trivial security considerations (for example telecoms companies), which is exactly where Unix came from.
wartywhoa23 35 minutes ago||
Well, if leaking the length of the password is such a big deal, why not just use a reasonably long password?

Moreover, if someone can see the number of asterisks on the screen, what prevents them from seeing the actual keys that are being pressed?

mbesto 2 hours ago|||
The number of times I realized halfway that I probably posted the wrong password and so I vigorously type the 'delete' key to reset the input is too damn high
hilliardfarmer 2 hours ago|||
Get out of my head, lol :)

But yeah, never thought this was a problem anyone else dealt with. My passwords are all a variant of my own "master password" and sometimes I forget which session I'm in, so trying to save keystrokes, I count backward to where I think the cursor should be.

larsbrinkhoff 2 hours ago||||
Just type Control-U once.
eptcyka 2 hours ago||
The Just in that sentence is wholly unjustified. There are plenty of cli/tui/console/shell shortcuts that are incredibly useful, yet they are wholly undiscoverable and do not work cross-platform, e.g. shell motions between macOS and reasonable OSes.
QuantumNomad_ 1 hour ago||
> shell motions between macOS and reasonable OSes

All the movement commands I know work the same in the terminal on a default install of macOS as they do in the terminal on various Linux distros I use.

Ctrl+A to go to beginning of line

Ctrl+E to go to end of line

Esc, B to jump cursor one word backwards

Esc, F to jump cursor one word forward

Ctrl+W to delete backwards until beginning of word

And so on

Both in current versions of macOS where zsh is the default shell, and in older versions of macOS where bash was the default shell.

Am I misunderstanding what you are referring to by shell motions?

eptcyka 26 minutes ago||
Yea, but ctrl + arrows to move cursor between ‘words’ don’t work, especially sad when SSH’ing in from linux. It works fine when using terminal on macOS - you just use command + arrows.
amarant 53 minutes ago|||
The number of times I've posted my sudo password in a random slack channel instead of my terminal is not very high, but too damn high nonetheless
augusto-moura 10 hours ago|||
Had problems with faulty keyboards in the past too; never being sure which keys I pressed, I had to type the password in a text file (much more insecure) and then paste it on the prompt. Of course this was never done in front of anyone; shoulder surfing was never an issue to begin with.
johnisgood 2 hours ago|||
You can tell if you input something or not, based on the blinking cursor, in which case it is not "frozen".
semanticc 2 hours ago||
Unless you disable cursor blinking because you find it annoying (like I do).
setopt 11 minutes ago||
Yeah, disabling cursor blinking is the first configuration I do in any terminal.
ghighi7878 9 hours ago|||
I agree that this move is good.

But you should not type sudo passwords on a remote machine. Instead set up your machine to have nopassword for a special admin account and enable pubkey only authentication.

Wowfunhappy 1 hour ago|||
Why is it better to have a nopassword admin account when using a machine remotely? The point of SSH is to resist mitm attacks, right? If someone could watch my keystrokes, I think I'd have bigger problems!
written-beyond 9 hours ago||||
Yeah but am I going to really open another ssh connection just to run an admin specific command. They also didn't provide an admin user, it was set up with all of the extra security configurations. You couldn't even `su`
ghighi7878 56 minutes ago||
I mean nopasswd option of sudo
wolvoleo 2 hours ago|||
With sudo you can also give people specific access to commands.

I personally use the pam ssh agent module for this, that way you can use agent forwarding with sudo.

ghighi7878 57 minutes ago||
I did mean nopasswd option of sudo.
znpy 9 hours ago||
You could have avoided the worry completely. Ssh goes over tcp that does transport control (literally the “tc” in “tcp”) and this includes retransmission in case of packet loss.

If you are on a high latency ssh connection and your password does not register, you most likely mistyped it.

written-beyond 7 hours ago||
I am aware of that but you forgot the other conditions. Keys sometimes don't register, I'm not sure why but I do experience missing keystrokes.

The passwords get updated irregularly with the org IAM so you aren't sure what the password even is. Pasting doesn't work reliably sometimes, if you're on windows you need to right click to paste in terminals, sometimes a shortcut works. Neither gives me any feedback as to what event was ever registered though.

vman81 6 hours ago||
Yea, add a VNC jump host and a flaky spice based terminal and there are a bunch of things that can make your input not register properly.
0xbadcafebee 2 hours ago||
They could have just made it an option to enable the new behavior. There was no need to change the default.

As for security: 'shoulder surfing' may not be as much of a concern, but watching a livestream or presentation of someone who uses sudo will now expose the password length over the internet (and it's recorded for posterity, so all the hackers can find it later!). They've just introduced a new vulnerability to the remote world.

post-it 1 hour ago||
Someone live streaming is well attuned to the dangers of exposing personal information on screen, and will hesitate before ever typing a password while streaming. They'll either disable this feature or open a root shell before beginning their stream.

Besides, I can just amplify their stream to hear their keypresses.

halapro 1 hour ago||
This is really a non-issue, all password fields behave this way, so it's not like this is a new computer behavior. This change only aligns sudo to literally everything else.
roger_ 1 hour ago|||
Why no need to make it the default? I’m all for rethinking legacy decisions.

It helps 99% of the user base and the security risk seems negligible.

pvillano 2 hours ago|||
An accessibility feature helps more people if it is on by default.
zarzavat 27 minutes ago|||
If your sudo password can be exposed by its length then you need a longer password. Hiding the length is just security theatre.

In your specific example livestreams usually have audio so the length is already public.

jandrese 1 hour ago|||
I feel like livestreaming is a good example of an unusual situation where one might consider changing defaults that are otherwise good for the majority of users.

Also, I think the vulnerability of knowing that someone's password is exactly 19 characters long is low enough to be worth the tradeoff. Especially since someone on a livestream can also figure that out by listening for the keypresses.

boca_honey 1 hour ago||
This is a very specific fear for a very niche sector of the userbase. sudo is the only case of a silent password I've encountered in my life and it's really uncomfortable.
b0ringdeveloper 5 hours ago||
Someone should make a joke version that replaces the ***s with comedic passwords or ridiculously bad ones: When you're typing your real password, "iloveyouiloveyou", "12345612345", or "hunter42hunter.." gets printed to the screen.
chuckadams 1 hour ago||
Do like Lotus Notes did and have it update a row of literal hieroglyphics on every keystroke.
the_real_cher 3 hours ago||
I would absolutely install this.
dtech 12 hours ago||
This is such a good decision. It's one of those things that's incredibly confusing initially, but you get so used to it over the years, I even forgot it was a quirk.

In the modern world there is no plausible scenario where this would compromise a password that wouldn't otherwise also be compromised with equivalent effort.

ahofmann 11 hours ago||
I also think it is a good decision. Nevertheless it breaks the workflow of at least one person. My father's Linux password is one character. I didn't know this when I supported him over screen sharing methods, because I couldn't see it. He told me, so now I know. But the silent prompt protected that fact. It is still a good decision; a one-character password is useless from a security standpoint.
airstrike 2 hours ago|||
If it breaks the workflow of one person but makes it better for many more, it's likely a worthwhile tradeoff.
wartywhoa23 27 minutes ago||||
How much would unknown password length protect against bruteforcing a 1 character password?
zx8080 11 hours ago||||
> It is still a good decision; a one-character password is useless from a security standpoint.

Only if length is known. Which is true now. So it opens the gates to try passwords of specific known length.

ludston 10 hours ago||
If you are brute forcing passwords, knowing the length only reduces the number of passwords to try by like 1 hundredth.
elcritch 10 hours ago|||
Drats, you're right. I thought it'd be worse, but the ratio seems to only depend on the number of letters in your character set: 1/count(letters in alphabet).

For ascii at 95 printable chars you get 0.9894736842. Makes intuitive sense as the "weight" of each digit increases, taking away a digit matters less to the total combos.

Maybe I'll start using one Japanese Kanji to confuse would be hackers! They could spend hours trying to brute force it while wondering why they can't crack my one letter password they saw in my terminal prompt. ;)

dhosek 2 hours ago|||
I’ve occasionally contemplated using some non-ASCII character like • or š in a password, but have backed off for fear of needing access from a device that doesn’t support input of those characters.
Obscurity4340 7 hours ago|||
It's funny how a single Japanese symbol would be harder to crack than the anglicized name for it
LoganDark 2 hours ago||
Do we know if the asterisks count Unicode code points rather than bytes?
Izkata 2 hours ago||
Doesn't really matter, the IME shows the input until you confirm which kanji you want.
LoganDark 1 hour ago||
When the IME inserts the character, it'll be made up of multiple bytes because of the nature of UTF-8, so it may appear as multiple asterisks regardless.
egeres 10 hours ago|||
It also give you the possibility of filtering out which ones are worth cracking and which ones not
elcritch 10 hours ago||
It could also give useful priors for targeted attacks, "Their password is 5 characters, and their daughters name is also 5 characters, let's try variations of that".
justsomehnguy 22 minutes ago||
Some system accessible to hackers who can see the length of the password /and/ having a single 5 char password has a security of a key under a doormat.
brnt 11 hours ago|||
I may or may not use a single char password on a certain machine. This char may or may not be a single space. It may or may not be used in FDE. It's surprising what (OS installers) this breaks.
MattPalmer1086 10 hours ago|||
I tend to agree, and I work in security.

In the early days we all shared computers. People would often stand behind you waiting to use it. It might even not have a screen, just a teletype, so there would be a hard copy of everything you entered. We probably didn't have account lockout controls either. Knowing the length of a password (which did not tend to be long) could be a critical bit of info to reduce a brute force attack.

Nowadays, not so much I think. And if you are paranoid about it, you can still set it back to the silent behaviour.

tester756 10 hours ago||
On the other hand streaming is way, way more common nowadays.
Freak_NL 11 hours ago||
Yes… We're in the same room as the target… Let's look at their screen and see how long their password is.

Or, we could just look at the keyboard as they type and gain a lot more information.

In an absolute sense not showing anything is safer. But it never really matters and just acts as a paper cut for all.

darkwater 10 hours ago|||
And just sticking to counting, a not exceptionally well-trained ear could already count how many letters you typed and if you pressed backspace (at least with the double-width backspace, sound is definitely different)
elcritch 10 hours ago||
Yeah I recall that there was an attack researchers demonstrated years back of using recordings of typing with an AI model to predict the typed text with some accuracy. Something to do with the timings of letter pairings, among other things.
vova_hn2 1 hour ago||
93% - 95% accuracy and it wasn't even a good quality recording

> When trained on keystrokes recorded by a nearby phone, the classifier achieved an accuracy of 95%, the highest accuracy seen without the use of a language model. When trained on keystrokes recorded using the video-conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium.

https://arxiv.org/abs/2308.01074

3eb7988a1663 1 hour ago||
Notably, I believe this has to be tuned to each specific environment. The acoustics of your keyboard are going to be different from mine. Which is not much of a barrier, given a long enough session where you can presumably record them typing non password-y things.
SapporoChris 10 hours ago|||
"Let's look at their screen and see how long their password is." This article is about silent sudo.

Have you ever watched a fast touch typist, someone that does over 100 words per minute? Someone who might be using a keyboard layout that you're not familiar with? When the full password is entered in less than a second it can be very difficult to discern what they typed unless you're actually recording with video.

But sure, if you're watching someone who types with one finger. Yes, I can see that.

Freak_NL 10 hours ago||
How is learning only the length of the password better than watching someone type it?

Besides, observe that several times and you might get close. Look at the stars several times and learn nothing beyond what you learned the first time.

This whole type of attack hinges on the user using weak passwords with predictable elements in any case.

JoshTriplett 1 hour ago||
I'm glad to see this change. This was already the case for GUI password prompts, and I'm happy to see terminals following suit.

This wasn't someone seeing Chesterton's fence and deciding to knock it down thoughtlessly. This is a change that someone can in fact think all the way through and say "yeah, this should be changed, it's an improvement and doesn't cause any meaningful reduction in security".

croes 58 minutes ago|
So giving others a way to know the length of your password isn’t a meaningful reduction of security?
CDSlice 14 minutes ago|||
If your password is long enough it doesn’t matter if they know it is say 16 characters and if it isn’t long enough it also doesn’t matter because they can just brute force all the potential lengths up to it. So yes it is just security theater.
christophilus 54 minutes ago||||
No, not really. If you have people watching you so closely, there’s a good chance they can watch your fingers on the keyboard, too. Maybe you’re sharing your screen for a presentation, this might be slightly ill advised, but then, you should run such things in a VM or container and use silly demo passwords.
croes 15 minutes ago||
People watching you through cameras through a window can more likely see your screen than your keyboard.

Or think of TEMPEST attacks

wolttam 34 minutes ago|||
Think of it this way: there’s a button to show your actual password in the majority of applications nowadays.

`sudo` and `login` are I think the only two tools I use that don’t provide any feedback.

Otherwise my entire life is behind a password database that lets me see my password in plaintext and otherwise shows the length of it as it’s typed. KeepassXC.

If knowing the length of your password makes it easy to crack you probably have other problems

croes 18 minutes ago||
Knowing the length definitely makes it easier, maybe not easy but easier.
Tepix 12 hours ago||
Why not just display a single character out of a changing set of characters such as / - \ | (starting with a random one from the set) after every character entered? That way you can be certain whether or not you entered a character, but an observer can't tell how many characters your password has.
drysart 11 hours ago||
There was a software package a couple decades ago, I want to say it was Lotus Notes but I'm pretty sure it wasn't actually Lotus Notes but something of that ilk, that would show a small, random number of asterisks corresponding to each character entered. So you'd hit one key and maybe two asterisks would show up on screen. And kept track of them so if you deleted a character, it'd remove two.

I thought that was kinda clever; it gives you feedback when your keystrokes are recognized, but it's just enough confusion to keep a shoulder surfer from easily being able to tell the length of your password unless you're hunt-and-pecking every single letter.

orthoxerox 10 hours ago|||
Yeah, I remember Lotus Notes both showing multiple filler characters per keystroke and showing different keychain pictures based on the hash of what you typed. This way you could also tell you've made a typo before submitting it.
extraduder_ire 1 hour ago||
If the hash changes after every character, doesn't that make it possible for someone to determine your password one character at a time if they know what each hash was?

I'm guessing that wasn't in the threat model at the time.

qnleigh 21 minutes ago||
Yeah this reduces the time required to crack a password from

(# available characters) ^ (password length)

to

(# available characters) * (password length).

If you were patient you could crack someone's passwords by hand.

CoastalCoder 11 hours ago||||
Back around 1996, Notes would show hieroglyphics that changed with each new password character.
ErroneousBosh 10 hours ago||||
Yup, it was Notes, I used it at IBM. It was an unbelievably stupid idea. Every single day people were asking why their password was wrong because they were confused by the line of stars being too long.
magicalhippo 10 hours ago|||
Notes did indeed do that, and as I recall it was three asterisk characters per password character.
jandrese 1 hour ago|||
Unless of course your adversary can count. But if they can count they can also just count the number of keystrokes they hear, especially if you're recording it and they can spend time post processing the audio.
gzread 12 hours ago|||
Because that's still weird and confusing to people and still serves no purpose.
creatonez 11 hours ago|||
Sorta reminds me of the i3lock screen locker. It shows an incredibly confusing circle UI where every keystroke randomizes the position of the sector on a circle, with no explanatory text on the screen (^1). To new users, it's not clear at all that you are entering your user password or even that it's a screen locker at all, because it just looks like a cryptic puzzle.

Of course, once you do understand that it's just a password prompt, it's great. Completely confuses the hell out of any shoulder surfers, who will for sure think it's a confusing puzzle, and eventually they will get rate limited.

^1: Example of it in use: https://www.youtube.com/watch?v=FvT44BSp3Uc

opan 6 hours ago||
Now that you mention i3lock, if sudo showed a symbol changing with each keystroke, it could show it's working (not frozen, accepting input) without revealing the length, similarly to i3lock. I've seen ASCII loading spinners from package managers that change between slashes and hyphens and such. Something of that sort would probably do the trick.
nananana9 12 hours ago|||
Purpose:

> That way you can be certain whether or not you entered a character

gzread 12 hours ago|||
And the shoulder surfer can still count the number of times it changes so you might as well just be normal.

They can also count the number of keystrokes they heard.

Tepix 11 hours ago|||
The echoed stars should disappear when you press enter, that way you are not revealing this information when you share a screen capture.
oneeyedpigeon 11 hours ago||||
Surely looking at your screen seconds/minutes/hours later is the greater risk vector?
ErroneousBosh 10 hours ago|||
ATM keypads are very carefully designed so that all the buttons sound exactly the same, so you can't lift a PIN by recording the sound.

I've seen this demonstrated, using "Cherry" type keyswitches, with about a 75% success rate.

I also knew an old guy who could tell what an ASR33 or Creed teleprinter was printing just by the sound, with "good enough" accuracy, and copy RTTY by ear with "good enough" accuracy.

He didn't really talk about his time in the Royal Signals in the 50s and 60s very much.

blackhaz 11 hours ago|||
It's surprising to see an OS, dominant as a server platform, now optimizing catering to people who are unsure whether they've pressed a button on their keyboard. What's next, replacing asterisks with a progress bar?
johnisgood 1 hour ago|||
You are down-voted, but if we consider this to be the reason, it is indeed sad.

You can no longer filter out power users of computers based on their choice of OS alone. :D

rabf 11 hours ago|||
Password recovery where you enter your mothers maiden name and favourite food.
g947o 10 hours ago|||
For a new Ubuntu user, that is probably more confusing than not echoing at all.

"That way you can be certain..." absolutely not.

ErroneousBosh 10 hours ago|||
Oh you mean like every time you type a password, it steps a spinner round? That solves the problem that IBM used to use for Notes where it showed "the wrong number of stars" which confused the hell out of users.
jadamson 12 hours ago||
I don't understand your suggestion. If you're still showing one character after each character entered, what's changed?

What's the benefit of having a random character from a random set, instead of just a random character?

oneeyedpigeon 11 hours ago|||
I think the idea is that each character overwrites the previous, so you're never showing the total length (apart from 0/1!)
jadamson 11 hours ago||
Ah, and the characters are supposed to be an ASCII spinner.

I think if I was new to Linux that would confuse the life out of me :)

NiloCK 11 hours ago||||
There's no persistent reveal of password length after you're finished typing. It reduces the length-reveal leak from anyone who eventually sees the terminal log to people who are actively over-the-shoulder as you type it.
ordu 9 hours ago||
If you can see 1 char from a set of 4 you know the number of characters modulo 4. If the minimum length of a password is 6, and probably it is no longer than 12 characters, then you can narrow the length to 1 or 2 numbers. It is marginally better than asterisks of course, but it is still confusing.
NiloCK 4 hours ago||
The original suggestion included randomizing the first character of the set, which removes this attack.
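The spinner scheme proposed in this subthread (one glyph from `/ - \ |` that advances on every keystroke, with a random starting glyph), modelled in Python as an added example; this is not code from any commenter, from Ubuntu, or from sudo itself. The pure functions reproduce the "length mod 4" leak when the spinner always starts at the same glyph and show that a random start per prompt removes it, which is the point made above; the interactive `prompt()` at the end is an assumed POSIX-terminal implementation of the same idea and clears the glyph on Enter so nothing persists in a screen capture.

```python
"""Spinner-style password feedback: a single glyph that changes on every keystroke.

Pure functions model what the prompt displays; prompt() applies the same logic on a
POSIX terminal. All sample keystroke sequences below are constructed for illustration.
"""
import random
import sys
from collections import Counter

SPINNER = "/-\\|"   # the four glyphs from the thread; only one is ever on screen


def render(typed_len: int, start: int) -> str:
    """Glyph shown after `typed_len` characters if the spinner began at SPINNER[start].

    An empty buffer shows nothing, so the user still sees when no character registered.
    """
    if typed_len == 0:
        return ""
    return SPINNER[(start + typed_len) % len(SPINNER)]


def feedback_sequence(keystrokes, start: int = 0):
    """Model the screen after each keystroke; '\\b' is a backspace that drops a character.

    Returns (entered_text, list_of_frames). Backspace moves the spinner back one step,
    so the glyph only ever depends on how many characters are currently in the buffer.
    """
    buf, frames = [], []
    for key in keystrokes:
        if key == "\b":
            if buf:
                buf.pop()
        else:
            buf.append(key)
        frames.append(render(len(buf), start))
    return "".join(buf), frames


def final_glyph_distribution(length: int, trials: int,
                             randomize_start: bool, seed: int = 0) -> Counter:
    """What an observer who only sees the final frame learns about `length`.

    Fixed start: the final glyph is a function of length mod 4 (the leak discussed above).
    Random start per prompt: the glyph is uniform over SPINNER and carries no length info.
    """
    rng = random.Random(seed)          # seeded so the simulation is reproducible
    counts = Counter()
    for _ in range(trials):
        start = rng.randrange(len(SPINNER)) if randomize_start else 0
        counts[render(length, start)] += 1
    return counts


def prompt(msg: str = "Password: ") -> str:
    """Interactive prompt using the spinner scheme (assumed POSIX tty; random start)."""
    import termios
    import tty
    fd = sys.stdin.fileno()
    old = termios.tcgetattr(fd)
    start = random.SystemRandom().randrange(len(SPINNER))   # fresh start every prompt
    buf = []
    sys.stdout.write(msg)
    sys.stdout.flush()
    try:
        tty.setraw(fd)
        while True:
            ch = sys.stdin.read(1)
            if ch in ("\r", "\n"):
                break
            if ch in ("\x7f", "\b"):
                if buf:
                    buf.pop()
            elif ch == "\x03":           # Ctrl-C
                raise KeyboardInterrupt
            else:
                buf.append(ch)
            # Overwrite the single feedback cell in place (trailing space erases an old glyph).
            sys.stdout.write("\r" + msg + render(len(buf), start) + " \b")
            sys.stdout.flush()
    finally:
        termios.tcsetattr(fd, termios.TCSADRAIN, old)
        sys.stdout.write("\r" + msg + " \n")   # wipe the glyph so no trace is left on screen
        sys.stdout.flush()
    return "".join(buf)


if __name__ == "__main__":
    entered = prompt()
    print(f"read {len(entered)} characters")
```

`final_glyph_distribution(7, n, False)` always yields the same glyph, and so does length 11 (same residue mod 4), which is exactly what an observer would exploit; with `randomize_start=True` all four glyphs appear with roughly equal frequency for any length. The scheme still leaks the keystroke count to someone watching the glyph change in real time, as others in the thread note; it only removes the leak from the final frame.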
DrawTR 11 hours ago|||
They mean to have a static single character on the screen and have it change with every keypress. For example, you type "a" and it shows /. You type "b" and it shows "|", etc.
mzajc 47 minutes ago||
A few years ago, [0] made the following point in regards to password input feedback:

> For a time, there was rich pickings in applications that accepted passwords in unbuffered mode. Many of them doing it so that they could echo "*" symbols, character by character, as the user typed. That simple feature looks cool, and does give the user feedback ... but would leak the keystroke rate, which is the last thing you want on password entry.

This was in response to keystroke timing defense on SSH. Does this feature still come with the risk of leaking keystroke timing to an attacker with recent OpenSSH/Dropbear versions? If so, it might be wise to keep it disabled on servers.

[0]: https://news.ycombinator.com/item?id=37309122

dhsbdisnd 6 minutes ago||
Seems like a decision made by and for a generation that has no regard and no understanding for UNIX.
throwatdem12311 19 minutes ago|
I switched back to GNU coreutils and “regular” sudo, so I’m assuming this won’t affect me when I upgrade?