https://bugs.kde.org/show_bug.cgi?id=374074
Bug ID: 374074
Summary: Lock Screen: "Show Password" - lockscreen vulnerable to social engineering
Product: Breeze
Version: unspecified
Platform: Gentoo Packages
OS: Linux
Status: UNCONFIRMED
Severity: major
Priority: NOR
Component: general
Assignee: plasma-devel@kde.org
Reporter: m...@eliasprobst.eu
Target Milestone: ---

The recently introduced feature to show the entered password on the lockscreen makes it vulnerable to social engineering and endangers the whole security of the current user.

If someone enters his (partial) password but for some reason doesn't immediately push <RETURN> before leaving his workplace unattended, anyone else walking by could reveal the user's (partial) password. This is basically leaving the password in plain text on a post-it on the desk.

The password field should be cleared:
- after X seconds of inactivity
- when switching to another VT
- when suspending/resuming

Besides that, it might make sense to introduce a (Kiosk-controllable) option to disable the "Show password" functionality in the lockscreen.

--
You are receiving this mail because:
You are the assignee for the bug.
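
The clearing rules proposed in the report above, modelled as a small state machine. This is an added example, not part of the original report and not Plasma or Breeze code; the class, event and option names are hypothetical, and `allowReveal` stands in for the suggested Kiosk-controllable setting.

```javascript
// Added example; every name here is hypothetical, not Plasma/Breeze code.
const CLEARING_EVENTS = new Set(["vt-switch", "suspend", "resume"]);

class PasswordFieldGuard {
  // timers is injectable so the idle timeout can be tested without waiting.
  constructor({ idleMs = 10000, allowReveal = true, timers = globalThis } = {}) {
    this.idleMs = idleMs;           // the report's "X seconds", in milliseconds
    this.allowReveal = allowReveal; // stands in for a Kiosk-controlled setting
    this.timers = timers;
    this.text = "";
    this.revealed = false;
    this.handle = null;
  }
  // Every keystroke restarts the inactivity countdown.
  input(chars) {
    this.text += chars;
    this._arm();
  }
  // "Show password" toggle; refused when reveal is disabled by policy.
  setRevealed(on) {
    this.revealed = Boolean(on) && this.allowReveal;
    this._arm();
    return this.revealed;
  }
  // VT switch and suspend/resume wipe whatever was typed so far.
  onSessionEvent(name) {
    if (CLEARING_EVENTS.has(name)) this.clear();
  }
  // Wiping the text also resets the reveal toggle and stops the countdown.
  clear() {
    this.text = "";
    this.revealed = false;
    this._disarm();
  }
  // What a passer-by would see on screen.
  displayed() {
    return this.revealed ? this.text : "*".repeat(this.text.length);
  }
  _arm() {
    this._disarm();
    if (this.text.length > 0) {
      this.handle = this.timers.setTimeout(() => this.clear(), this.idleMs);
    }
  }
  _disarm() {
    if (this.handle !== null) this.timers.clearTimeout(this.handle);
    this.handle = null;
  }
}
```

Clearing also resets the reveal toggle, so a field that was left in "show" mode comes back masked after a timeout, VT switch or resume.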