The number of times I've been stuck wondering if my keystrokes are registering properly for a sudo prompt over a high latency ssh connection.
These servers I had an account setup too were, from what I observed, partially linked with the authentication mechanism used by the VPN and IAM services. Like they'd have this mandatory password reset process and sometimes sudo was set to that new password, other times it was whatever was the old one. Couple that with the high latency connection and password authentication was horrible. You would never know if you mistyped something, or the password itself was incorrect or the password you pasted went through or got double pasted.
I think this is a great addition, but only if it leads to redhat adopting it which is what they were running on their VMs.
exac 14 minutes ago [-]
Could we not have used braille patterns? Start on a random one and you can just replace the character with the next one so it is possible for the user to see something was entered, but password length isn't given to someone looking over the user's shoulder?
⣾, ⣽, ⣻, ⢿, ⡿, ⣟, ⣯, ⣷
dtech 40 minutes ago [-]
This is such a good decision. It's one of those things that's incredibly confusing initially, but you get so used to it over the years, I even forgot it was a quirk.
In the modern world there is no plausible scenario where this would compromise a password that wouldn't otherwise also be compromised with equivalent effort.
ahofmann 17 minutes ago [-]
I also think it is a good decision.
Nevertheless it breaks the workflow of at least one person. My father's Linux password is one character. I didn't knew this when I supported him over screen sharing methods, because I couldn't see it. He told me, so now I know. But the silent prompt protected that fact.
It is still a good decision, an one character password is useless from a security standpoint.
zx8080 12 minutes ago [-]
> It is still a good decision, an one character password is useless from a security standpoint.
Only if length is known. Which is true now. So it opens the gates to try passwords of specific known length.
Freak_NL 21 minutes ago [-]
Yes… We're in the same room as the target… Let's look at their screen and see how long their password is.
Or, we could just look at the keyboard as they type and gain a lot more information.
In an absolute sense not showing anything is safer. But it never really matters and just acts as a paper cut for all.
Tepix 1 hours ago [-]
Why not just display a single character out of a changing set of characters such as
/ - \ |
(starting with a random one from the set) after every character entered?
That way you can be certain whether or not you entered a character but and observer can‘t tell how many characters your password has.
drysart 13 minutes ago [-]
There was a software package a couple decades ago, I want to say it was Lotus Notes but I'm pretty sure it wasn't actually Lotus Notes but something of that ilk, that would show a small, random number of asterisks corresponding to each character entered. So you'd hit one key and maybe two asterisks would show up on screen. And kept track of them so if you deleted a character, it'd remove two.
I thought that was kinda clever; it gives you feedback when your keystrokes are recognized, but it's just enough confusion to keep a shoulder surfer from easily being able to tell the length of your password unless you're hunt-and-pecking every single letter.
gzread 57 minutes ago [-]
Because that's still weird and confusing to people and still serves no purpose.
creatonez 31 minutes ago [-]
Sorta reminds me of the i3lock screen locker. It shows an incredibly confusing circle UI where every keystroke randomizes the position of the sector on a circle, with no explanatory text on the screen (^1). To new users, it's not clear at all that you are entering your user password or even that it's a screen locker at all, because it just looks like a cryptic puzzle.
Of course, once you do understand that it's just a password prompt, it's great. Completely confuses the hell out of any shoulder surfers, who will for sure think it's a confusing puzzle, and eventually they will get rate limited.
> That way you can be certain whether or not you entered a character
gzread 43 minutes ago [-]
And the shoulder surger can still count the number of times it changes so you might as well just be normal.
They can also count the number of keystrokes they heard.
Tepix 39 minutes ago [-]
The echoed stars should disappear when you press enter, that way you are not revealing this information when you share a screen capture.
oneeyedpigeon 34 minutes ago [-]
Surely looking at your screen seconds/minutes/hours later is the greater risk vector?
blackhaz 37 minutes ago [-]
It's surprising to see an OS, dominant as a sever platform, now optimizing catering to people who are unsure whether they've pressed a button on their keyboard. What's next, replacing asterisks with a progress bar?
rabf 3 minutes ago [-]
Password recovery where you enter your mothers maiden name and favourite food.
jadamson 45 minutes ago [-]
I don't understand your suggestion. If you're still showing one character after each character entered, what's changed?
What's the benefit of having a random character from a random set, instead of just a random character?
oneeyedpigeon 33 minutes ago [-]
I think the idea is that each character overwrites the previous, so you're never showing the total length (apart from 0/1!)
jadamson 27 minutes ago [-]
Ah, and the characters are supposed to be an ASCII spinner.
I think if I was new to Linux that would confuse the life out of me :)
NiloCK 27 minutes ago [-]
There's no persistent reveal of password length after you're finished typing. It reduces the length-reveal leak from anyone who eventually sees the terminal log to people who are actively over-the-shoulder as you type it.
DrawTR 28 minutes ago [-]
They mean to have a static single character on the screen and have it change with every keypress. For example, you type "a" and it shows /. You type "b" and it shows "|", etc.
b112 47 seconds ago [-]
For more than four decades, typing a password after a sudo prompt in a Linux terminal
What?!
2026 minus 46 is 1980. There was no Linux, at all, in 1980.
I didn't actually know that Mint had enabled this by default. That would have been a useful counterpoint to the naysayers.
If you want the original behaviour you don't actually need to change the configuration - they added a patch afterwards so you can press tab and it will hide the password just for that time.
> The catalyst for Ubuntu’s change is sudo-rs
Actually it was me getting sufficiently pissed off at the 2 second delay for invalid passwords in sudo (actually PAM's fault). There's no reason for it (if you think there is look up unix_chkpwd). I tried to fix it but the PAM people have this strange idea that people like the delay. So I gave up on that and thought I may as well try fixing this other UX facepalm too. I doubt it would have happened with the original sudo (and they said as much) so it did require sudo-rs to exist.
I think this is one of the benefits of rewriting coreutils and so on in Rust - people are way more open to fixing long-standing issues. You don't get the whole "why are you overturning 46 years of tradition??" nonsense.
If you do, offer support for writing modules in a scripting language like Lua or Python. PAM could make it a lot easier to just add OAuth with your company IdP, for example…
yonatan8070 39 minutes ago [-]
Pretty sure the 2s delay is designed to slow down brute-forcing it.
That site is terrible without ads blocked… it’s like a local newspaper site, you had to try and read the content in small snippets wedged between ads!
leni536 2 hours ago [-]
sudo is not the only thing that prompts for password in the terminal. There is at least passwd and ssh.
I value ctrl+U a lot more for password prompts than the visual feedback, it's even used by GUI on Linux.
timhh 40 minutes ago [-]
Yeah I would like to fix those too but sudo is the one I encounter most. Also the existence of sudo-rs meant there was less push-back. I seriously doubt the maintainers of openssh or passwd would accept this change.
jbverschoor 2 hours ago [-]
Weird argument about the logging password forging the same in a gui. Because it certainly it not when logging in using a terminal locale or ssh for that matter
tsimionescu 2 hours ago [-]
Either way, password lengths are exposed in virtually all scenarios except the Unix Terminal - and have caused 0 issues in practice. The default of hiding password inputs really is useless security theater, and always has been.
The crazier part is Ubuntu using a pre-1.0 software suite instead of software that has been around for decades. The switch to Rust coreutils is far too early.
charcircuit 22 minutes ago [-]
Modern password ui also gives the option to toggle the actual letters on so you can verify that you are actually typing the right thing. Hopefully that doesn't take another 46 years.
sourcegrift 1 hours ago [-]
I've been using a two character password since the last 10 years of my 23 year linux usage; I log in to console and manually start X. Guess the shame will catch up now.
mrweasel 11 minutes ago [-]
Love "manually start X", because I've been considering just doing that. In some weird sense it seems easier.
rich_sasha 18 minutes ago [-]
You could reproduce your UX by switching to a 0-length password.
uecker 47 minutes ago [-]
Funny. But I have to say the shaming of users who have different opinions or want to make different choices (the whole point of free software) is one of the saddest development in the free software world, such as the push for BSD replacements for GPL components, the entanglement of software components in general, or breaking of compatibility, etc. No matter whether you stand, that it is becoming harder to choose components in your system to your liking should give everybody pause. And if your argument involves the term "Boomer" because you prefer the new choice, you miss the point. Android should be a clear warning that we can loose freedoms again very quickly (if recent US politics is not already a warning enough).
pojntfx 1 hours ago [-]
It's fun, leading edge Linux distros (e.g. GNOME OS) are actually currently removing `sudo` completely in favour of `run0` from systemd, which fixes this "properly" by using Polkit & transient systemd units instead of setuid binaries like sudo. You get a UAC-style prompt, can even auth with your fingerprint just like on other modern OSes.
Instead of doing this, Ubuntu is just using a Rust rewrite of sudo. Some things really never change.
rich_sasha 19 minutes ago [-]
Why is running a command as an ephemeral systemd unit better? Just curious, I don't have an opinion one way or the other.
Without knowing more, creating a transient unit just to run a single shell command seems quite roundabout.
timhh 36 minutes ago [-]
You make it sound like there was a discussion where they looked at these two alternatives and chose improving sudo over using run0. Actually I just submitted a patch for this and they accepted it. I don't work for Ubuntu and I didn't even know run0 existed until now (it does sound good though; I hope they switch to that).
Elhana 20 minutes ago [-]
Gnome is known for shitty UX, breaking stuff every release and refusing to fix stuff since Gnome3.
1una 55 minutes ago [-]
It's possible to auth with your fingerprint (or even a YubiKey) in sudo. It's a functionality provided by PAM, after all.
CodeCompost 51 minutes ago [-]
How can you stop it asking your password every single time? I asked my LLM and it hallucinated Javascript at me.
why does everyone want some obtuse enterprise version of every command? What ever happened to minimalism? Is having something with half a dozen poorly documented interconnected points of failure really that awesome?
Is this just elitest job security so that people can feel like they're a linux high priest?
silisili 1 hours ago [-]
Ubuntu truly are masters of going all in on being different in a worse way, only to about face soon thereafter.
You'd think by now they'd have learned, but apparently not.
necovek 32 minutes ago [-]
Courage to be different is an open door to creativity.
Yes, it means going in a wrong direction sometimes as well: that's why it takes courage — success ain't guaranteed and you might be mocked or ridiculed when you fail.
Still, Ubuntu got from zero to most-used Linux distribution on desktops and servers with much smaller investment than the incumbents who are sometimes only following (like Red Hat).
So perhaps they also did a few things right?
(This discussion is rooted in one of those decisions too: Ubuntu was the first to standardize on sudo and no root account on the desktop, at least of mainstream distributions)
silisili 28 minutes ago [-]
Ubuntu became the most used because they were the first to really dumb down the install process. No insult intended, it was my first distro as well.
Nobody picked Ubuntu because of Mir, or Compiz, or Upstart(or snaps, while we're on the topic). They were obvious errors. That it's popular doesn't negate that fact.
gzread 2 hours ago [-]
Good. It's terrible UX.
The security argument is a red herring. It was originally built with no echo because it was easier to turn echo on and off than to echo asterisks. Not for security.
zenethian 48 minutes ago [-]
You got some sources or did you just make that up?
Because to hell with UX when it comes to security. Knowing the exact length of a password absolutely makes it significantly less secure, and knowing the timing of the keystrokes doubly so.
9dev 41 minutes ago [-]
Yet somehow, none of the other high security tools I have ever interacted with seem to do this for some reason. No auditor flags it. No security standard recommends hiding it.
But SUDO is the one bastion where it is absolutely essential to not offer hiding keystrokes as an obscure config option, but enable for everyone and their mother?
creatonez 21 minutes ago [-]
And once you start adding these accessibility problems, people will respond by using weaker passwords.
themafia 1 hours ago [-]
> easier to turn echo on and off than to echo asterisks.
One implies the other. You turn echo off. Then you write asterisks.
> Not for security.
Consider the case of copy and pasting parts of your terminal to build instructions or to share something like a bug report. Or screen sharing in general. You are then leaking the length of your password. This isn't necessarily disastrous for most use cases but it is a negative security attribute.
mikkupikku 17 minutes ago [-]
> One implies the other. You turn echo off. Then you write asterisks.
That's not how it works. Sudo turns off echo but otherwise keeps the terminal in it's normal cooked canonocal mode, meaning sudo only sees what you've entered after you hit enter. To print asteriks as you type requires putting the terminal in raw mode, which has the addition consequence of needing to implement shit like backspace yourself. Still a UX win worth doing, but it's pretty clear that skipping that and just disabling echo is an easier lazier implementation.
uecker 1 hours ago [-]
I would be worried more about leaking the timing of the key presses.
gzread 56 minutes ago [-]
Leaking the length of your password is about as bad for security as leaking the fact that you have a password, or that you use sudo.
ikari_pl 45 minutes ago [-]
It narrows down the brute force domain by several orders of magnitude
28 minutes ago [-]
emil-lp 40 minutes ago [-]
That's obviously false. It narrows it down less than a factor the length of the password, so unless your password is several orders of magnitude, it lowers narrows by a factor of ~8.
gzread 43 minutes ago [-]
No, it doesn't. The set of all passwords of exactly length N is about 1% smaller than the set of all passwords up to and including length N.
blfr 2 hours ago [-]
Just as you get used to something crazy after two decades, have kids, and are about to unleash it on them, it gets fixed. Will there be no boomer pleasures left for us millennials?
nubinetwork 2 hours ago [-]
Is this really the thing we're complaining about though? There's a lot more annoying things in Linux, rather than whether or not I see dots when I login...
How about all the daemons that double log or double timestamp on systemd machines?
eviks 1 hours ago [-]
> sudo password is the same as their login password — one that already appears as visible placeholder dots on the graphical login screen. Hiding asterisks in the terminal while showing them at login is, in the developers’ estimation, security theatre.
So hide the first one as well? But also, that's not true, not all terminal passwords are for local machine
> Confusing — appears frozen
So make it appear flashing? Still doesn't need to reveal length
9dev 46 minutes ago [-]
This is literally never identified as an issue in any other system processing passwords. This feels like a debate by someone who once thought they had a clever idea and can’t let go despite everyone telling them it’s awful.
michaelmrose 49 minutes ago [-]
Is there any reason to have this feature enabled for millions of desktop users vs enable by appropriately paranoid corporate IT departments?
Elhana 23 minutes ago [-]
Millions of desktop users would use empty password if they could.
mikkupikku 4 minutes ago [-]
Most of them would be well enough served by that too. It used to be normal and perfectly suitable for most home users.
childintime 23 minutes ago [-]
46 years of silent sudo passwords.. it just demonstrates how crazy this world is, if this is considered news. It means the code is a living fossil and people live with that fact, instead of demanding (infinite and instant) control over their systems.
This reminds me. Linux was already a fossil, except for some niches, but now in the age of AI, the fact that code can't be updated at will (and instead has to go through some medieval social process) is fatal. Soon the age will be here where we generate the necessary OS features on the fly. No more compatibility layers, no more endless abstractions, no more binaries to distribute, no more copyright, no need to worry about how "the others" use their systems, no more bike shedding. Instead, let the system manage itself, it knows best. We'll get endless customization without the ballast.
It's time to set software free from the social enclosures we built around it.
Retr0id 18 minutes ago [-]
I'm excited about the future of mutable software, but sudo isn't exactly the kind of thing you want to be patching on-the-fly.
Rendered at 08:20:40 GMT+0000 (Coordinated Universal Time) with Vercel.
These servers I had an account setup too were, from what I observed, partially linked with the authentication mechanism used by the VPN and IAM services. Like they'd have this mandatory password reset process and sometimes sudo was set to that new password, other times it was whatever was the old one. Couple that with the high latency connection and password authentication was horrible. You would never know if you mistyped something, or the password itself was incorrect or the password you pasted went through or got double pasted.
I think this is a great addition, but only if it leads to redhat adopting it which is what they were running on their VMs.
⣾, ⣽, ⣻, ⢿, ⡿, ⣟, ⣯, ⣷
In the modern world there is no plausible scenario where this would compromise a password that wouldn't otherwise also be compromised with equivalent effort.
Only if length is known. Which is true now. So it opens the gates to try passwords of specific known length.
Or, we could just look at the keyboard as they type and gain a lot more information.
In an absolute sense not showing anything is safer. But it never really matters and just acts as a paper cut for all.
I thought that was kinda clever; it gives you feedback when your keystrokes are recognized, but it's just enough confusion to keep a shoulder surfer from easily being able to tell the length of your password unless you're hunt-and-pecking every single letter.
Of course, once you do understand that it's just a password prompt, it's great. Completely confuses the hell out of any shoulder surfers, who will for sure think it's a confusing puzzle, and eventually they will get rate limited.
^1: Example of it in use: https://www.youtube.com/watch?v=FvT44BSp3Uc
> That way you can be certain whether or not you entered a character
They can also count the number of keystrokes they heard.
What's the benefit of having a random character from a random set, instead of just a random character?
I think if I was new to Linux that would confuse the life out of me :)
What?!
2026 minus 46 is 1980. There was no Linux, at all, in 1980.
Someone is quite confused.
apt install sudo-ws
apt remove coreutils-from-uutils --allow-remove-essential
I didn't actually know that Mint had enabled this by default. That would have been a useful counterpoint to the naysayers.
If you want the original behaviour you don't actually need to change the configuration - they added a patch afterwards so you can press tab and it will hide the password just for that time.
> The catalyst for Ubuntu’s change is sudo-rs
Actually it was me getting sufficiently pissed off at the 2 second delay for invalid passwords in sudo (actually PAM's fault). There's no reason for it (if you think there is look up unix_chkpwd). I tried to fix it but the PAM people have this strange idea that people like the delay. So I gave up on that and thought I may as well try fixing this other UX facepalm too. I doubt it would have happened with the original sudo (and they said as much) so it did require sudo-rs to exist.
I think this is one of the benefits of rewriting coreutils and so on in Rust - people are way more open to fixing long-standing issues. You don't get the whole "why are you overturning 46 years of tradition??" nonsense.
If anyone wants to rewrite PAM in Rust... :-D
https://github.com/linux-pam/linux-pam/issues/778
If you do, offer support for writing modules in a scripting language like Lua or Python. PAM could make it a lot easier to just add OAuth with your company IdP, for example…
https://github.com/pibara/pam_unix/blob/master/unix_chkpwd.c...
I value ctrl+U a lot more for password prompts than the visual feedback, it's even used by GUI on Linux.
The crazier part is Ubuntu using a pre-1.0 software suite instead of software that has been around for decades. The switch to Rust coreutils is far too early.
Instead of doing this, Ubuntu is just using a Rust rewrite of sudo. Some things really never change.
Without knowing more, creating a transient unit just to run a single shell command seems quite roundabout.
why does everyone want some obtuse enterprise version of every command? What ever happened to minimalism? Is having something with half a dozen poorly documented interconnected points of failure really that awesome?
Is this just elitest job security so that people can feel like they're a linux high priest?
You'd think by now they'd have learned, but apparently not.
Yes, it means going in a wrong direction sometimes as well: that's why it takes courage — success ain't guaranteed and you might be mocked or ridiculed when you fail.
Still, Ubuntu got from zero to most-used Linux distribution on desktops and servers with much smaller investment than the incumbents who are sometimes only following (like Red Hat).
So perhaps they also did a few things right?
(This discussion is rooted in one of those decisions too: Ubuntu was the first to standardize on sudo and no root account on the desktop, at least of mainstream distributions)
Nobody picked Ubuntu because of Mir, or Compiz, or Upstart(or snaps, while we're on the topic). They were obvious errors. That it's popular doesn't negate that fact.
The security argument is a red herring. It was originally built with no echo because it was easier to turn echo on and off than to echo asterisks. Not for security.
Because to hell with UX when it comes to security. Knowing the exact length of a password absolutely makes it significantly less secure, and knowing the timing of the keystrokes doubly so.
But SUDO is the one bastion where it is absolutely essential to not offer hiding keystrokes as an obscure config option, but enable for everyone and their mother?
One implies the other. You turn echo off. Then you write asterisks.
> Not for security.
Consider the case of copy and pasting parts of your terminal to build instructions or to share something like a bug report. Or screen sharing in general. You are then leaking the length of your password. This isn't necessarily disastrous for most use cases but it is a negative security attribute.
That's not how it works. Sudo turns off echo but otherwise keeps the terminal in it's normal cooked canonocal mode, meaning sudo only sees what you've entered after you hit enter. To print asteriks as you type requires putting the terminal in raw mode, which has the addition consequence of needing to implement shit like backspace yourself. Still a UX win worth doing, but it's pretty clear that skipping that and just disabling echo is an easier lazier implementation.
How about all the daemons that double log or double timestamp on systemd machines?
So hide the first one as well? But also, that's not true, not all terminal passwords are for local machine
> Confusing — appears frozen
So make it appear flashing? Still doesn't need to reveal length
This reminds me. Linux was already a fossil, except for some niches, but now in the age of AI, the fact that code can't be updated at will (and instead has to go through some medieval social process) is fatal. Soon the age will be here where we generate the necessary OS features on the fly. No more compatibility layers, no more endless abstractions, no more binaries to distribute, no more copyright, no need to worry about how "the others" use their systems, no more bike shedding. Instead, let the system manage itself, it knows best. We'll get endless customization without the ballast.
It's time to set software free from the social enclosures we built around it.