I've seen several users be affected by this (me included). It's particularly common for users to just expect to enter their password because that's what they normally do, while for some unknown reason the greeter is asking for the username instead (the enumerated vs general case above).
This is a security issue, not only because other people watching the screen might see the password being typed, but also because the failed username is logged to syslog in cleartext. Please make it much more clearer when asking username vs password. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to unity-greeter in Ubuntu. https://bugs.launchpad.net/bugs/1057437 Title: login UI is prone to exposing password Status in Ayatana Design: New Status in “unity-greeter” package in Ubuntu: Confirmed Bug description: The Unity login screen employs a single field that is used for both login name and password entry. It's fairly easy to get confused as to the current mode and enter your password when login name is expected, thereby exposing your password to onlookers. Here are some scenarios leading to this confusion: * password re-entry (for general login) -- upon unsuccessful password attempt, the user might assume that only password is being reprompted, when actually the login name must be entered again. * enumerated vs. general login -- the user may typically use his enumerated login (where username selected and only password is typed) and fail to notice that general login has been selected (perhaps by another person tampering with the login screen). He'll type his password when login name is expected. For security reasons the login UI needs to be very explicit about what fields are used for password. Textual indicators (e.g. grayed "Password" placeholder in field) don't seem to be a distinctive enough cue-- my guess is people don't pay attention to login screen text beyond their first encounter. A spacial separation is warranted. Using a single, modal field for both login and password appears especially error prone. To manage notifications about this bug go to: https://bugs.launchpad.net/ayatana-design/+bug/1057437/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
