https://bugs.kde.org/show_bug.cgi?id=461614
Bug ID: 461614
Summary: It is very simple to obtain WiFi passwords as plain text
Classification: Plasma
Product: plasma-nm
Version: unspecified
Platform: Other
OS: Linux
Status: REPORTED
Severity: wishlist
Priority: NOR
Component: general
Assignee: plasma-b...@kde.org
Reporter: quique...@gmail.com
CC: n...@kde.org
Target Milestone: ---

Copy&Paste from Gitlab:

******

I want to share with you an issue I have found with my users' experience. I am one of the developers of LliureX, a Neon-based distribution used by public schools in Valencia, Spain.

We have been using ethernet-based classrooms until now. The Covid-19 event has changed that; well, politicians have. Now classrooms are based on laptops connected to WiFi, with either a common password (classic WPA) or an enterprise one, where each student has their own user/password.

The thing is, WiFi passwords can be seen in plain text easily. So once a student sets up their WPA Enterprise connection, they are two clicks away from seeing their credentials in plain text. Even QR codes can be generated with them.

Yes, I am aware that no desktop should be left unattended without locking, but we are talking about kids, or even teachers, with no IT security training at all. Once credentials are stolen, they can be used to impersonate another user and try to access some probably forbidden pages, or even to access cloud services, as the credential is shared.

I know this is a bit ill-designed in the wireless standard, where no one found it important to keep a password secret, but would it be possible to add an extra step in order to show the password? Perhaps unlocking with the login password.

******

Nate asked me on Gitlab how students log into the desktop. Students should log in using their own (private) credentials. They are now LDAP-backed because laptops are shared between students (we are far from a 1:1 student/laptop ratio), but if a student needs a computer at home, I see no problem with classic local Unix accounts.
There are some schools using auto-login or some sort of well-known user (i.e. foo/bar), but of course we advise against this model for obvious security and privacy reasons.

I have written this because Aleix asked me to. I think it is not Plasma's fault here, because hiding passwords in plasma-nm won't stop some smart kid from opening a terminal and typing:

nmcli connection show foo --show-secrets

My point is to show that perhaps we have designed Linux desktops with a safe home environment in mind, and we have to spend some time thinking about "hostile" environments. Thank you guys in advance for giving me some place to talk about this :D
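The following audit script is an added example and is not code from the bug report, from plasma-nm or from NetworkManager. It walks every NetworkManager profile and reports which ones keep their Wi-Fi secret in NetworkManager's own system store (secret flags 0), which is exactly what "nmcli connection show <name> --show-secrets" and the plasma-nm password control reveal on a shared laptop. It assumes that "nmcli -g" prints a secret-flags property as a bare number (the pretty form "0 (none)" is also tolerated) and an empty line for a setting the profile lacks, that the NMSettingSecretFlags bits are 1 = agent-owned, 2 = not-saved, 4 = not-required, and that the file is saved as audit-nm-secrets.sh; "<login>" in the suggested fix line is a placeholder for the student's account name.

```shell
#!/bin/sh
# Audit NetworkManager profiles for Wi-Fi secrets kept in NM's system store
# (secret flags 0). Added example, not code from the bug report, plasma-nm or
# NetworkManager. Assumptions: `nmcli -g` prints a secret-flags property as a
# bare number ("0 (none)" is tolerated too) and an empty line for a setting the
# profile lacks; NMSettingSecretFlags bits: 1=agent-owned, 2=not-saved,
# 4=not-required.

NMCLI="${NMCLI:-nmcli}"   # overridable so the logic can be exercised without NM

# nm_get <connection> <property>: first line of the property's value, or empty.
nm_get() {
    $NMCLI -g "$2" connection show "$1" 2>/dev/null | head -n 1
}

# check_connection <connection>: print one report line; return 0 (true) when
# the profile's Wi-Fi secret is system-stored, 1 otherwise.
check_connection() {
    _conn="$1"
    _km="$(nm_get "$_conn" 802-11-wireless-security.key-mgmt)"
    case "$_km" in
        wpa-psk|sae) _prop=802-11-wireless-security.psk-flags ;;   # classic WPA
        wpa-eap)     _prop=802-1x.password-flags ;;                # enterprise
        *) printf '%s\tno Wi-Fi secret (key-mgmt=%s)\n' "$_conn" "${_km:-none}"
           return 1 ;;
    esac
    _f="$(nm_get "$_conn" "$_prop")"
    _f="${_f%% *}"                       # drop a pretty suffix such as " (none)"
    case "$_f" in
        '' | *[!0-9]*)
            printf '%s\t%s\tunreadable flags "%s"\n' "$_conn" "$_prop" "$_f"
            return 1 ;;
        0)
            printf '%s\t%s\tSYSTEM-STORED: anyone the profile is visible to can read it\n' \
                "$_conn" "$_prop"
            # Suggested change (not executed): move the secret to the user's own
            # agent (KWallet/keyring) and restrict the profile to that user.
            printf '\tfix: nmcli connection modify "%s" %s 1 connection.permissions "user:<login>"\n' \
                "$_conn" "$_prop"
            return 0 ;;
    esac
    if [ $((_f & 2)) -ne 0 ]; then _v="not saved, prompted on connect"
    elif [ $((_f & 1)) -ne 0 ]; then _v="agent-owned (per-user wallet)"
    else _v="not required (flags=$_f)"; fi
    printf '%s\t%s\t%s\n' "$_conn" "$_prop" "$_v"
    return 1
}

# audit_nm_secret_flags: walk every profile; return 0 only if none is exposed.
audit_nm_secret_flags() {
    _exposed=0
    _names="$($NMCLI -g NAME connection show 2>/dev/null)"
    while IFS= read -r _name; do
        [ -n "$_name" ] || continue
        if check_connection "$_name"; then
            _exposed=$((_exposed + 1))
        fi
    done <<EOF
$_names
EOF
    printf '%d profile(s) keep a Wi-Fi secret in the system store\n' "$_exposed"
    [ "$_exposed" -eq 0 ]
}

# Usage on a machine with NetworkManager:  sh audit-nm-secrets.sh
case "$0" in *audit-nm-secrets.sh) audit_nm_secret_flags ;; esac
```

Setting the flags property to 1 (agent-owned) makes NetworkManager stop storing the secret itself and ask the user's secret agent (plasma-nm backed by KWallet) for it instead, so another account on the same laptop can no longer pull it with --show-secrets, and connection.permissions hides the profile from the other accounts altogether. It does nothing about the reporter's core point: the student who owns the credential can still read it back, whether from the applet or from the terminal.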