The following "bug" occurs quite often during first login (and probably beyond):
1. Login prompt shows up.
2. User enters username and confirms with [Enter].
3. System gets a little load in the background, while the user continues typing his password at normal speed.
4. The first few characters of the user's password are being displayed in plain text on /dev/console, while the rest lands in the "real" password prompt as "*".
5. User presses [Enter] again to confirm the password and receives a "login incorrect" message, and is simultaneously surprised and shocked to see part of his/her password in plain text on the screen/console.
I asked around in #gentoo.de and it seems like many people know this phenomenon, and it also seems not to be hardware-related, so slow notebooks _and_ fast desktop PCs are equally vulnerable. (First I suspected this to be a "slow-HDD" problem only, but I got corrected by feedback on IRC.) I don't know how to correct this bug myself, but I know, for example, that in ncurses-based software development there is such a thing as the "noecho()" command, which disables output to the console even if the user keeps on typing stuff. My suggestion is to implement something that acts like ncurses noecho() to suppress keyboard input from the user until all internal processes/threads of /bin/login are ready to prompt for (_and_ receive) the user's password. In the (sometimes) short meantime between "login: <passwd>[Enter]" and the "password: " prompt there should be no output to the console for user interactions. This bug sure is not *critical*, but I have the feeling that it is not very difficult to fix. (If you knew ANSI C, I guess :D ). It sure won't help with getting "login incorrect" messages if you really challenge the login prompt by typing too quickly, but at least the _precious_ user passwd won't be displayed in plain text on screen, or even sent all over the inet via telnet & co. in the worst case. Bye.
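The sequence the report asks for (echo off before the slow work, typeahead discarded, then prompt) is what a POSIX termios program does with tcsetattr(). The following is an added example written for this thread, not code from /bin/login or from any Gentoo package; it assumes a POSIX system with /dev/tty and uses sleep() to stand in for the background load the reporter describes.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <termios.h>
#include <unistd.h>

/* Local-mode flags for password entry: every echo bit cleared,
   canonical mode kept so the tty still assembles a full line. */
tcflag_t password_lflag(tcflag_t lflag) {
    return (lflag & ~(tcflag_t)(ECHO | ECHOE | ECHOK | ECHONL)) | ICANON;
}

/* Turn echo off on fd, saving the old settings in *saved.
   Returns -1 if fd is not a terminal or the change fails. */
int echo_off(int fd, struct termios *saved) {
    struct termios quiet;
    if (tcgetattr(fd, saved) != 0)
        return -1;
    quiet = *saved;
    quiet.c_lflag = password_lflag(saved->c_lflag);
    /* TCSAFLUSH: apply after pending output drains and discard input
       already queued, so keystrokes typed ahead of the prompt can
       neither be displayed nor land in the password buffer. */
    return tcsetattr(fd, TCSAFLUSH, &quiet);
}

int echo_restore(int fd, const struct termios *saved) {
    return tcsetattr(fd, TCSAFLUSH, saved);
}

/* Read one line from fd into buf (NUL-terminated, newline stripped).
   Returns the number of bytes stored, or -1 on a read error. */
ssize_t read_line(int fd, char *buf, size_t len) {
    size_t n = 0;
    while (n + 1 < len) {
        char c;
        ssize_t r = read(fd, &c, 1);
        if (r < 0)
            return -1;
        if (r == 0 || c == '\n')
            break;
        buf[n++] = c;
    }
    buf[n] = '\0';
    return (ssize_t)n;
}

int main(void) {
    struct termios saved;
    char pw[128];
    ssize_t n;
    int tty = open("/dev/tty", O_RDWR);
    if (tty < 0) {
        perror("open /dev/tty");
        return 1;
    }
    /* 1. Echo goes off as soon as the username has been accepted ... */
    if (echo_off(tty, &saved) != 0) {
        perror("echo_off");
        return 1;
    }
    /* 2. ... and only then does the slow work run (simulated here), so
          anything typed during it is not shown on the console. */
    sleep(2);
    (void)tcflush(tty, TCIFLUSH);        /* drop what was typed during the wait */
    /* 3. Prompt and read with echo still off, then restore the tty. */
    (void)write(tty, "Password: ", 10);
    n = read_line(tty, pw, sizeof pw);
    (void)write(tty, "\n", 1);
    (void)echo_restore(tty, &saved);
    if (n < 0) {
        perror("read");
        return 1;
    }
    printf("password received (%zd bytes, none echoed)\n", n);
    memset(pw, 0, sizeof pw);            /* scrub; use explicit_bzero where available */
    close(tty);
    return 0;
}
```

Run it and type during the two-second pause: nothing appears, and the prompt then reads only what is typed after it. The flush in step 2 is what makes early keystrokes fail closed (they are dropped rather than silently consumed as the password), which is the behaviour the report wants instead of a partial password in clear on /dev/console.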
Setting to auditing for confirmation
So the bug is that if a user types in their password when login hasn't prompted for it, the password can be seen on the console? I'm marking this as invalid, as if login hasn't prompted for it, you shouldn't type it in, so PEBKAC; we can't protect users who type in their password indiscriminately from themselves.
A ton of applications "suffer" from this "bug"; you could do the same thing with ssh, for example.