Summary
- sudo-rs now shows asterisks by default, replacing decades of invisible sudo password input.
- Dev argues that asterisks fix a major UX pain point for new users, with a slight security trade-off.
- Ubuntu 26.04 ships it; annoyed users can revert via 'Defaults !pwfeedback' in sudoers, but the feature is marked 'Won't Fix.'
As an ex-Windows user, one of the weirder moments I had when getting used to Linux was how sudo 'eats' your password. If you've never used it before, sudo won't show any visual feedback as you type your password. There are no asterisks, no moving cursors, and no sound effects. It's to prevent people who are looking over your shoulder from guessing your password based on its length, but if you're not used to it, it feels like you're not typing anything in at all.
Well, the rewrite of sudo, sudo-rs, has decided to scrap the original's 46-year-old password-hiding feature. Now, when you type in your password, it will show up as asterisks. Unfortunately, people are not happy with the change, and it's easy to see why.
Sudo-rs enables password feedback asterisks by default
And people aren't pleased
As spotted by Phoronix, this story begins as a commit made to sudo-rs two weeks ago. Titled "Enable pwfeedback by default," the change enables the password asterisks by default, which people can disable if they want to go back to the invisible method.
Here's the justification for the change as per the commit:
Change the default so that asterisks are shown when entering passwords. It is still possible to disable the asterisks by explicitly turning `pwfeedback` off.
This fixes a major UX pain point for new users. Security is theoretically worse since password lengths are exposed to people watching your screen, but this is an infinitesimal benefit far outweighed by the UX issue. Outside of sudo/login no other password entry interfaces omit asterisks (including others on Linux).
Fast forward to today, and that version of sudo-rs is now live on Ubuntu 26.04. People typing their passwords into Ubuntu are now finding that sudo-rs reveals the length of their password, which isn't how the original sudo has behaved for over four decades.
As you might imagine, people aren't happy. One bug report for Ubuntu 26.04, titled "sudo-rs echos * for every character typed breaking historical security measures older than I am," shows someone's ire toward the new system. They do use one case of strong language, so be careful of who's looking over your shoulder when you open that link (ironically enough); however, the gist of the bug report is that using asterisks by default "goes against decades of not echoing the length of the password to shoulder surfers," and it simply demands that the people responsible "fix this."
Simon Johnsson of Ubuntu visited the thread, telling the irate user that the change "has been introduced to improve the user experience for inputting the password," and that they can type "sudo visudo" and add the line "Defaults !pwfeedback" to the file. However, the original bug reporter was left unimpressed, and the report itself has been marked as "Won't Fix".
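If you manage several machines, it helps to check which way a sudoers file actually leaves `pwfeedback` once the new default is taken into account. The checker below is an added example, not code from the article or from the sudo-rs project; it assumes that only unconditional `Defaults` lines matter, that later entries override earlier ones, and that sudo-rs starts from `pwfeedback` on.

```sh
#!/bin/sh
# Added example, not code from the article or from sudo-rs: report the
# pwfeedback setting that a sudoers-style file leaves in effect, starting
# from the new sudo-rs default of "on". Assumptions: only unconditional
# "Defaults" lines count (Defaults@host, Defaults:user and Defaults!cmd
# forms are skipped), later entries override earlier ones, and options may
# be comma-separated. For the authoritative answer use visudo or sudo -l.
set -f   # no globbing while we word-split sudoers lines with "set --"

effective_pwfeedback() {
  file=$1
  state=on                       # sudo-rs default after the change
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}             # strip comments (also #include lines)
    set -- $line                 # split into words; $1 is the keyword
    [ "$1" = "Defaults" ] || continue
    shift
    opts=$(printf '%s ' "$@" | tr ',' ' ')
    for opt in $opts; do
      case "$opt" in
        pwfeedback)    state=on ;;
        '!pwfeedback') state=off ;;
      esac
    done
  done < "$file"
  printf '%s\n' "$state"
}

# Constructed sample sudoers for the demonstration (not a real system file).
sample_sudoers() {
  cat <<'EOF'
Defaults env_reset, pwfeedback
Defaults@laptop !pwfeedback    # host-specific entry: skipped here
%sudo ALL=(ALL:ALL) ALL
Defaults !pwfeedback           # last unconditional entry wins
EOF
}

demo() {
  tmp=$(mktemp)
  sample_sudoers > "$tmp"
  effective_pwfeedback "$tmp"   # prints "off"
  rm -f "$tmp"
}
demo
```

Point it at `/etc/sudoers` or a drop-in under `/etc/sudoers.d/` to see whether the `Defaults !pwfeedback` workaround is in force; a file with no `pwfeedback` entry at all reports "on", the new sudo-rs default.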