https://bugs.kde.org/show_bug.cgi?id=387418
Bug ID: 387418
Summary: Password field allows recovery and unmasking of deleted password attempt
Product: kscreenlocker
Version: 5.10.3
Platform: Debian testing
OS: Linux
Status: UNCONFIRMED
Severity: major
Priority: NOR
Component: general
Assignee: plasma-b...@kde.org
Reporter: ge...@derpymail.org
CC: bhus...@gmail.com, mgraess...@kde.org
Target Milestone: ---

I am using:
KDE Plasma Version 5.10.5
KDE Frameworks Version 5.37.0
Qt Version: 5.9.1

When the screen is locked and unsuccessful attempts are made at unlocking with a password, the masking dots can be unmasked to the clear attempt text by clicking the eye button in the right corner of the password field.

If the user then deletes the password attempt (and leaves their computer), an attacker is able to restore the deleted password attempt by pressing Ctrl+Z when the focus is on the password field. The restored dots can then be unmasked by pressing the eye button again.

The field history is not conserved (and can't be reversed) when the system is successfully unlocked and re-locked. However, I sometimes find myself distracted and leaving my workplace when unsuccessful in entering my password. An attacker could recover this attempt that will be almost the correct system password, and could try to trace and correct my typo.

It would make sense to deactivate entry history (being able to traverse inputs with Ctrl+Z and Ctrl+Y) for the password field on the lockscreen.

I would like to have the option to deactivate the unmasking "eye button" functionality with the other screen locking options.

-- 
You are receiving this mail because:
You are watching all bug changes.
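
The behaviour described in the report, as an added example that is not part of the original report and is not kscreenlocker code: a small Python model of a password field with an edit history and a reveal toggle, run through the reported sequence with each of the two requested mitigations switched on in turn. The class, its two switches and the sample attempt string are constructed for illustration.

```python
"""Constructed model of a lock-screen password field (not kscreenlocker code)."""


class PasswordField:
    def __init__(self, keep_history=True, allow_reveal=True):
        self.keep_history = keep_history   # assumption: models Ctrl+Z / Ctrl+Y support
        self.allow_reveal = allow_reveal   # assumption: models the "eye button"
        self.text = ""
        self.revealed = False
        self._undo = []                    # earlier contents of the field

    def _record(self):
        # Snapshot the current contents before an edit, if history is enabled.
        if self.keep_history:
            self._undo.append(self.text)

    def type_text(self, chars):
        self._record()
        self.text += chars

    def clear(self):
        """The user deletes the attempt (select all, then delete)."""
        self._record()
        self.text = ""

    def undo(self):
        """Ctrl+Z: restore the previous contents, if any were kept."""
        if self._undo:
            self.text = self._undo.pop()

    def toggle_reveal(self):
        if self.allow_reveal:
            self.revealed = not self.revealed

    def display(self):
        """What a person looking at the screen sees."""
        return self.text if self.revealed else "\u2022" * len(self.text)


def walk_away_scenario(field, attempt="hunter2x"):  # constructed sample attempt
    """Mistyped attempt is entered and deleted; later undo and reveal are pressed."""
    field.type_text(attempt)
    field.clear()
    field.undo()
    field.toggle_reveal()
    return field.display()


if __name__ == "__main__":
    print("as reported:     ", repr(walk_away_scenario(PasswordField())))
    print("no edit history: ", repr(walk_away_scenario(PasswordField(keep_history=False))))
    print("no reveal button:", repr(walk_away_scenario(PasswordField(allow_reveal=False))))
```

In this model only disabling the edit history leaves the field empty; disabling the reveal button alone still restores the masked attempt, so its length stays visible.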