
Some long pasted passwords show up in clear text

Open eproxus opened this issue 3 years ago • 5 comments

When running rebar3 hex user auth and pasting a password that is longer than the terminal width the password shows up in clear text in the terminal:

> rebar3 hex user auth
Username: ([])> test
Account Password: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Account Password:                         
You have authenticated on Hex using your account password. However, Hex requires you to have a local password that applies only to this machine for security purposes. Please enter it.
Local Password:                         
Local Password (confirm):                         
Generating all keys...                            
===> Failure generating authentication tokens: invalid username and password combination

Even though the prompt shows again, the password is entered correctly and you can proceed.

Environment

> rebar3 --version
rebar 3.14.4 on Erlang/OTP 23 Erts 11.1.8
> rebar3 as global plugins list
--- Global plugins ---
rebar3_hex (6.10.3)

eproxus avatar Mar 04 '21 15:03 eproxus

  1. I have a few TODOs around this area that will at least mitigate this problem a bit, I believe. Namely, checking to see if the username/password is right prior to prompting for a local password. What's more, prompting for the username / password if it comes back wrong.

  2. We along with hex team have discussed moving to a web flow for authenticating vs authenticating with a password. I mention this because my hunch is that the odd paste behavior is around how we handle masking, and also how mix hex handles it as well.

I'm not sure that 2. obviates addressing the issue you've created because I don't know exactly when that will be. I or someone will look into this as soon as possible.

starbelly avatar Mar 04 '21 16:03 starbelly

Potentially related (to Bryan's expectations/future changes): when you write the local password it seems to write the character and then hide it. I'm not sure this is possible to change, but if filmed, for example, it might be a security risk.

paulo-ferraz-oliveira avatar Mar 04 '21 16:03 paulo-ferraz-oliveira

@paulo-ferraz-oliveira yes, precisely. We do this because there are issues with doing it a "better" way. Specifically, you can run into gotchas around IO in subsequent operations, and this is the only solution that works on Windows.

starbelly avatar Mar 04 '21 19:03 starbelly
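The failure mode in the original report follows directly from the "write the character and then hide it" approach discussed above: the terminal echoes the pasted input, and the program then redraws the current line to cover it. Once the paste has wrapped past the right margin, the redraw can only reach the last row, so everything that wrapped stays visible. The following is an added example, not rebar3_hex or Hex code, written in Python so the behaviour can be modelled offline: a small screen model (an assumption about terminal semantics, simplified to immediate wrap, with `\r` and erase-line acting on the current row only), the echo-then-erase strategy run against it, and the alternative of clearing the terminal's ECHO flag before reading (the POSIX `termios` approach `getpass` uses). The prompt text and the sample password `hunter2` are constructed for the example.

```python
"""Why 'echo the input, then redraw the line over it' leaks long pasted passwords.

Added example, not code from rebar3_hex. The FakeTerminal is a deliberate
simplification (assumption): characters wrap immediately at the right margin,
'\\r' returns to column 0 of the current row, and ESC[2K erases only the
current row. Real terminals differ in details but share the property that
matters here: nothing the program writes afterwards can reach a row the echoed
input has already wrapped away from.
"""
import sys

ERASE_LINE = "\x1b[2K"


class FakeTerminal:
    """Fixed-width screen model with a cursor, used to see what stays visible."""

    def __init__(self, width):
        self.width = width
        self.rows = [[" "] * width]
        self.row = 0
        self.col = 0

    def _down(self):
        self.row += 1
        self.col = 0
        if len(self.rows) <= self.row:
            self.rows.append([" "] * self.width)

    def write(self, text):
        i = 0
        while i < len(text):
            if text.startswith(ERASE_LINE, i):      # erase current row only
                self.rows[self.row] = [" "] * self.width
                i += len(ERASE_LINE)
                continue
            ch = text[i]
            i += 1
            if ch == "\r":                          # back to column 0, same row
                self.col = 0
            elif ch == "\n":
                self._down()
            else:
                self.rows[self.row][self.col] = ch
                self.col += 1
                if self.col == self.width:          # wrap to the next row
                    self._down()

    def screen(self):
        """Rows as strings, trailing blanks stripped."""
        return ["".join(r).rstrip() for r in self.rows]


def prompt_with_echo_then_erase(term, prompt, pasted):
    """Echo stays on: the terminal draws the whole paste, then the program
    tries to hide it by erasing and redrawing the current line with the prompt."""
    term.write(prompt)
    term.write(pasted)                              # terminal-side echo of the paste
    term.write(ERASE_LINE + "\r" + prompt)          # the 'hide it afterwards' redraw
    return term.screen()


def prompt_with_echo_off(term, prompt, pasted):
    """Echo is off before the read: the input reaches the program, not the screen."""
    term.write(prompt)
    del pasted                                      # consumed, never drawn
    return term.screen()


def visible_secret(screen, secret):
    """Longest prefix of the secret still readable on screen (simple substring check)."""
    text = "".join(screen)
    for n in range(len(secret), 0, -1):
        if secret[:n] in text:
            return secret[:n]
    return ""


def read_password_no_echo(prompt="Password: ", stream=None):
    """Read one line with the terminal's ECHO flag cleared, restoring it afterwards.

    This is what getpass does on POSIX. termios is not available on Windows,
    which is the constraint mentioned in the thread; on a non-tty stream
    (pipe, CI, the test below) the line is simply read as-is.
    """
    stream = stream or sys.stdin
    sys.stderr.write(prompt)
    sys.stderr.flush()
    if not stream.isatty():
        return stream.readline().rstrip("\r\n")
    import termios                                  # POSIX only
    fd = stream.fileno()
    old = termios.tcgetattr(fd)
    new = list(old)
    new[3] &= ~termios.ECHO                         # index 3 is lflag
    try:
        termios.tcsetattr(fd, termios.TCSAFLUSH, new)
        line = stream.readline()
    finally:
        termios.tcsetattr(fd, termios.TCSAFLUSH, old)
    sys.stderr.write("\n")
    return line.rstrip("\r\n")


if __name__ == "__main__":
    secret = "hunter2" * 5                          # 35 chars on a 40-column terminal
    for name, fn in (("echo then erase", prompt_with_echo_then_erase),
                     ("echo off", prompt_with_echo_off)):
        screen = fn(FakeTerminal(40), "Account Password: ", secret)
        print(name, screen, "leaked:", repr(visible_secret(screen, secret)))
```

With a 40-column terminal and an 18-character prompt, a 7-character password is fully covered by the redraw, while a 35-character paste leaves its first 22 characters on the previous row, which is exactly the shape of the transcript in the report. Turning echo off before the read avoids both this and the "filmed while typing" concern raised above, because the secret is never drawn; the cost is the platform dependence the maintainer points out, since `termios` does not exist on Windows.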

(we can always tell the user to enter the password while covering it with his/her hands 😄)

paulo-ferraz-oliveira avatar Mar 04 '21 22:03 paulo-ferraz-oliveira

@starbelly, newer versions of Erlang (thinking 26+, or even 27) already do something better in regards to "hiding the password as you type it", right?

paulo-ferraz-oliveira avatar Apr 08 '24 23:04 paulo-ferraz-oliveira