Some long pasted passwords show up in clear text #204

Open
eproxus opened this issue Mar 4, 2021 · 5 comments

eproxus commented Mar 4, 2021

When running `rebar3 hex user auth` and pasting a password that is longer than the terminal width, the password shows up in clear text in the terminal:

```
> rebar3 hex user auth
Username: ([])> test
Account Password: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Account Password:                         
You have authenticated on Hex using your account password. However, Hex requires you to have a local password that applies only to this machine for security purposes. Please enter it.
Local Password:                         
Local Password (confirm):                         
Generating all keys...                            
===> Failure generating authentication tokens: invalid username and password combination
```

Even though the prompt shows again, the password is entered correctly and you can proceed.

Environment

```
> rebar3 --version
rebar 3.14.4 on Erlang/OTP 23 Erts 11.1.8
> rebar3 as global plugins list
--- Global plugins ---
rebar3_hex (6.10.3)
```

@starbelly
Member

  1. I have a few TODOs around this area that will at least mitigate this problem a bit, I believe. Namely, checking to see if the username/password is right prior to prompting for a local password. What's more, prompting for the username / password if it comes back wrong.

  2. We, along with the Hex team, have discussed moving to a web flow for authenticating vs authenticating with a password. I mention this because my hunch is that the odd paste behavior is around how we handle masking, and also how mix hex handles it as well.

I'm not sure that 2. obviates addressing the issue you've created because I don't know exactly when that will be. I or someone will look into this as soon as possible.

@paulo-ferraz-oliveira
Collaborator

Potentially related (to Bryan's expectations/future changes): when you write the local password it seems to write the character and then hide it. I'm not sure this is possible to change, but if filmed, for example, might be a security risk.

@starbelly
Member

@paulo-ferraz-oliveira yes, precisely. We do this because there are issues with doing it a "better" way. Specifically, you can run into gotchas around IO in subsequent operations and this is the only solution that works on Windows.

@paulo-ferraz-oliveira
Collaborator

(we can always tell the user to enter the password while covering it with his/her hands 😄)

@paulo-ferraz-oliveira
Collaborator

@starbelly, newer versions of Erlang (thinking 26+, or even 27) already do something in regard to "hiding the password as you type it" better, right?
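
The transcript in the report is consistent with masking that lets the terminal echo input and then erases the cursor's current row; that mechanism is an assumption made here, not something confirmed from rebar3_hex source. The following added example (not part of the thread or the project; `render`, `mask_by_row_erase` and `leaked` are hypothetical names, the pasted value is constructed) models a wrapping terminal to show why text that wrapped onto an earlier row survives such an erase:

```python
# Added illustration. The erase-the-row masking modelled here is an assumption,
# not taken from rebar3_hex; the pasted values below are constructed.
ERASE_ROW = "\x1b[2K"  # ANSI "erase in line": clears only the cursor's current row

def render(stream, width):
    """Tiny terminal model: fixed-width rows, auto-wrap, CR, LF and ERASE_ROW."""
    rows, row, col, i = [[" "] * width], 0, 0, 0
    while i < len(stream):
        if stream.startswith(ERASE_ROW, i):
            rows[row] = [" "] * width      # rows above the cursor are untouched
            i += len(ERASE_ROW)
            continue
        ch = stream[i]
        i += 1
        if ch == "\r":
            col = 0
            continue
        if ch == "\n" or col == width:     # explicit newline or auto-wrap
            rows.append([" "] * width)
            row, col = row + 1, 0
            if ch == "\n":
                continue
        rows[row][col] = ch
        col += 1
    return ["".join(r).rstrip() for r in rows]

def mask_by_row_erase(prompt, pasted, width):
    """The terminal echoes the paste, then the masker erases the row and redraws the prompt."""
    return render(prompt + pasted + ERASE_ROW + "\r" + prompt, width)

def leaked(rows, pasted):
    """Longest prefix of the pasted value still on screen.
    Assumes the value shares no characters with the prompt (true for the samples)."""
    screen = "\n".join(rows)
    return next((pasted[:n] for n in range(len(pasted), 0, -1)
                 if pasted[:n] in screen), "")

if __name__ == "__main__":
    prompt, width = "Account Password: ", 40
    for pasted in ("0123456789", "0123456789" * 6):   # fits on one row / wraps
        rows = mask_by_row_erase(prompt, pasted, width)
        print(rows, "-> still visible:", repr(leaked(rows, pasted)))
```

In this model a masker only hides input that stays on the prompt's row; anything that depends on echo being on and cleaned up afterwards has to account for every row the input spanned.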
