WPA passphrase is echoed in gui

Bug #476982 reported by mnoe on 2009-11-06
280
This bug affects 5 people
Affects Status Importance Assigned to Milestone
wicd
Medium
David Paleino

Bug Description

This bugreport is similar to bug #237735 (https://bugs.launchpad.net/wicd/+bug/237735) which is still present in Wicd version 2.0 on Ubuntu 9.10 (Karmic Koala).

When entering the passphrase for encrypted networks, it is echoed in the input box and can therefore be read by anyone looking over my shoulder. Even though it might not be a security vulnerability in a technical sense, I consider it one because I am forced to make sure nobody is watching while typing, which can be impossible in public places. At my university for example I need to log into the PEAP encrypted WLAN using the username and passphrase for my main university account, which gives me also access to e-mail, vpn, examination results, e-learning platform etc. If someone gets hold of this data, they can easily impersonate me and cause serious trouble.

Please make the input box display asterisks, dots or nothing, as does every other password-dialog I am aware of. Expecting this (in my opinion normal and sane) behaviour, I was quite shocked to see my password echoed on screen.

Thanks for considering,
regards

Matthias Noe

mnoe (matthias-noe) on 2009-11-06
visibility: private → public
mnoe (matthias-noe) wrote :

I have to correct myself, according to aptitude this is Wicd version 1.6.2.2-1 not 2.0 as shown by the "About" screen of the tray icon. Sorry.

cirne100 (cirne100) wrote :

I completely agree! I can not understand why this feature!

reyammer (reyammer) on 2011-05-25
Changed in wicd:
status: New → Confirmed
reyammer (reyammer) wrote :

Few days ago I uploaded a branch that addresses this issue.

A CheckButton is added near each entry that has to be protected, in a way that the user can decide to show/hide the password.
In the attachment, you can see a screenshot.

Any feedbacks?

fox91 (fox1991) wrote :

great! i would add a "show passphrase" checkbox near every password field

David Paleino (dpaleino) wrote :
Changed in wicd:
assignee: nobody → David Paleino (dpaleino)
milestone: none → 1.7.1
importance: Undecided → Medium
status: Confirmed → Fix Committed
Dominik Heidler (dheidler) wrote :

With PEAP/TKIP the identity is masked, but the password is not. - using wicd-curses 1.7.0

no longer affects: archlinux
David Paleino (dpaleino) on 2012-02-05
Changed in wicd:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers