[Breeze] [Bug 374074] New: Lock Screen: "Show Password" - lockscreen vulnerable to social engineering

Elias Probst bugzilla_noreply at kde.org
Fri Dec 23 10:39:21 UTC 2016


https://bugs.kde.org/show_bug.cgi?id=374074

            Bug ID: 374074
           Summary: Lock Screen: "Show Password" - lockscreen vulnerable
                    to social engineering
           Product: Breeze
           Version: unspecified
          Platform: Gentoo Packages
                OS: Linux
            Status: UNCONFIRMED
          Severity: major
          Priority: NOR
         Component: general
          Assignee: plasma-devel at kde.org
          Reporter: mail at eliasprobst.eu
  Target Milestone: ---

The recently introduced feature to show the entered password on the lockscreen
makes it vulnerable to social engineering and endangers the whole security of
the current user.

If someone enters his (partial) password but for some reason doesn't
immediately push <RETURN> before leaving his workplace unattended, anyone
else walking by could reveal the user's (partial) password.
This is basically leaving the password in plain text on a post-it on the desk.

The password field should be cleared:

- after X seconds of inactivity
- when switching to another VT
- when suspending/resuming

Besides that, it might make sense to introduce a (Kiosk-controllable) option to
disable the "Show password" functionality in the lockscreen.
