Summary
- sudo-rs now shows asterisks by default, replacing decades of invisible sudo password input.
- Dev argues that asterisks fix a major UX pain point for new users, with a slight security trade-off.
- Ubuntu 26.04 ships it; annoyed users can revert via ‘Defaults !pwfeedback’ in sudoers, but the feature is marked ‘Won’t Fix.’
As an ex-Windows user, one of the weirder moments I had when getting used to Linux was how sudo ‘eats’ your password. If you’ve never used it before, sudo won’t show any visual feedback as you type your password. There are no asterisks, no moving cursors, and no sound effects. It’s to prevent people who are looking over your shoulder from guessing your password based on its length, but if you’re not used to it, it feels like you’re not typing anything in at all.
Well, the rewrite of sudo, sudo-rs, has decided to scrap the original’s 46-year-old password-hiding feature. Now, when you type in your password, it will show up as asterisks. Unfortunately, people are not happy with the change, and it’s easy to see why.
Ubuntu is the reason Windows users don’t want to switch to Linux
First impressions matter
Sudo-rs enables password feedback asterisks by default
And people aren’t pleased
As spotted by Phoronix, this story begins as a commit made to sudo-rs two weeks ago. Titled “Enable pwfeedback by default,” the change enables the password asterisks by default, which people can disable if they want to go back to the invisible method.
Here’s the justification for the change as per the commit:
Change the default so that asterisks are shown when entering passwords. It is still possibly to disable the asterisks by explicitly turning `pwfeedback` off.
This fixes a major UX pain point for new users. Security is theoretically worse since password lengths are exposed to people watching your screen, but this is an infinitesimal benefit far outweighed by the UX issue. Outside of sudo/login no other password entry interfaces omit asterisks (including others on Linux).
Fast forward to today, and that version of sudo-rs is now live on Ubuntu 26.04. Now people are typing in their passwords into Ubuntu, only to find that sudo-rs is showing the length of their password, which isn’t how the original version of sudo has done things for over four decades.
As you might imagine, people aren’t happy. One bug report for Ubuntu 26.04, titled “sudo-rs echos * for every character typed breaking historical security measures older than I am,” shows someone’s ire toward the new system. They do use one case of strong language, so be careful of who’s looking over your shoulder when you open that link (ironically enough); however, the jist of the bug report is that using asterisks by default “goes against decades of not echoing the length of the password to shoulder surfers,” and simply demands the people responsible to “fix this.”
Simon Johnsson of Ubuntu visited the thread, telling the irate user that the change “has been introduced to improve the user experience for inputting the password,” and that they can type “sudo visudo” and add the line “Defaults !pwfeedback” to the file. However, the original bug reporter was left unimpressed, and the report itself has been marked as “Won’t Fix”.
