sudo is probably the most famous command in the Linux world. It allows ordinary users to run other commands or programs with superuser privileges, letting them make system-wide changes or modifications that they can't make with their ordinary user privileges.
The Current Situation
By default on all Linux distributions, when you run the sudo command, you’ll need to enter the superuser password just like below:
One thing to notice in the picture above is that the password is hidden. When users type anything at that point, nothing is displayed on the screen, not even asterisks. They have to trust that something is being entered in the terminal, type their password and hit Enter.
Historically, this is done for both ease of implementation and security reasons. It makes it difficult for people looking over your shoulder to learn your password length. If they don’t know your password length, it is harder for them to guess it. They can, of course, listen to the keystrokes and try to guess how many characters you typed. But that’s more difficult than just looking at the screen and counting the number of asterisks there.
Also, when they see that your password is very long, they might not even try to use your computer and guess your password. But if your password is only a few characters long, it will give them hope.
Additionally, in terms of implementation, displaying an asterisk instead of the password character requires more code and work. In the terminal, when you type normal commands and see them on the screen, it’s because the “echo mode” is set to On, meaning that all characters will be displayed on your screen. In sensitive commands, however, such as sudo or passwd, “echo mode” is set to Off, which simply skips the extra step of printing those characters to the screen. So that’s less work and code, and it has stayed that way since the Unix days: simply hide the password characters.
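The difference in effort described above, as an added Python example that is not sudo's code and not from the original article: hiding input is one cleared flag (ECHO), while asterisks mean leaving canonical mode and re-implementing the line editing the kernel used to do. The names `handle_key` and `read_password` are hypothetical, and the Backspace and Ctrl-U byte values assume the terminal's default erase and kill keys.

```python
import os
import termios

ERASE = b"\b \b"   # move left, overwrite the asterisk with a space, move left again

def handle_key(secret: bytearray, key: int) -> bytes:
    """Apply one keystroke to `secret`; return the bytes to draw as feedback."""
    if key in (0x7F, 0x08):                    # Backspace / Ctrl-H (assumed default erase key)
        if not secret:
            return b""                         # nothing to erase
        secret.pop()
        return ERASE
    if key == 0x15:                            # Ctrl-U (assumed default kill key)
        drawn = ERASE * len(secret)
        secret.clear()
        return drawn
    secret.append(key)                         # byte-oriented: one '*' per byte received
    return b"*"

def read_password(fd: int, feedback: bool = False) -> bytes:
    """Read one line from terminal `fd` with echo off, optionally drawing asterisks."""
    old = termios.tcgetattr(fd)
    new = termios.tcgetattr(fd)
    new[3] &= ~termios.ECHO                    # hidden input: one flag in c_lflag
    if feedback:
        new[3] &= ~termios.ICANON              # per-key input: kernel line editing is gone
        new[6][termios.VMIN], new[6][termios.VTIME] = 1, 0
    try:
        termios.tcsetattr(fd, termios.TCSAFLUSH, new)
        if not feedback:
            return os.read(fd, 4096).rstrip(b"\r\n")   # kernel handled Backspace/Ctrl-U
        secret = bytearray()
        while (ch := os.read(fd, 1)) and ch not in (b"\n", b"\r"):
            os.write(fd, handle_key(secret, ch[0]))    # the asterisks reveal the length
        return bytes(secret)
    finally:
        termios.tcsetattr(fd, termios.TCSAFLUSH, old)  # always restore the terminal
        os.write(fd, b"\n")                            # Enter was not echoed either

if __name__ == "__main__" and os.isatty(0):
    tty_fd = os.open("/dev/tty", os.O_RDWR | os.O_NOCTTY)
    for mode in (False, True):
        os.write(tty_fd, f"password (feedback={mode}): ".encode())
        pw = read_password(tty_fd, feedback=mode)
        os.write(tty_fd, b"read %d bytes\n" % len(pw))
    os.close(tty_fd)
```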
The issue
From a user experience perspective, think of new users of Linux distributions and non-technical people who might need to use the sudo command: the current behavior doesn’t give them any explanation or hint about why the keys they are hitting aren’t displayed on the screen when they type their passwords. They may think that there’s an issue in the system or with their keyboards, because no visual feedback is given.
Of course, for people who have used Linux or other Unix-like systems for years, this is a trivial thing. But for new people, and ordinary teachers, doctors, your grandpa or my aunt, this is a very bad user experience. Users do expect to get feedback on the screen when they hit keyboard keys, which isn’t being done here.
A workaround would be to run the sudo visudo command, change the Defaults env_reset line to Defaults env_reset, pwfeedback, and then save the file and exit:
From now on, sudo will display asterisks when you enter your passwords:
A Proposal
Major Linux distributions should take this issue into consideration and try to fix it. There are two approaches that we see as feasible:
- Just like the above, make sudo display asterisks when you enter your password. But that will take away the little advantage of people not knowing the length of your password. Whether this advantage is actually needed or not in the real world is open to discussion.
- Display a text message whenever the sudo command is called that explains what’s happening and why the characters aren’t being displayed. A normal sudo use case then would be:

    mhsabbagh@potatopc:~$ sudo synaptic
    Note: Keys you write now are not going to be displayed on the screen for security reasons, but the system does receive them.
    [sudo] password for mhsabbagh:

In that way, the terminal would still not display the password characters as they are being entered, but first-time users will realize and understand that what they are typing is actually being received, not that there’s an issue or a problem with their keyboard.
Conclusion
We have seen so far why this is an issue, how to work around it and what the possible permanent solutions for it are. If you are a member of any major Linux distribution community, it would be a good idea to discuss this topic with your distribution’s developers and see what they think about it.
In the meantime, we would like to know about your opinions in the comments below.
With a B.Sc and M.Sc in Computer Science & Engineering, Hanny brings more than a decade of experience with Linux and open-source software. He has developed Linux distributions, desktop programs, web applications and much more, all of which attracted tens of thousands of users over many years. He additionally maintains other open-source related platforms to promote it in his local communities.
Hanny is the founder of FOSS Post.