Installer displays encrypted partition password entry in cleartext

  • Done
  • quality assurance status badge
Details
5 participants
  • Danny Milosavljevic
  • Julien Lepiller
  • Ludovic Courtès
  • Mathieu Othacehe
  • pelzflorian (Florian Pelz)
Owner
unassigned
Submitted by
pelzflorian (Florian Pelz)
Severity
normal
P
P
pelzflorian (Florian Pelz) wrote on 3 May 2019 10:54
(address . bug-guix@gnu.org)
20190503085437.opsw5whdkzmwrbrm@pelzflorian.localdomain
When creating an encrypted partition in Manual partitioning (maybe
also Guided?) in the Newt installer, it asks for a password with which
to encrypt the partition. However only the password confirmation
password entry diplays ******* instead of the typed password, the
password entry before displays the password in cleartext.
D
D
Danny Milosavljevic wrote on 3 May 2019 11:30
(name . pelzflorian (Florian Pelz))(address . pelzflorian@pelzflorian.de)(address . 35540@debbugs.gnu.org)
20190503113018.5be80808@scratchpost.org
Hi,

On Fri, 3 May 2019 10:54:37 +0200
"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> wrote:

Toggle quote (6 lines)
> When creating an encrypted partition in Manual partitioning (maybe
> also Guided?) in the Newt installer, it asks for a password with which
> to encrypt the partition. However only the password confirmation
> password entry diplays ******* instead of the typed password, the
> password entry before displays the password in cleartext.

Yes. What about it is a bug? It would be very bad if you had a typo
in the partition encryption password, so it's good that it's visible.

If you want, we can make the password visible in both boxes.
But we shouldn't make it invisible in both boxes.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEds7GsXJ0tGXALbPZ5xo1VCwwuqUFAlzMCioACgkQ5xo1VCww
uqWL2AgAj9aAEKsH03pKBAjguHsdDpHQOffrqzC6S2uBwVNtZ+SIZh4lBvWS7zfX
A9W68nZzMeSZiYmH/sYk6iq68MaZNBydAWFspX1qpzsyCs0ENiTa2WVpbLEqV7kr
kb1V1XV3iotOvfhO/mv+soQ3sxFtLlP0Ewc5B5TkEoCDV2UubKihRbvEeqGKD3+4
1GRc0dONYrQKW1ZvoV7INz/ZvQhd9eKw1ulljcVxDUknAunUbOnxq9b9lQPDUj5k
CNC2rLvBcVqK6JaKEFmsTp2hnWdkT6CQD7pmHMFkVkrw4/R/4rXnbOFWAg3UzfX9
U0qv8S6W1IT32bbbNh34o3vzP1y9eg==
=WUYM
-----END PGP SIGNATURE-----


J
J
Julien Lepiller wrote on 3 May 2019 11:50
(name . Danny Milosavljevic)(address . dannym@scratchpost.org)
20190503115024.20787d13@sybil.lepiller.eu
Le Fri, 3 May 2019 11:30:18 +0200,
Danny Milosavljevic <dannym@scratchpost.org> a écrit :

Toggle quote (18 lines)
> Hi,
>
> On Fri, 3 May 2019 10:54:37 +0200
> "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> wrote:
>
> > When creating an encrypted partition in Manual partitioning (maybe
> > also Guided?) in the Newt installer, it asks for a password with
> > which to encrypt the partition. However only the password
> > confirmation password entry diplays ******* instead of the typed
> > password, the password entry before displays the password in
> > cleartext.
>
> Yes. What about it is a bug? It would be very bad if you had a typo
> in the partition encryption password, so it's good that it's visible.
>
> If you want, we can make the password visible in both boxes.
> But we shouldn't make it invisible in both boxes.

The role of the confirmation is to make sure you didn't make a typo
somewhere. If it's visible from the start, you know you didn't make a
typo, so the confirmation is useless, no?

On android when you enter a wifi password for instance, it's invisible
when you type it (replace by *) by there is a small button on the side
of the text entry to allow you to see it in plaintext to check that you
didn't make a mistake. Could we implement that instead? There won't be
a need for a confirmation either in that case.
L
L
Ludovic Courtès wrote on 3 May 2019 12:07
(name . pelzflorian (Florian Pelz))(address . pelzflorian@pelzflorian.de)(address . 35540@debbugs.gnu.org)
87muk3etqi.fsf@gnu.org
Hi,

"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:

Toggle quote (6 lines)
> When creating an encrypted partition in Manual partitioning (maybe
> also Guided?) in the Newt installer, it asks for a password with which
> to encrypt the partition. However only the password confirmation
> password entry diplays ******* instead of the typed password, the
> password entry before displays the password in cleartext.

This is done on purpose as I wrote in commit
453c976501bb4d5c4c6b832b7c0c1ec3d493b80f:

;; Note: Don't use FLAG-PASSWORD here because this is the
;; first bit of text that the user types in, so it's
;; probably safer if they can see that the keyboard layout
;; they chose is in effect.

I’m not entirely sure this is the right thing to do, but I thought that
as a user I’d want to make sure I really typed what I thought I typed.

WDYT?

Ludo’.
L
L
Ludovic Courtès wrote on 3 May 2019 15:50
(name . Julien Lepiller)(address . julien@lepiller.eu)
87tvebbq9v.fsf@gnu.org
Julien Lepiller <julien@lepiller.eu> skribis:

Toggle quote (24 lines)
> Le Fri, 3 May 2019 11:30:18 +0200,
> Danny Milosavljevic <dannym@scratchpost.org> a écrit :
>
>> Hi,
>>
>> On Fri, 3 May 2019 10:54:37 +0200
>> "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> wrote:
>>
>> > When creating an encrypted partition in Manual partitioning (maybe
>> > also Guided?) in the Newt installer, it asks for a password with
>> > which to encrypt the partition. However only the password
>> > confirmation password entry diplays ******* instead of the typed
>> > password, the password entry before displays the password in
>> > cleartext.
>>
>> Yes. What about it is a bug? It would be very bad if you had a typo
>> in the partition encryption password, so it's good that it's visible.
>>
>> If you want, we can make the password visible in both boxes.
>> But we shouldn't make it invisible in both boxes.
>
> The role of the confirmation is to make sure you didn't make a typo
> somewhere.

But that’s a different thing. Suppose you type a passphrase assuming
you have a Dvorak keyboard but it’s actually QWERTY. You’ll get the
confirmation right.

Then when you boot, if for some reason you get the wrong keyboard
layout, you’re screwed.

That’s why I think that seeing what you actually type is useful.

Other options include:

1. Hiding the passphrase, but display right above it something like:

Keyboard layout: <layout name>

2. Adding a checkbox to toggle password visibility.

#1 is probably not great because it doesn’t help if you don’t know
precisely the layout.

#2 would be nice; not sure how to do it, though.

Ludo’.
P
P
pelzflorian (Florian Pelz) wrote on 4 May 2019 23:06
(name . Ludovic Courtès)(address . ludo@gnu.org)
20190504210632.i3tyhzisfw6anpyb@pelzflorian.localdomain
On Fri, May 03, 2019 at 03:50:52PM +0200, Ludovic Courtès wrote:
Toggle quote (3 lines)
> That’s why I think that seeing what you actually type is useful.
>

Seeing the password is useful, unless someone is shoulder surfing
while you install, which is possible.


Toggle quote (16 lines)
> Other options include:
>
> 1. Hiding the passphrase, but display right above it something like:
>
> Keyboard layout: <layout name>
>
> 2. Adding a checkbox to toggle password visibility.
>
> #1 is probably not great because it doesn’t help if you don’t know
> precisely the layout.
>
> #2 would be nice; not sure how to do it, though.
>
> Ludo’.
>

#2 would please everybody, but I do not know what widgets Newt
provides for this. Mathieu, would you know if changing the
visibility with e.g. a checkbox is doable?

Regards,
Florian
M
M
Mathieu Othacehe wrote on 5 May 2019 13:04
(name . pelzflorian (Florian Pelz))(address . pelzflorian@pelzflorian.de)
877eb5duxo.fsf@gmail.com
Hello,

Toggle quote (4 lines)
> #2 would please everybody, but I do not know what widgets Newt
> provides for this. Mathieu, would you know if changing the
> visibility with e.g. a checkbox is doable?

You'll find a patch attached that adds a checkbox to toggle password
hiding. Every password input now has such a checkbox, WDYT?

Thanks,

Mathieu
Attachment: 0001-installer-Add-password-hide-checkbox.patch
P
P
pelzflorian (Florian Pelz) wrote on 5 May 2019 16:36
(name . Mathieu Othacehe)(address . m.othacehe@gmail.com)
20190505143657.sc7lu67zbn6hu3bx@pelzflorian.localdomain
On Sun, May 05, 2019 at 01:04:03PM +0200, Mathieu Othacehe wrote:
Toggle quote (15 lines)
>
> Hello,
>
> > #2 would please everybody, but I do not know what widgets Newt
> > provides for this. Mathieu, would you know if changing the
> > visibility with e.g. a checkbox is doable?
>
> You'll find a patch attached that adds a checkbox to toggle password
> hiding. Every password input now has such a checkbox, WDYT?
>
> Thanks,
>
> Mathieu


This looks great and appears to work fine (I did not finish the
installation due to the wpa-supplicant bug). “Hide” of course has no
translations yet.

Regards,
Florian
L
L
Ludovic Courtès wrote on 6 May 2019 12:02
(name . Mathieu Othacehe)(address . m.othacehe@gmail.com)
87sgtrkijb.fsf@gnu.org
Hello,

Mathieu Othacehe <m.othacehe@gmail.com> skribis:

Toggle quote (7 lines)
>> #2 would please everybody, but I do not know what widgets Newt
>> provides for this. Mathieu, would you know if changing the
>> visibility with e.g. a checkbox is doable?
>
> You'll find a patch attached that adds a checkbox to toggle password
> hiding. Every password input now has such a checkbox, WDYT?

It looks great!

I would perhaps add that checkbox only for the passphrase, in part
because when I test an install I prefer to have fewer keystrokes :-),
but also because this might clutter dialog boxes and cause troubles:
what if the translation of “Hide” is takes up more space? is it still
going to fit?

WDYT?

Thank you!

Ludo’.
M
M
Mathieu Othacehe wrote on 6 May 2019 14:15
(name . Ludovic Courtès)(address . ludo@gnu.org)
874l67kcdx.fsf@gmail.com
Hey Ludo,

Toggle quote (3 lines)
> I would perhaps add that checkbox only for the passphrase, in part
> because when I test an install I prefer to have fewer keystrokes :-),

The parameter is disabled by default and enabled only for disk
encryption and root/user passwords so I'm not sure I get what you mean.

Toggle quote (4 lines)
> but also because this might clutter dialog boxes and cause troubles:
> what if the translation of “Hide” is takes up more space? is it still
> going to fit?

Hard to say :p, the checkbox is added to widget grids which should adapt
to terminal size. So unless the translation is really long and the
screen really small, I hope it fits!

Mathieu
L
L
Ludovic Courtès wrote on 6 May 2019 15:41
(name . Mathieu Othacehe)(address . m.othacehe@gmail.com)
87tve7hf9l.fsf@gnu.org
Mathieu Othacehe <m.othacehe@gmail.com> skribis:

Toggle quote (6 lines)
>> I would perhaps add that checkbox only for the passphrase, in part
>> because when I test an install I prefer to have fewer keystrokes :-),
>
> The parameter is disabled by default and enabled only for disk
> encryption and root/user passwords so I'm not sure I get what you mean.

I mean that when I do a test install, I essentially hit RET RET RET RET,
and sometimes TAB ludo foo, and this change adds an additional TAB into
the mix; but nevermind, my muscle memory will get used to it. :-)

Toggle quote (8 lines)
>> but also because this might clutter dialog boxes and cause troubles:
>> what if the translation of “Hide” is takes up more space? is it still
>> going to fit?
>
> Hard to say :p, the checkbox is added to widget grids which should adapt
> to terminal size. So unless the translation is really long and the
> screen really small, I hope it fits!

Isn’t the grid constrained by the side of the outer box? Perhaps we
should enlarge that outer box a bit?

Anyway, I think you can push, it’s already a great improvement IMO.

Thanks,
Ludo’.
P
P
pelzflorian (Florian Pelz) wrote on 6 May 2019 20:14
(name . Ludovic Courtès)(address . ludo@gnu.org)
20190506181446.qsakunri5ewvanph@pelzflorian.localdomain
Sorry for being late to the feedback party.

On Mon, May 06, 2019 at 12:02:16PM +0200, Ludovic Courtès wrote:
Toggle quote (2 lines)
> I would perhaps add that checkbox only for the passphrase, in part

I disagree, people would expect it (and file bugs) for other passwords
for the same reasons (other people watching while you install Guix
vs. wanting to visually confirm you have not mistyped etc.)


Toggle quote (6 lines)
> because when I test an install I prefer to have fewer keystrokes :-),
> but also because this might clutter dialog boxes and cause troubles:
> what if the translation of “Hide” is takes up more space? is it still
> going to fit?
>

German “Verbergen” is somewhat longer than “Hide”; I tried translating
it locally and it still fits perfectly on my low res AMD GPU screen.

When creating a user account, the translation for Home Directory
(“Persönliches Verzeichnis”) gets cut off to “Persönliches Verzeic”,
but I believe this is not important.

Regards,
Florian
P
P
pelzflorian (Florian Pelz) wrote on 6 May 2019 21:29
(name . Ludovic Courtès)(address . ludo@gnu.org)
20190506192935.agzovjt2uwktoqys@pelzflorian.localdomain
On Mon, May 06, 2019 at 08:14:46PM +0200, pelzflorian (Florian Pelz) wrote:
Toggle quote (5 lines)
> When creating a user account, the translation for Home Directory
> (“Persönliches Verzeichnis”) gets cut off to “Persönliches Verzeic”,
> but I believe this is not important.
>

This cut-off happens even on higher resolution screens. Hmm well it
would be nicer if the space for the Home Directory were 4 letters
wider, but it is not all that important.

Regards,
Florian
L
L
Ludovic Courtès wrote on 6 May 2019 21:43
(name . pelzflorian (Florian Pelz))(address . pelzflorian@pelzflorian.de)
87zhnzfjwk.fsf@gnu.org
"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:

Toggle quote (10 lines)
> On Mon, May 06, 2019 at 08:14:46PM +0200, pelzflorian (Florian Pelz) wrote:
>> When creating a user account, the translation for Home Directory
>> (“Persönliches Verzeichnis”) gets cut off to “Persönliches Verzeic”,
>> but I believe this is not important.
>>
>
> This cut-off happens even on higher resolution screens. Hmm well it
> would be nicer if the space for the Home Directory were 4 letters
> wider, but it is not all that important.

I agree. I’ll commit the patch below, which works fine for German (at
least before the “Hide” checkbox patch).

Thanks,
Ludo’.
Toggle diff (22 lines)
diff --git a/gnu/installer/newt/user.scm b/gnu/installer/newt/user.scm
index deab056e0c..ac07d26c8b 100644
--- a/gnu/installer/newt/user.scm
+++ b/gnu/installer/newt/user.scm
@@ -34,7 +34,7 @@
"Run a form to enter the user name, home directory, and password. Use NAME,
REAL-NAME, and HOME-DIRECTORY as the initial values in the form."
(define (pad-label label)
- (string-pad-right label 20))
+ (string-pad-right label 25))
(let* ((label-name
(make-label -1 -1 (pad-label (G_ "Name"))))
@@ -44,7 +44,7 @@ REAL-NAME, and HOME-DIRECTORY as the initial values in the form."
(make-label -1 -1 (pad-label (G_ "Home directory"))))
(label-password
(make-label -1 -1 (pad-label (G_ "Password"))))
- (entry-width 30)
+ (entry-width 35)
(entry-name (make-entry -1 -1 entry-width
#:initial-value name))
(entry-real-name (make-entry -1 -1 entry-width
L
L
Ludovic Courtès wrote on 6 May 2019 21:45
(name . pelzflorian (Florian Pelz))(address . pelzflorian@pelzflorian.de)
87v9ynfjuf.fsf@gnu.org
"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:

Toggle quote (7 lines)
> On Mon, May 06, 2019 at 12:02:16PM +0200, Ludovic Courtès wrote:
>> I would perhaps add that checkbox only for the passphrase, in part
>
> I disagree, people would expect it (and file bugs) for other passwords
> for the same reasons (other people watching while you install Guix
> vs. wanting to visually confirm you have not mistyped etc.)

Yeah OK, that makes sense to me.

Toggle quote (9 lines)
>> because when I test an install I prefer to have fewer keystrokes :-),
>> but also because this might clutter dialog boxes and cause troubles:
>> what if the translation of “Hide” is takes up more space? is it still
>> going to fit?
>>
>
> German “Verbergen” is somewhat longer than “Hide”; I tried translating
> it locally and it still fits perfectly on my low res AMD GPU screen.

Perfect.

So I guess you can go ahead and push, Mathieu!

Thank you,
Ludo’.
M
M
Mathieu Othacehe wrote on 7 May 2019 09:27
8736lqk9m8.fsf@gmail.com
Hey,

Toggle quote (2 lines)
> So I guess you can go ahead and push, Mathieu!

Pushed as 445bd4d5e5, thanks to both of you for reviewing it :)

Mathieu
P
P
pelzflorian (Florian Pelz) wrote on 7 May 2019 10:13
(name . Ludovic Courtès)(address . ludo@gnu.org)
20190507081340.qa25xrc7pngxsxkt@pelzflorian.localdomain
On Mon, May 06, 2019 at 09:43:55PM +0200, Ludovic Courtès wrote:
Toggle quote (8 lines)
>> I agree. I’ll commit the patch below, which works fine for German (at
> least before the “Hide” checkbox patch).
>
> Thanks,
> Ludo’.
>


Fits perfectly. Thank you all of you!

Regards,
Florian
L
L
Ludovic Courtès wrote on 8 May 2019 21:21
control message for bug #35540
(address . control@debbugs.gnu.org)
87woj0vjkm.fsf@gnu.org
tags 35540 fixed
close 35540
?