Bug 21272

Summary: Login password is shown in plaintext
Product: IO/Storage
Reporter: sworddragon2
Component: Other
Assignee: io_other
Status: CLOSED INVALID
Severity: normal
CC: alan, Firestone
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 2.6.36-1 ubuntu x86_64
Subsystem:
Regression: No
Bisected commit-id:

Description sworddragon2 2010-10-27 15:59:10 UTC
Just an example: I start Ubuntu and want to log into the terminal in tty1. The first input prompt is "ubuntu login: ". If I enter my login name the first time my hard disk is loading something. This gives me enough time to enter my password before the "Password: " prompt appears. The output is something like this (example password is 1234):

ubuntu login: sworddragon
12Password: 

There should be an input lock after the login name is entered until it is secured that the password will be hidden.

Comment 1 Firestone 2010-11-05 11:07:36 UTC
I use laptop-mode on my laptop, which spins down the hd after so many minutes of inactivity. When I need to enter the password when this is the case, i.e. login or su, it reproduces the password echoing issue discussed here.

After a few months of witnessing this, I have noticed that the initial command lets the hd spin up again, e.g. su, and that the moment between entering the echoless password and being able to safely enter it is equal to the spin up delay. When not using laptop-mode, this issue does not occur.

The problem is not a bug of laptop-mode, as I read reports that it seems to occur with heavy load too. We therefore need a change in the way functions that require passwords are processed, e.g. some sort of symbol that prevents input echo on that terminal until the security kicks in.

Note that this does not seem to be related to a certain kernel version, as I am on a rolling release (Arch).
For completeness:

Linux Host 2.6.35-ARCH #1 SMP PREEMPT i686 Intel(R) Core(TM)2 CPU T5500 @ 1.66GHz GenuineIntel GNU/Linux

Comment 2 Alan 2012-05-12 00:01:00 UTC
Login/password is not a kernel bug but a userspace one in your distro

Closing old forgotten bug therefore
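
The race discussed in this report, reproduced on a pseudo-terminal as an added example (not part of the original bug report and not code from any login implementation): the tty echoes keystrokes when they arrive, so type-ahead is visible unless the program clears ECHO before its slow step. It assumes Linux with /dev/ptmx; the helper names and the keystrokes "12" are constructed for illustration.

```c
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <termios.h>
#include <unistd.h>

/* Set or clear ECHO; TCSAFLUSH also discards unread type-ahead. */
static int set_echo(int fd, int on) {
    struct termios t;
    if (tcgetattr(fd, &t) < 0) return -1;
    if (on) t.c_lflag |= ECHO; else t.c_lflag &= ~(tcflag_t)ECHO;
    return tcsetattr(fd, TCSAFLUSH, &t);
}

/* Linux pty pair: master = keyboard/screen, slave = the tty login runs on. */
static int open_pty(int *m, int *s) {
    int unlock = 0; unsigned int n; char path[32];
    if ((*m = open("/dev/ptmx", O_RDWR | O_NOCTTY)) < 0) return -1;
    if (ioctl(*m, TIOCSPTLCK, &unlock) < 0 || ioctl(*m, TIOCGPTN, &n) < 0) { close(*m); return -1; }
    snprintf(path, sizeof path, "/dev/pts/%u", n);
    if ((*s = open(path, O_RDWR | O_NOCTTY)) < 0) { close(*m); return -1; }
    return 0;
}

/* Returns how many of the constructed keystrokes "12" the terminal echoes
   while the program is busy, or -1 on error.
   echo_off_first = 0: ECHO cleared after the slow step; 1: cleared before it. */
int echoed_during_delay(int echo_off_first) {
    int m, s, n = 0; char buf[16];
    if (open_pty(&m, &s) < 0) return -1;
    set_echo(s, !echo_off_first);
    if (write(m, "12", 2) != 2) n = -1;   /* user types ahead */
    struct pollfd p = { .fd = m, .events = POLLIN };
    /* Simulated slow step (disk spin-up); collect whatever the tty echoes. */
    while (n >= 0 && poll(&p, 1, 200) > 0) {
        ssize_t r = read(m, buf, sizeof buf);
        if (r <= 0) break;
        n += (int)r;
    }
    if (!echo_off_first) set_echo(s, 0);  /* too late: "12" is already on screen */
    close(s); close(m);
    return n;
}

int main(void) {
    printf("late: %d echoed, early: %d echoed\n", echoed_during_delay(0), echoed_during_delay(1));
    return 0;
}
```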