Bug 32794 - xdm gives away password length
Summary: xdm gives away password length
Alias: None
Product: xorg
Classification: Unclassified
Component: App/xdm
Version: unspecified
Hardware: All All
Importance: medium normal
Assignee: Alan Coopersmith
QA Contact: Xorg Project Team
Reported: 2011-01-03 06:17 UTC by Ferenc Wágner
Modified: 2011-03-04 03:56 UTC


Description Ferenc Wágner 2011-01-03 06:17:40 UTC
http://cgit.freedesktop.org/xorg/app/xdm/commit/?id=8463017f7de43fe0a8ec144faca6bbf43168ebf9 introduced a change which does give away the password length -- even if not as blatantly as usual. Still, it's a step backwards. Please, get rid of it or make it configurable at least. The related Debian bug is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=575486. Thanks.
Comment 1 Alan Coopersmith 2011-01-03 07:28:30 UTC
Really, someone close enough to count the number of pixels can count the
number of times they heard your fingers press a key down - I can't get
excited about this as a huge information leak.   That said, I've been 
thinking about getting rid of this code anyway now that we have password
asterisks for feedback, so it may go away or become configurable at some
Comment 2 Ferenc Wágner 2011-01-04 03:40:35 UTC
I mostly agree, but still wanted to relay the request. Your plan sounds perfectly good, thanks!
Comment 3 Alan Coopersmith 2011-02-19 22:42:06 UTC
Will be fixed by this pair of patches submitted to xorg-devel for review:

Those who want a moving cursor after these patches can simply set:
xlogin*echoPasswd: true

in their Xresources to have a space for the echoed character.
Comment 4 Alan Coopersmith 2011-03-03 19:28:28 UTC
Revised fix pushed to git master:

Now default is no response, previous behavior can be restored by:
xlogin*echoPasswd: true

(i.e. a blank echo character)
Comment 5 Ferenc Wágner 2011-03-04 03:56:07 UTC
Thanks for this feature!
