Show Asterisks While Typing Sudo Password in Linux

Security is paramount in any GNU/Linux environment. One common concern is the visibility of passwords, especially when using sudo. By default, when you type your password for sudo, nothing is displayed on the screen. This "blank" input is a security measure, but some users prefer to see asterisks (*) or other characters as they type to confirm that something is being entered.

This guide will explore how to configure your GNU/Linux system to display asterisks or other masking characters when typing your sudo password, along with important security considerations.

But Why Mask Passwords?

Actually, The primary reason for masking passwords (showing nothing or showing masking characters) is to prevent shoulder surfing. If someone is looking over your shoulder while you type your password, they could potentially see it. Masking makes it much harder for someone to visually capture your password.

The Default Behavior (No Echo)

The default behavior of sudo (and most password prompts in GNU/Linux) is to disable echoing. This means that characters are not displayed on the screen as you type them. This is the most secure option as it prevents the password from being displayed even momentarily.

Why Some Users Prefer Asterisks

While the default behavior is the most secure, some users prefer to see asterisks for the following reasons ?

• Confirmation ? Seeing asterisks confirms that something is being entered, giving the user confidence that the system is registering their keystrokes. This can be especially helpful if the keyboard is having issues or the user is typing quickly.
• Preventing Typos ? While not directly showing the password, seeing asterisks can help users realize if they've accidentally hit the wrong keys or if the focus is not in the correct place.

Methods for Showing Asterisks (or Other Masking Characters):

Using sudo visudo and pwfeedback (The Only and The Recommended):

The most secure and recommended way to enable password feedback for sudo is by modifying the /etc/sudoers file using the visudo command. This ensures that the changes are syntactically correct and prevents accidental corruption of the file.

sudo visudo

Add or modify the following line in the /etc/sudoers file ?

Defaults pwfeedback

Save and exit the file.

This will display asterisks when you type your sudo password.

Customizing the Masking Character

The pwfeedback option also allows you to customize the character used for masking. You can specify a different character after pwfeedback ?

• Defaults pwfeedback="*" # Asterisk (default)
• Defaults pwfeedback="." # Period
• Defaults pwfeedback="-" # Hyphen

Security Considerations

• Shoulder Surfing Risk ? Even with asterisks, there's still a risk of shoulder surfing, especially if the password is short or simple. Masking characters reduce the risk, but they don't eliminate it entirely.
• No True Security Guarantee ? Showing asterisks does not increase the actual security of your password. The password itself is still transmitted securely (or should be) to the system for verification. The masking is purely a visual aid for the user.
• Use Strong Passwords ? The most important security measure is to use strong, unique passwords that are difficult to guess. Masking characters are a secondary measure.
• visudo is Essential ? Always use visudo to edit the /etc/sudoers file. Directly editing it can lead to syntax errors that can lock you out of your system.

Best Practices

• Use pwfeedback in /etc/sudoers ? This is the recommended and most secure way to enable password feedback for sudo.
• Choose a masking character you prefer ? You can customize the masking character to your liking.
• Use strong passwords ? This is the most crucial security practice.
• Be aware of shoulder surfing risks ? Even with masking, be mindful of who might be watching you type your password.
• Keep your GNU/Linux system updated ? Regularly update your system to any security vulnerabilities.

Conclusion

While the default "no echo" behavior for sudo passwords is the most secure, using pwfeedback in /etc/sudoers to display asterisks can offer a balance between security and user experience. Remember that masking is primarily a visual aid and does not replace the need for strong passwords and other security best practices. By following the recommendations in this guide, you can enhance the usability of sudo while maintaining a secure GNU/Linux environment.