| 2019-04-23 17:14:20 |
Tom Reynolds |
description |
During the past days, questions about Secure Boot initialization repeated on IRC.
This is what this screen looks like on 16.04 (I don't have an 18.04 or 19.04 screen available, but the users' questions seem to suggest it still looks similar):
https://i.stack.imgur.com/cCTiK.png
Two questions were asked primarily:
* Is this the same password I need to (enter BIOS / login to Ubuntu)?
* Do I need to remember this password?
While there is a "Learn more..." link there which probably leads to more information about how the password is used (unfortunately I do not know what this brings up), I believe this screen creates a serious issue for those users who decide to initialize Secure Boot by setting a password. Many will not keep the passphrase they enter there, will try to remember it but forget it since (except for the next boot) they are not prompted to enter it again until they forget.
In my opinion, this screen should at least say something like "this password is saved into your firmware and you must store it in a secure place where you will find it in years from now". You may want to go as far as recommending to print or write it on a paper and store that securely.
Years ago, few wanted to use Secure Boot, but things are changing and not ensuring that users know what password they wrote to their Firmware equates to breaking part of its functionality. (Having users set a password without ensuring their good understanding of what it will be used for also violates secure software UX engineering principles.) |
During the past days, questions about Secure Boot initialization repeated on IRC.
This is what this screen looks like on 16.04 (I don't have an 18.04 or 19.04 screen available, but the users' questions seem to suggest it still looks similar):
https://i.stack.imgur.com/cCTiK.png
Two questions were asked primarily:
* Is this the same password I need to (enter BIOS / login to Ubuntu)?
* Do I need to remember this password?
While there is a "Learn more..." link there which probably leads to more information about how the password is used (unfortunately I do not know what this brings up), I believe this screen creates a serious issue for those users who decide to initialize Secure Boot by setting a password. Many will not keep the passphrase they enter there, will try to remember it but forget it since (except for the next boot) they are not prompted to enter it again until they forget.
In my opinion, this screen should at least say something like "this password is saved into your firmware and you must store it in a secure place where you will find it in years from now". You may want to go as far as recommending to print or write it on a paper and store that securely.
Years ago, few wanted to use Secure Boot, but things are changing and not ensuring that users know what password they wrote to their Firmware equates to breaking part of its functionality. (Having users set a password without ensuring their good understanding of what it will be used for also violates secure software UX engineering principles.)
It should also be encouraged to type in a passphrase rather than password at this point. |
|
