login sometimes asks for user id - risky

Bug #1388321 reported by Russell Gadd
This bug affects 5 people
Affects: Linux Mint
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Most of the time the login knows my user id and just asks for the password in the box. Occasionally it asks for the user id first in the same box without it being super obvious to a busy person. So I type my password looking at the keyboard and this is echoed on the screen. Anyone looking at my screen can see my password. This is a security risk.

Login should be consistent and not randomly ask for user id - either do it always or never.

Linux Mint 17 Qiana Mate 64 bit

Don't know enough about the system to tell if it's a desktop related issue.

Russell Gadd (rustleg)
information type: Private Security → Public Security
ALinuxUser (buntulongername-new) wrote :

I agree with everything the original reporter said (except that I have the impression that there is some consistency in when the problem occurs - the prompting for username rather than password has a pattern to it, I think). Since this is indeed a security problem, it does need fixing fairly urgently.

Jimb0 Hon1nbo (jimb0-hon1nbo) wrote :

This is a dupe of this: https://bugs.launchpad.net/linuxmint/+bug/1473708

It has been a common complaint and issue for years and spanning several versions. No one seems to ever get assigned to fix it.

This is a design issue, not a software bug. If the user presses Enter, types the wrong password, etc., then the system reverts to asking for the username instead of having the username pre-filled.
Having a single box like this is a UI design flaw, and as a security consultant I immediately try to access auth logs when I see Mint as a desktop or OS in use due to this design, and it has been successful in the field to recover passwords.

Makes encrypted home partitions worthless, and grants easy access without having to change a user's password outside of the running system nor crack hashes.
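
The exposure described in the comments above (text typed at the username prompt being recorded in the authentication log) can be audited from the defender's side. The following is an added example, not part of the original bug report or of any Linux Mint code: it flags login-failure entries whose recorded user name is not a local account and redacts them, so the affected password can be changed and the log scrubbed. The log message formats, the sample lines, and all function names are assumptions constructed for illustration.

```python
import re

# Constructed /etc/passwd excerpt and auth-log lines (formats assumed for illustration).
# The unknown "user" values are placeholders standing in for text typed at the wrong prompt.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
SAMPLE_LOG = """\
Nov  1 09:12:01 mint mdm[1201]: pam_unix(mdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=alice
Nov  1 09:12:09 mint mdm[1201]: pam_succeed_if(mdm:auth): error retrieving information about user CONSTRUCTED-PLACEHOLDER-1
Nov  1 09:12:20 mint mdm[1201]: pam_unix(mdm:session): session opened for user alice by (uid=0)
Nov  2 08:01:44 mint mdm[1187]: pam_succeed_if(mdm:auth): error retrieving information about user alcie
"""

# Matches the user name recorded by a failed authentication attempt.
# "\buser=" deliberately does not match the "ruser=" field.
USER_FIELD = re.compile(r"(?:\buser=|about user |[Ii]nvalid user )(\S+)")


def local_accounts(passwd_text):
    """Return the set of account names from passwd-format text."""
    return {ln.split(":", 1)[0] for ln in passwd_text.splitlines()
            if ln and not ln.startswith("#")}


def suspect_lines(log_text, accounts):
    """Line numbers (1-based) whose recorded user is not a known account.

    Only line numbers are returned so the suspect value is never echoed.
    """
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = USER_FIELD.search(line)
        if match and match.group(1) not in accounts:
            hits.append(number)
    return hits


def redact(log_text, accounts):
    """Return the log with every unknown user value replaced by [REDACTED]."""
    cleaned = []
    for line in log_text.splitlines():
        match = USER_FIELD.search(line)
        if match and match.group(1) not in accounts:
            line = line[:match.start(1)] + "[REDACTED]" + line[match.end(1):]
        cleaned.append(line)
    return "\n".join(cleaned) + "\n"


if __name__ == "__main__":
    known = local_accounts(SAMPLE_PASSWD)
    print("review lines:", suspect_lines(SAMPLE_LOG, known))
    print(redact(SAMPLE_LOG, known), end="")
```

A mistyped account name such as `alcie` is flagged as well, so each hit needs review; rotated and archived copies of the log need the same treatment as the live file.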

This report contains Public Security information  
Everyone can see this security related information.
