Ubuntu 26.04 Ends 46 Years of Silent sudo Passwords

Overall sentiment

  • Many welcome showing asterisks for sudo as long‑overdue UX; a substantial minority sees it as unnecessary or a security regression.
  • Several note this is already standard in GUIs and some distros (e.g., Mint) and view Ubuntu’s change as catching up.

UX motivations and real‑world pain points

  • Silent prompts confuse newcomers; some report Linux adoption being delayed because they thought password entry was “broken.”
  • High‑latency SSH, flaky keyboards, and screen sharing make it hard to know if keystrokes registered; people resort to typing in text editors then pasting, which is worse for security.
  • Accessibility: users who aren’t strong typists or have vision issues value visible feedback. Discoverability of shortcuts like Ctrl‑U is poor.

Security and password‑length debate

  • Pro‑change: knowing the length is a negligible leak for strong passwords; most modern attack models involve stolen hashes or credential stuffing, not live brute force at a sudo prompt.
  • Counterpoint: even small hints (exact length, keystroke timing, livestream recordings, remote observation) are still information leakage, and can help attackers triage weak targets.
  • Some call the old behavior “security theater”; others argue that even small, cheap protections are worthwhile, especially on shared or high‑risk systems.
  • There’s technical back‑and‑forth on how much length knowledge actually shrinks brute‑force space; consensus in the thread is that for reasonable lengths it barely matters.
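As an added illustration of the length-leak arithmetic (not from the thread): the block below assumes the attacker otherwise searches every length up to the true one over a fixed alphabet, and computes how much of that space an exact-length leak removes, for a tiny PIN space and for a typical password.

```python
from math import log2


def keyspace_upto(alphabet_size: int, max_len: int) -> int:
    """Candidates of length 1..max_len: the space searched when the
    length is unknown but bounded by max_len (assumed attacker model)."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


def keyspace_exact(alphabet_size: int, length: int) -> int:
    """Candidates of exactly `length` symbols: the space once the length leaks."""
    return alphabet_size ** length


def length_leak(alphabet_size: int, length: int) -> dict:
    """Fraction of the bounded-length search eliminated by an exact-length
    leak, the same saving expressed in bits, and the bits that remain."""
    total = keyspace_upto(alphabet_size, length)
    exact = keyspace_exact(alphabet_size, length)
    return {
        "eliminated_fraction": 1 - exact / total,
        "bits_lost": log2(total) - log2(exact),
        "bits_remaining": log2(exact),
    }


if __name__ == "__main__":
    # Constructed comparison: a 4-digit PIN vs. a 12-character alphanumeric password.
    for name, a, n in (("4-digit PIN", 10, 4), ("12-char [A-Za-z0-9]", 62, 12)):
        r = length_leak(a, n)
        print(f"{name}: leak removes {r['eliminated_fraction']:.2%} of the search, "
              f"{r['bits_lost']:.3f} bits; {r['bits_remaining']:.1f} bits remain")
```

For the 62-symbol, 12-character case the leak is worth about 0.02 bits, which is the quantitative basis for the "barely matters" consensus; the PIN case shows where a length hint does start to count.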

Configurability and scope

  • The feedback is a property of the sudo-rs binary on the machine where sudo runs; SSH’ing into a system without it won’t show stars.
  • It can be reverted via Defaults !pwfeedback in sudoers; Ubuntu also added a one‑off “press Tab to hide this time” behavior.
  • Some argue it should have remained opt‑in; others say accessibility features must default to “on” to have impact.

Rust, PAM, and alternatives

  • Change arrived via a community patch to sudo-rs; some see Rust rewrites as enabling long‑stalled UX fixes, others see them as unnecessary churn or “virtue signaling.”
  • Related subthread on PAM’s 2‑second delay for wrong passwords: some see it as pointless for local brute force; others insist it’s intentional rate‑limiting.
  • A few argue sudo itself is legacy and prefer systemd’s run0 + Polkit/UAC‑style prompts.

Alternative designs and side effects

  • Multiple proposals: spinners, transient asterisks, random multi‑asterisk echoes, i3lock/xsecurelock‑style indicators to show activity without fixed length.
  • Concerns were raised about breaking automation tooling that parses sudo prompts and does not expect echoed characters.
  • Broader philosophical split: protect every last bit of secrecy vs. prioritize usability so people are willing and able to use strong credentials.