For decades, the execution of sudo or analogous operations within Linux distributions has demanded a password while steadfastly denying the user any visual feedback upon the screen; the interface betrays no asterisks, no dots, nor any advancement of the cursor.
This austere design was originally conceived as a security safeguard. Upon creating sudo in 1980, developers at the State University of New York at Buffalo deliberately obscured the input state to thwart any clandestine observer from discerning the password’s length.
This venerable tradition has endured for over forty-five years; nevertheless, its benefit today is negligible, whilst its cost to the user experience is palpable, as individuals are left with no confirmation that their keystrokes are registering.
Consequently, the Linux Mint distribution has elected to enable visual password feedback by default. Given that the heavens have not collapsed in the wake of this alteration, Canonical is now poised to adopt this very measure.
Canonical is presently re-engineering sudo in the Rust programming language. In this new implementation, the developers have enabled visual password feedback by default, meaning that the user’s keystrokes are displayed as asterisks to show input progress.
Unsurprisingly, this refinement immediately elicited vehement opposition from a faction of users. Detractors argued that rendering an asterisk for every inscribed character shatters the hallowed security paradigm of sudo.
Equally unsurprisingly, the Ubuntu developers categorically dismissed these critiques. sudo-rs will continue to enable the pwfeedback parameter by default, and is destined to debut in that form within the Ubuntu 26.04 LTS release.
The philosophical consensus betwixt the Ubuntu and sudo-rs development teams asserts that perpetuating the concealment of the input state at this juncture is naught but security theater, offering no substantive augmentation to actual safety.
For instance, any adversary capable of accurately tallying the asterisks adorning your display is undoubtedly positioned to observe the dance of your fingers upon the keyboard or to aurally register the cadence of your keystrokes. More fundamentally, the overwhelming majority of users employ identical credentials for both sudo authorization and system login; paradoxically, the login interface readily betrays the password’s length via placeholder dots.
Therefore, an obstinate adherence to absolute input concealment makes little logical sense. The developers behind both sudo-rs and Ubuntu remain resolute in keeping the pwfeedback configuration enabled.
Indeed, it is. Should certain purists retain an affinity for an interface utterly devoid of feedback, they are at liberty to disable the pwfeedback parameter themselves. The procedure is as follows:
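One way to carry this out, as an added example that is not part of the original article: it assumes the standard sudoers syntax `Defaults !pwfeedback`, that `/etc/sudoers` includes `/etc/sudoers.d`, and a hypothetical drop-in name `90-no-pwfeedback`. The file is staged and syntax-checked before it becomes active, because a malformed sudoers file can leave sudo unusable.

```shell
#!/bin/sh
# Added example (not from the article): disable sudo password feedback via a
# validated sudoers drop-in. The file name below is hypothetical.
DROPIN_NAME="90-no-pwfeedback"   # no "." or trailing "~": sudo skips such names

# write_dropin DIR: stage the setting in DIR, syntax-check it, then activate it.
# Prints the final path on success; on any failure removes the staged file.
write_dropin() {
    dir=$1
    # The staged name contains dots, so sudo ignores it until it is renamed.
    tmp=$(mktemp "$dir/.pwfeedback.XXXXXX") || return 1
    printf 'Defaults !pwfeedback\n' > "$tmp" || { rm -f "$tmp"; return 1; }
    # A sudoers syntax error can lock every user out of sudo, so check first.
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$tmp" >/dev/null 2>&1 || { rm -f "$tmp"; return 1; }
    fi
    # sudoers files are expected to be mode 0440; rename is atomic within DIR.
    if chmod 0440 "$tmp" && mv -f "$tmp" "$dir/$DROPIN_NAME"; then
        printf '%s\n' "$dir/$DROPIN_NAME"
    else
        rm -f "$tmp"; return 1
    fi
}

# Install only when asked explicitly, as root: sh this-script --install
if [ "${1:-}" = "--install" ]; then
    write_dropin /etc/sudoers.d
fi
```
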
Thereafter, the modification takes effect at once in any newly opened terminal, entirely obviating the need for a system reboot.