This is a very bad thing.

It could arise in several ways:

  1. You've missed the password prompt, and typed it into some other part of the screen. This can happen on slow unix boxes when you type your username, then begin to enter your password before you're asked for it. The screen then displays:

        digestive login: spiregrain
        zocalPassword:

     Or maybe on a windows box with a sticky tab key, resulting in your entering a password and username all in one box.

  2. A stupid program requires you to enter your password, without replacing it by **** or whatever. Early versions of microsoft internet explorer do this when you access a non-anonymous FTP site.

  3. An apparently sensible program lets you enter your password, replaces it with **** or whatever, then displays it clearly somewhere else later on. Newer versions of microsoft internet explorer do this if you open a word document from an FTP site.

  4. A website with user accounts emails it to you. This isn't so bad, since it doesn't really feel like your password yet.

  5. You run a program that takes a while to load up, grabs the input focus, then displays a text console, say matlab. While that's loading, you fire up telnet and enter your login. As you enter your password, Matlab starts and your password appears in its window. Doh! There is a way round this under certain circumstances, see mib's writeup below.

     News! Gnome 2.10 implements a new freedesktop.org standard which just prevents this from happening! I guess KDE either does this now, or will do soon. (jrn reports that Mac OS X does something similar, but suspects it's not under the auspices of freedesktop.org.)

  6. You set up the CatBoxer in #catbox to forward messages into the Chatterbox. This requires you to send your e2 password as an irc /msg.

  7. Another way is described in "Choose a password with only X's in it". Thanks for pointing this out go to jrn, and thanks for writing it go to ariels.

Your reactions to any of these events may differ from mine, which are:

  1. Stare at it for a while wondering what it is and why it seems familiar. This is because although I know how to spell my passwords, I don't often see them, so they look odd. And then I feel odd.

  2. Frantically press backspace, type login and type "clear", hide the window, switch off the screen, according to context and how many nosy people are in the room, or looking over my shoulder.

Oooh. I've been there, done that. That really hurts. I had just moved up to admin a few weeks before, and I was training one of the techs to do my previous job of tech supervisor. We were sitting there in my 10x10' cell (they call it an office; I call it a small prison near the server racks), and I was about to add him to sudo for the mailserver, so he could fix a few things if they happened (damaged mail, add aliases, etc). I ssh into the server, still talking to him about something, and not really paying attention, and type `su`. I'm going a mile a minute and totally miss the 1/4 second delay between typing `su` and typing in my pass - and the root pass is displayed right there.. AAagh. The load on the machine was pretty high, because as is often the case, management fails to listen to the network guys when it comes to spending money. We needed a new box so we could balance the mail load, but they didn't want to spend more money at the time.. so there was sometimes a bit of lag on the system.

    jamyn@sys48$ssh jamyn@mail
    jamyn@mail's password:
    Last login: Mon Apr 4 17:11:32 1999 from sys48
    Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
    The Regents of the University of California. All rights reserved.
    FreeBSD 4.0-RELEASE (KERN/QM-BSD4)

    jamyn@mail jamyn su
    WtfwytysfYchtPassword:
    Sorry
    jamyn@mail jamyn logout

What a heartbreaker. I heard a slight "heh" behind me, and knew the tech was trying furiously to memorize the password, even as I was slamming Control-D as fast as I could, to logout and clear the screen. It took all of 1/2 a sec for me to realize the mistake and the screen was cleared, but it doesn't matter though.. I couldn't keep that pass anymore of course. "What the fsck were you thinking you stupid fsck, you can't have this" ; "WtfwytysfYcht". I told the employee to go back to the tech room, I had some stuff I needed to do and would meet with him in 15 minutes. I then chose a new root pass for the mailserver, and emailed it to the rest of the NOC staff.

Heh. You're thinking, 'you did what?! you EMAILED a root pass?!' .. well yeah, I don't feel so bad about it; you see - all NOC mail is PGP encrypted with a 4096 bit key. Not just some messages -- all messages to NOC. That includes system emails from any box (using PGP wrappers for sendmail), etc etc. The core NOC staff keep the private key, and use it to decrypt the messages; it works out pretty nicely. Ah well, live and learn. =)

I once used Novell's digitalme to enter in web forms. It conveniently stores the passwords for you on its servers, and all communication between you and them is encrypted, but imagine my surprise when I went to the entry for the form I filled out and there was my password there in visible plaintext.

The weird thing is, if you have a good password and are not writing it down, you shouldn't immediately recognize it when you see it in print--because you never have, and also because it should look like line noise. If it doesn't take you a second, then your password sucks anyway, and it hardly matters if people see it or not.

This happened to me three days ago, in the worst of possible circumstances.

At the University at Buffalo, there is a single password (one pass to rule them all, as I call it) which:

  • Signs onto the Resnet.
  • Checks our email.
  • Posts Usenet messages.
  • Logs into the timeshares, except those for specific departments.
  • Checks our grades.
  • Registers us for, and drops us from, classes.
  • Probably some other functions I don't recall offhand.

Losing this pass would be far worse for me than losing the root pass on my Linux side, which someone would almost have to get to my machine to use.

I check my email using Netscape. When I go to check it, it takes a minute before the server asks for a password and NS opens a window to prompt for the One Pass. So I saw that window pop up, and my fingers started typing while my eyes saw one of my E2 friends' AIM window pop up. And then The Inevitable happened.

    clearpebbles: Hi.
    Pakaran2: b4rkhawd!

I tried to keep up a conversation, while waiting one eternity for the UB page to load and take me to the remote "change pass" page, another eternity for it to confirm my old pass and process the change, and a third one for the 1 hour it takes for the change to propagate across all the systems. All while being casual on AIM, like the pass was nothing more than some sort of network static.

Not as bad a situation as that faced by jamyn, to be sure, but still pretty damned frightening!

clearpebbles, if you're reading this, I'm sorry - I don't doubt you're a wonderful person for a minute. However, I'm damned paranoid. As in, damned if I am, damned if I'm not. And I'd prefer the former, since it's less absolutely damning. I knew that you were presently on the net, and knew my real email address, and thus the username and host you might try to log into. I just had to hope that if you, or someone looking over your shoulder, was a cracker, they wouldn't recognize the pass as such.

If anyone cares, since that pass is now permanently retired, it was "b4rkhawd!", a corruption of "bark hound". Ironically, I am a cat person.

What would people think if they saw your password? Well, I used to write my passwords in such a way that if anyone saw it, it would be at least mildly amusing. I ran out of phonetic passwords that would do the trick eventually, so I go with speedy ones that are hard to mistype (lots of things on one hand, etc).

So here I am, sitting in the lounge with some girl freshman year (I forget who right now), and I am checking my email quickly on a slow, laggy VT420 terminal. I am basking in the orange glow of the monitor, my fingers deftly tapping on the keys when the inevitable happens.

    reno login: jbonci
    masturB8password:

She saw my password, masturB8 (this was forty or so passwords ago, so don't bother). I didn't notice it at first, until she burst out laughing.

"What?!?", I asked, wondering what was funny.
"Masturbate!", she chuckled, "Your password is masturbate."

I whipped my head around to see it there on the screen, not having cleared yet. The embarrassment faded faster than I had expected, as she took it better than I thought. I had to explain my humorous password policy to her at that point, and quite a lively conversation ensued.

Boy, now THAT was an icebreaker.

I was on the receiving end of one of these experiences while I was in high school, in a rather unique way.

As I am blind I need to use a screen reader to know what's on the screen. Up until very recently, screen readers could not tell the difference between a standard edit box and a password edit box. This meant that even if the text in a password edit box was replaced with *s or something similar, the actual characters would still get read through the screen reader as you typed them in.

About two years ago, I was setting up a computer for another blind student at another school. Their system administrator was rather paranoid, and as a result was running Foolproof on all the computers. Rather than just telling me the Foolproof password, he had to come down every time I needed it and type it in. And each time he typed it, it got echoed through the screen reader. Fortunately, I was wearing headphones so it didn't get yelled out to the whole room, but I heard it several times. Unfortunately, the password was digital, so it probably would have been cracked soon anyway.

With regards to spiregrain's fifth point, that a slow program suddenly appears and grabs the keyboard focus, there IS a remedy, if you want to type passwords into xterms. Just select secure keyboard; most xterms (and clones) support this. This will cause the xterm in question to hold the keyboard focus no matter what.

I get caught on this in two ways all the time. First is when I go to check my webmail, start typing my name/password before the page is done loading, and then the browser (annoyingly) changes the focus back to the first textbox when it finished loading, showing at least part of my password if I'm not careful. Then I'm left with something like

    Login: ivarnelissword
    Password: **

This happens to me all the time in both Internet Explorer and Mozilla, and it's gotten worse going from broadband back to a dial-up connection. The other way is when I'm using Internet Explorer for ftp. It'll let you login to an ftp server by typing a url like: ftp://ivarneli:password@ftp.server.com. Of course, then you're typing your password in plain view, so to be tricky, you just type in ftp://ivarneli@ftp.server.com and a dialog box comes up asking you for your password (and hiding it when you type it). But what happens when you press OK? You look at the URL box at the top of the window and see your password right there! It gets even better... IE saves it in the history, so the next person to use that computer can easily see your password and log in to your ftp server if you're not careful and clear the history.
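The address-bar and history problem ivarneli describes is a case for scrubbing user:password@host credentials out of a URL before it is stored or logged, and for spotting the ones that already got through. An added example, not code from any writeup on this page; the history lines it works on are constructed:

```python
"""Redact embedded user:password@host credentials from URLs before they land in
a history file or log.  Added example, not from this page; sample lines are constructed."""
import re
from urllib.parse import urlsplit, urlunsplit

# An absolute URL token in free text; credentials, if any, precede the '@'.
_URL_RE = re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s\"'<>]+")

def _split(url):
    """urlsplit that returns None instead of raising on a malformed netloc."""
    try:
        parts = urlsplit(url)
        parts.port           # accessing .port raises on a non-numeric port
        return parts
    except ValueError:
        return None

def redact_url(url, keep_user=True):
    """Return url with the password removed (and the username too when
    keep_user is False).  A URL that carries no password is returned as-is."""
    parts = _split(url)
    if parts is None or parts.password is None:
        return url
    host = parts.hostname or ""      # note: urlsplit lowercases the host
    if ":" in host:                  # re-bracket an IPv6 literal
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    if keep_user and parts.username:
        host = f"{parts.username}@{host}"
    return urlunsplit(parts._replace(netloc=host))

def redact_text(text, keep_user=True):
    """Redact every credentialed URL inside a line (history entry, log line)."""
    return _URL_RE.sub(lambda m: redact_url(m.group(0), keep_user), text)

def credentialed_urls(text):
    """Detection side: list the URLs in text that embed a password."""
    hits = []
    for m in _URL_RE.finditer(text):
        parts = _split(m.group(0))
        if parts is not None and parts.password is not None:
            hits.append(m.group(0))
    return hits

# Constructed history lines in the shape of ivarneli's ftp example.
HISTORY = [
    "visited ftp://ivarneli:hunter2@ftp.server.com/pub/ at 10:02",
    "visited ftp://ivarneli@ftp.server.com/pub/ at 10:05",
    "visited http://bob:s3cret@[::1]:2121/x at 10:07",
]
```

The redacted form keeps the username, which is exactly the ftp://user@host shape that makes the browser prompt for the password instead of carrying it in the URL.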

Warning: xterm-related technical information follows.

If you are using X and the xterm terminal emulator, you can use the "secure keyboard" option to temporarily ensure all keyboard input is sent only to the xterm. This not only stops unexpected pop-ups from getting your password accidentally, but also foils any trojan programs that might be snooping on you.

Usually this is set up on the "Main Options" menu, accessed by holding control and pressing and holding the left mouse button, inside the xterm window. The "secure" function is a toggle. It will reverse the video when it has successfully activated — if this does not happen then you are not secure!

A really handy tip is to bind this to a button on your keyboard you don't normally use in an xterm (e.g., F12). Then, hit that key every time before you type a password, and then whack it again when you've finished typing it.

To set this up, you need to add the following X resource setting. Normally you can just put this in your ~/.Xresources or equivalent file, or you can load it by hand with xrdb -merge:

    xterm*VT100.Translations: #override <Key>F12: secure()

The list of keys you can use and their names can be found in /usr/include/X11/keysymdef.h, just strip off the XK_ part of the name.

Note: this will only take effect on new xterms started after you load the resource setting.
