Hacker News

Ubuntu 26.04 Ends 46 Years of Silent sudo Passwords

196 points by akersten today at 5:06 AM | 223 comments

Comments

written-beyond today at 7:02 AM

The number of times I've been stuck wondering if my keystrokes are registering properly for a sudo prompt over a high latency ssh connection.

These servers I had an account set up on were, from what I observed, partially linked with the authentication mechanism used by the VPN and IAM services. Like they'd have this mandatory password reset process and sometimes sudo was set to that new password, other times it was whatever was the old one. Couple that with the high-latency connection and password authentication was horrible. You would never know if you mistyped something, or the password itself was incorrect, or the password you pasted went through or got double pasted.

I think this is a great addition, but only if it leads to Red Hat adopting it, which is what they were running on their VMs.

0xbadcafebee today at 5:10 PM

They could have just made it an option to enable the new behavior. There was no need to change the default.

As for security: 'shoulder surfing' may not be as much of a concern, but watching a livestream or presentation of someone who uses sudo will now expose the password length over the internet (and it's recorded for posterity, so all the hackers can find it later!). They've just introduced a new vulnerability to the remote world.

JoshTriplett today at 6:37 PM

I'm glad to see this change. This was already the case for GUI password prompts, and I'm happy to see terminals following suit.

This wasn't someone seeing Chesterton's fence and deciding to knock it down thoughtlessly. This is a change that someone can in fact think all the way through and say "yeah, this should be changed, it's an improvement and doesn't cause any meaningful reduction in security".

b0ringdeveloper today at 2:41 PM

Someone should make a joke version that replaces the ***s with comedic passwords or ridiculously bad ones: When you're typing your real password, "iloveyouiloveyou", "12345612345", or "hunter42hunter.." gets printed to the screen.

mzajc today at 6:54 PM

A few years ago, [0] made the following point with regard to password input feedback:

> For a time, there was rich pickings in applications that accepted passwords in unbuffered mode. Many of them doing it so that they could echo "*" symbols, character by character, as the user typed. That simple feature looks cool, and does give the user feedback ... but would leak the keystroke rate, which is the last thing you want on password entry.

This was in response to keystroke timing defense on SSH. Does this feature still come with the risk of leaking keystroke timing to an attacker with recent OpenSSH/Dropbear versions? If so, it might be wise to keep it disabled on servers.

[0]: https://news.ycombinator.com/item?id=37309122

dtech today at 7:40 AM

This is such a good decision. It's one of those things that's incredibly confusing initially, but you get so used to it over the years, I even forgot it was a quirk.

In the modern world there is no plausible scenario where this would compromise a password that wouldn't otherwise also be compromised with equivalent effort.

Tepix today at 7:20 AM

Why not just display a single character out of a changing set of characters such as / - \ | (starting with a random one from the set) after every character entered? That way you can be certain whether or not you entered a character, but an observer can't tell how many characters your password has.

goodcanadian today at 9:00 AM

Fascinating . . . reading the comments, it seems like the vast majority think this is a long overdue change. For myself, it never occurred to me that there was any issue and I'm slightly unsettled by the change (i.e. it is far from obvious to me that it's a good thing). It is not something I've thought deeply about, of course.

pvillano today at 5:49 PM

How much information is there in knowing the length of someone's password?

If we know the password's length, it saves us from guessing any shorter passwords. For example, for a numeric password, knowing the length is 4 saves us from having to guess [blank], 0-9, 00-99 and 000-999. This lowers the number of possibilities from 1111 to 1000. The password has 90% of its original strength. A [0-9a-zA-Z] password retains 98% of its original strength.

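As an added example (my own, not code from any commenter), the length-leak calculation above carried through for any alphabet size and password length, and generalized to the bound on how many bits a visible length can ever leak:

```python
import math

def keyspace(alphabet_size, max_len):
    """Candidates an attacker must try when the length is unknown and could be
    anything from 0 (empty) up to max_len: N^0 + N^1 + ... + N^max_len."""
    return sum(alphabet_size ** n for n in range(max_len + 1))

def strength_retained(alphabet_size, length):
    """Fraction of the search space that survives once the length is known:
    N^L candidates remain out of keyspace(N, L). For digits and L=4 this is
    10000 / 11111, i.e. the 90% figure in the comment above."""
    return alphabet_size ** length / keyspace(alphabet_size, length)

def bits_leaked(alphabet_size, length):
    """The same loss expressed as entropy, in bits."""
    return -math.log2(strength_retained(alphabet_size, length))

def max_bits_leaked(alphabet_size):
    """Upper bound: keyspace(N, L) is a geometric series, so N^L / keyspace
    tends to (N-1)/N as L grows, and the leak never exceeds log2(N/(N-1))
    bits however long the password is (about 0.15 bits for digits, about
    0.02 bits for 62 symbols)."""
    return math.log2(alphabet_size / (alphabet_size - 1))

if __name__ == "__main__":
    for name, n in (("digits", 10), ("[0-9a-zA-Z]", 62), ("printable ASCII", 95)):
        for length in (4, 8, 16):
            print(f"{name:16} L={length:2}: {strength_retained(n, length):.4f} "
                  f"retained, {bits_leaked(n, length):.3f} bits leaked "
                  f"(bound {max_bits_leaked(n):.3f})")
```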
timhh today at 7:38 AM

I did this!

I didn't actually know that Mint had enabled this by default. That would have been a useful counterpoint to the naysayers.

If you want the original behaviour you don't actually need to change the configuration - they added a patch afterwards so you can press tab and it will hide the password just for that time.

> The catalyst for Ubuntu’s change is sudo-rs

Actually it was me getting sufficiently pissed off at the 2 second delay for invalid passwords in sudo (actually PAM's fault). There's no reason for it (if you think there is look up unix_chkpwd). I tried to fix it but the PAM people have this strange idea that people like the delay. So I gave up on that and thought I may as well try fixing this other UX facepalm too. I doubt it would have happened with the original sudo (and they said as much) so it did require sudo-rs to exist.

I think this is one of the benefits of rewriting coreutils and so on in Rust - people are way more open to fixing long-standing issues. You don't get the whole "why are you overturning 46 years of tradition??" nonsense.

If anyone wants to rewrite PAM in Rust... :-D

https://github.com/linux-pam/linux-pam/issues/778

jiehong today at 11:09 AM

This fixes another issue: if you make a typo in your password, you don't know how many characters you need to delete, but now you would.

Gabrys1 today at 6:05 PM

BTW, you can also enable the PW feedback on the classic sudo. I've done that on one of my hosts.

prmoustache today at 9:28 AM

How many people with a loud mechanical keyboard shut their microphone to type a password when sharing their screen in an audio/video call?

SkyeCA today at 5:36 PM

This is a good UX change, one of many UX improvements needed on CLIs.

Not showing feedback on user input is objectively confusing for inexperienced users.

leni536 today at 6:49 AM

sudo is not the only thing that prompts for password in the terminal. There is at least passwd and ssh.

I value ctrl+U a lot more for password prompts than the visual feedback, it's even used by GUI on Linux.

johnisgood today at 5:13 PM

> and further adoption of Rust-based core utilities — including uutils/coreutils

Is it usable now? Do all utilities support all of GNU's features (or most)?

GuB-42 today at 5:18 PM

Unacceptable! This incident will be reported.

Havoc today at 9:45 AM

This was actually the thing that derailed my first attempt at Linux. I was like 14 or 15 and didn’t understand that concept so couldn’t log in lol

Waterluvian today at 5:46 PM

I kind of hate typing in my password all the time. Is there a way to sacrifice some security and do something like... ask for my password but automatically input it if my phone is detected via Bluetooth? (not connected, just detected).

I don't really want to just disable passwords. I recall that causing technical pains. And this is a desktop PC in my home office and I'm just generally okay with the associated security risks.

Elhana today at 8:15 AM

Deoxidizing is rather easy for now:

apt install sudo-ws

apt remove coreutils-from-uutils --allow-remove-essential

vandyswa today at 2:04 PM

When I wrote the login program for my VSTa microkernel, I took a page from the CDC side of the world--it echoes a _random_ (but small, non-zero) number of *'s. So you get feedback, but indeed peering over your shoulder will not disclose password length.

And yes, it remembers how many it echoes so backspace works correctly.

indubioprorubik today at 10:46 AM

The paranoids have had a say in way too many things, way too loud, way too long.

sandreas today at 9:48 AM

I'd think this is OK, but I'm not sure if another option to just give feedback of keyboard activity would combine the best of both worlds.

A space with a cursor instead of an asterisk would make it harder to count the chars.

Adding a random 1 to 3 output chars instead of one would obfuscate this even more.

A delayed output could make you submit the password prompt before showing anything.

A single asterisk that switches back to space after 250ms inactivity may even be better.

I don't know, but somehow this feels underthought even if it probably is not. Simple is probably the best approach.

GrayHerring today at 5:08 PM

Stop trying to fix what is not broken. If people have issues with latency or typing then the solution is not to "bypass" it.

wolvoleo today at 5:18 PM

Good!

I always thought it was annoying anyway.

system2 today at 6:12 PM

How many times I pressed backspace more than I typed because holding backspace probably didn't work... This is a good change IMHO. Laggy remote SSH sessions will be slightly better.

nathell today at 8:40 AM

The title kind of implies that silent sudo passwords have been a part of Ubuntu for the last 46 years.

stevetron today at 3:12 PM

So now there's a few additional steps when I install a new distribution to make certain that classic sudo is the one installed, rather than sudo-rs.

I'm sure someone thinks this is a good idea, but I do not, and nobody cares what I think. But I come from being a long-time coder who's always been a terrible typist and can't depend on "touch typing" and have to actually look at things, like the keys, and the screen. And handicapped by going blind in one eye, and having arguments with eye doctors who say "get used to it and switch to audio books" and needing 14-point boldface fonts for everything.

the__alchemist today at 5:30 PM

JCBP!

Neil44 today at 9:22 AM

They could give feedback about key presses without giving away the password length quite easily.

eviks today at 6:53 AM

> sudo password is the same as their login password — one that already appears as visible placeholder dots on the graphical login screen. Hiding asterisks in the terminal while showing them at login is, in the developers’ estimation, security theatre.

So hide the first one as well? But also, that's not true, not all terminal passwords are for the local machine.

> Confusing — appears frozen

So make it appear flashing? Still doesn't need to reveal length.

burnt-resistor today at 2:04 PM

Secure keyboard tty entry interaction by the terminal should manage this rather than implement it in one app. Another advantage of this method is that such affordances can be generated or silenced locally, and it's code that can be shared when used with passwd, pinentry, etc. and sudo rather than implemented N times.

charcircuit today at 7:59 AM

Modern password UI also gives the option to toggle the actual letters on so you can verify that you are actually typing the right thing. Hopefully that doesn't take another 46 years.

sourcegrift today at 7:09 AM

I've been using a two-character password for the last 10 years of my 23 years of Linux usage; I log in to the console and manually start X. Guess the shame will catch up now.

the_real_cher today at 3:39 PM

I've never once thought I wish I could see password characters when typing sudo.

It feels like dumbing down the cli.

But I don't know if this is an elder millennial "walked uphill in the snow both ways" kind of thing though.

Am I alone in this?

jbverschoor today at 6:37 AM

Weird argument about the logging password forging the same in a GUI. Because it certainly is not when logging in using a terminal locally, or ssh for that matter.

androiddrew today at 1:56 PM

I don’t know why this keeps coming up. Has this been a big deal for everyone else? Like ok usability improvement, but the number of times I have read an article about this is silly.

snvzz today at 1:01 PM

If it is a new tool, why not call it something else than sudo?

The expectation with sudo is silent passwords.

edf13 today at 8:16 AM

That site is terrible without ads blocked… it’s like a local newspaper site, you had to try and read the content in small snippets wedged between ads!

blfr today at 6:37 AM

Just as you get used to something crazy after two decades, have kids, and are about to unleash it on them, it gets fixed. Will there be no boomer pleasures left for us millennials?

b112 today at 8:19 AM

> For more than four decades, typing a password after a sudo prompt in a Linux terminal

What?!

2026 minus 46 is 1980. There was no Linux, at all, in 1980.

Someone is quite confused.

gzread today at 6:49 AM

Good. It's terrible UX.

The security argument is a red herring. It was originally built with no echo because it was easier to turn echo on and off than to echo asterisks. Not for security.

pojntfx today at 7:06 AM

It's fun, leading edge Linux distros (e.g. GNOME OS) are actually currently removing `sudo` completely in favour of `run0` from systemd, which fixes this "properly" by using Polkit & transient systemd units instead of setuid binaries like sudo. You get a UAC-style prompt, can even auth with your fingerprint just like on other modern OSes.

Instead of doing this, Ubuntu is just using a Rust rewrite of sudo. Some things really never change.

exac today at 8:07 AM

Could we not have used braille patterns? Start on a random one and you can just replace the character with the next one so it is possible for the user to see something was entered, but password length isn't given to someone looking over the user's shoulder?

⣾, ⣽, ⣻, ⢿, ⡿, ⣟, ⣯, ⣷

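Added example (my own, not code from any commenter or from sudo-rs): a keystroke-level model of the two length-hiding feedback schemes proposed in this thread, vandyswa's random 1-3 asterisks with backspace bookkeeping and the single-glyph spinner that Tepix and exac describe. Keys are fed in as a string so it runs without a terminal, and `rng` is injectable so the random variant is testable.

```python
import secrets

BACKSPACE = "\x7f"        # DEL, which most terminals send for the Backspace key
ERASE = "\b \b"           # erase one glyph: cursor left, overwrite with space, left
SPINNER = "⣾⣽⣻⢿⡿⣟⣯⣷"      # the braille frames proposed above; always one cell wide

def random_echo(keys, rng=secrets.randbelow):
    """vandyswa's scheme: each accepted character echoes 1..3 asterisks and the
    count is remembered per character, so Backspace erases exactly the glyphs
    that character produced. Returns (password, bytes written to the screen)."""
    password, counts, out = [], [], []
    for k in keys:
        if k == BACKSPACE:
            if counts:                       # nothing to erase on an empty line
                password.pop()
                out.append(ERASE * counts.pop())
            continue
        password.append(k)
        n = 1 + rng(3)                       # uniform in {1, 2, 3}
        counts.append(n)
        out.append("*" * n)
    return "".join(password), "".join(out)

def spinner_echo(keys, start=None):
    """Tepix's / exac's scheme: one glyph that advances on every keystroke,
    including Backspace, and is redrawn in place. The screen state is a single
    cell, so an onlooker learns that keys were pressed but not how many.
    Returns (password, bytes written to the screen)."""
    i = secrets.randbelow(len(SPINNER)) if start is None else start
    password, out = [], [SPINNER[i]]
    for k in keys:
        if k == BACKSPACE:
            if password:
                password.pop()
        else:
            password.append(k)
        i = (i + 1) % len(SPINNER)
        out.append("\b" + SPINNER[i])        # overwrite the previous frame
    return "".join(password), "".join(out)

def stars_on_screen(out):
    """What a shoulder surfer ends up seeing from random_echo's output: somewhere
    between len(password) and 3*len(password), so the length is bounded but
    not disclosed."""
    return out.count("*") - out.count(ERASE)
```

Both variants still read keys one at a time in unbuffered mode, so the keystroke-timing caveat mzajc raises upthread applies to them exactly as it does to plain asterisks.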
childintime today at 7:57 AM

46 years of silent sudo passwords.. it just demonstrates how crazy this world is, if this is considered news. It means the code is a living fossil and people live with that fact, instead of demanding (infinite and instant) control over their systems.

This reminds me. Linux was already a fossil, except for some niches, but now in the age of AI, the fact that code can't be updated at will (and instead has to go through some medieval social process) is fatal. Soon the age will be here where we generate the necessary OS features on the fly. No more compatibility layers, no more endless abstractions, no more binaries to distribute, no more copyright, no need to worry about how "the others" use their systems, no more bike shedding. Instead, let the system manage itself, it knows best. We'll get endless customization without the ballast.

It's time to set software free from the social enclosures we built around it.
