[Breeze] [Bug 374074] New: Lock Screen: "Show Password" - lockscreen vulnerable to social engineering
Elias Probst
bugzilla_noreply at kde.org
Fri Dec 23 10:39:21 UTC 2016
https://bugs.kde.org/show_bug.cgi?id=374074
Bug ID: 374074
Summary: Lock Screen: "Show Password" - lockscreen vulnerable to social engineering
Product: Breeze
Version: unspecified
Platform: Gentoo Packages
OS: Linux
Status: UNCONFIRMED
Severity: major
Priority: NOR
Component: general
Assignee: plasma-devel at kde.org
Reporter: mail at eliasprobst.eu
Target Milestone: ---
The recently introduced feature to show the entered password on the lockscreen
makes it vulnerable to social engineering and endangers the whole security of
the current user.
If someone enters his (partial) password but for some reason doesn't
immediately push <RETURN> before leaving his workplace unattended, anyone
else walking by could reveal the user's (partial) password.
This is basically leaving the password in plain text on a post-it on the desk.
The password field should be cleared:
- after X seconds of inactivity
- when switching to another VT
- when suspending/resuming
Besides that, it might make sense to introduce a (Kiosk-controllable) option to
disable the "Show password" functionality in the lockscreen.
--
You are receiving this mail because:
You are the assignee for the bug.
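
The mitigation requested in the report (clear the field after X seconds of inactivity, plus an option to disable "Show password"), sketched as an added QML example that is not part of the original message and is not the Breeze lock screen's code. The names clearAfterSeconds, allowShowPassword and clearPassword() are hypothetical; the surrounding greeter is assumed to call clearPassword() from its own VT-switch and suspend/resume handling, which is not shown.

```qml
// Added illustration, not Breeze code: a password field that wipes itself.
import QtQuick 2.15
import QtQuick.Controls 2.15

Column {
    id: root
    spacing: 8

    // Hypothetical setting: the "X seconds of inactivity" from the report.
    property int clearAfterSeconds: 30
    // Hypothetical switch standing in for the proposed Kiosk-controllable option.
    property bool allowShowPassword: true

    // Wipe the typed text and return to masked echo.
    // Assumption: the host also calls this on VT switch and on suspend/resume.
    function clearPassword() {
        passwordField.clear()
        showPassword.checked = false
    }

    TextField {
        id: passwordField
        // Plain-text echo only while the box is ticked AND the option is allowed.
        echoMode: (showPassword.checked && root.allowShowPassword)
                  ? TextInput.Normal : TextInput.Password
        // Every edit restarts the countdown; an empty field needs no timer.
        onTextChanged: {
            if (text.length > 0) {
                idleTimer.restart()
            } else {
                idleTimer.stop()
            }
        }
        onAccepted: idleTimer.stop()   // submitted; the caller takes over from here
    }

    CheckBox {
        id: showPassword
        text: "Show password"
        visible: root.allowShowPassword
    }

    Timer {
        id: idleTimer
        interval: root.clearAfterSeconds * 1000
        repeat: false
        onTriggered: root.clearPassword()
    }
}
```

Resetting the checkbox together with the text matters: otherwise the next characters typed after a timeout would again be echoed in plain text.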