Pixel Envy

Written by Nick Heer.

Insecure Keyboard Entry

Daniel Jalkut made a little tool to alert him any time he tries to enter his password in a non-password field on his Mac. Turns out, there are a couple of places in OS X that look and work like secure password entry fields, but aren’t. Like Terminal:

The nice “•” is new to Yosemite, I believe. Previously tools such as sudo just blocked typing, leaving a blank space. But in Yosemite I notice the same “secure style” bullet is displayed in both sudo and ssh, when prompting for a password. To me this implies a sense of enhanced security: clearly, the Terminal knows that I am inputting a password here, so I would assume it applies the same care that the rest of the system does when I’m entering text into a secure field. But it doesn’t. When I type my password to sudo something in the Terminal, my little utility barks at me. There’s no way around it: it saw me typing my password. I confirmed that it sees my typing when entering an ssh password, as well.

There are a couple of radars that are dupe-able in Jalkut’s post, too.