Perhaps can tell me if this seems plausible. I was using the snaphot from February 4.
I've added several users, over several days, using the exact same script (I wrote), with the only input being the username on the command line. The script also generates a random encrypted password -- which I can see by looking at master.passwd. And all the user accounts seemed to work (until the system became unresponsive). Recently I saw that the last user to be created this way has no password! My best guess is an un-updated chromium parsed a compromised web page, that ... removed the password. passwd(1) requires the current password if the user calling it is not the superuser. It seems like pledge ought to be an obstacle. The compromised user was not logged in (to my knowledge) by the time I gave up and shut down the computer. I always kill all processes associated with these accounts when I log out. The password generator takes printable characters from /dev/random, adding more as needed. On Fri, Feb 20, 2026, 5:49 AM Samuel <[email protected]> wrote: > I've added several users, over several days, using the exact same script, > with the only input being the username on the command line. The script > also generates a random encrypted password, which I can confirm by looking > at master.passwd. And all the user accounts seemed to work (until the > system became unresponsive). > > Recently I saw that the last user to be created this way has no password! > My best guess is an un-updated chromium parsed a compromised web page, that > ... removed the password (was running a snapshot, not stable). > > Does that seem plausible? > > (The compromised user was not logged in (to my knowledge) when I gave up > and shut down the computer.) >
