[Feature Request] [Discussion] Reset forgotten password in login screen

Already speaking in third person?
I don’t watch the kind of TV shows you seem to love, sorry. I guess you’re thinking of that super-duper hacker who connects remotely using a toaster and hacks NSA servers in a few seconds, while speaking with the protagonists. I have a secret to tell you: it’s all fiction. :shushing_face:

I didn’t accuse you of anything, I just pointed out that a login without a password is not the same as having a password and forgetting it, and asked everyone to stay on topic.

But hey, develop that idea, perhaps I understood it wrong. Do you mean for SDDM to remember the password and autologin, or to remove the password with passwd -d username?

What would be the process? What would be the security implications? (For example, your 3-year-old child turning on the computer and accidentally deleting something while playing with the mouse and pounding on the keyboard.) How could we reset the password on login? Would it be necessary? What if the user some day sets a password or sets SDDM not to autologin?

No, you categorically stated anyone with access to Google could do it.
EDITED: I’ve just seen you didn’t state that, my bad, but as you are already speaking of “we”, I think the following can also be applied to you.
So, go on, I guess you know how to use it. I can add two more questions: the plate number of my very first car, and the name of my pet. The answers are in this paste, which will be destroyed in one month, so once you have them, I will give you the password for that paste to confirm I’m not cheating when I say you’re wrong.

And then, once you have all the answers, please, send me a screenshot of you connected to my SDDM screen. Then, we can speak about how insecure this method can be.

If I’m in a cafeteria, the issue is the same: nobody would know me, and the time to solve it wouldn’t be a month. In fact, I wouldn’t leave my laptop, just because I don’t want it to be stolen, but let’s suppose I’m Japanese (they are the only people I have seen in a cafeteria leaving their computer, phone, and wallet on the table and going to the toilet), and let’s suppose I’m one of those 0.58% of Japanese people using Linux; you would have a few seconds to answer those questions. But remember, just 1 in 200 Japanese people uses Linux, so the probability of pulling off this hack is, well, good luck with it.

And if I’m at home, discounting my wife, who already knows my password, nobody enters my office. But let’s suppose she doesn’t know my password and tries to work out the answers; as she has plenty of time, well, she knows my mother’s second surname, but doesn’t know my first car’s plate or the name of my pet. She could find a photo or a document with the plate number in the house, why not, but if she (or anyone with physical access to my computer) tried to find out my pet’s name through social engineering, I would be alarmed, because as I said before, I have never had a pet, and I use that question as a trap. So, I think the only way to try to guess my secret question answers would be marrying me, and sorry, I’m already taken :wink:

Errr, do you know anything about mobile phones? And GPRS onwards? Home users use their phone for almost everything. StatCounter, year after year since 2017, shows Android as the main operating system browsing the internet. We are in 2024, not in 2005, so it is ridiculous to think that home users walk around with their laptop on the bus to watch Netflix or check their email.

OK, let’s put the 3 secret questions aside. What about a process to create a liveUSB which would reset the password for you? I don’t mean a full-featured liveUSB or any installation USB, but a tiny Linux image (Alpine Linux?) which boots a utility to reset the user’s password, and just that user’s password.

So, inside Plasma, under Settings, there would be a liveUSB/liveCD wizard, and on SDDM there would be the option to “reset the password”, asking you to insert the “restoration password media” and rebooting the computer into the USB. In fact, this would be SDDM-agnostic, and SDDM devs wouldn’t need to be involved; just the Breeze SDDM theme would have to be modified. With this other method, the user could boot directly.

I could see this method as more secure because SDDM has to do nothing but ensure the computer reboots and modify the loader to boot from USB (back in the day, GRUB was able to specify which disk to load on the “next reboot”), but how to prevent that liveUSB from resetting other users’ passwords, and not just the user’s own password? Or avoid using it to reset the password of a stranger?

The thing I don’t like about this method is that the user needs to have a USB dedicated to this, and keep it safe in a place for years… probably when the time comes, that USB stick will be missing.

Never said that. I said “Laptops are more expensive than desk computers, so there are quite more computers than laptops out there.”. Yes, I know there are people who prefer a laptop over a desktop computer, and if their budget is low, they still prefer a crappy laptop to a PC with better features.

But again, I do not know how disk encryption solves the issue of a forgotten password. It does solve the case where an attacker has physical access to your computer, but that’s not the point of the whole discussion: resetting the forgotten password. It would even get worse, because if the user doesn’t remember the encryption password, they won’t even be able to reset the forgotten password, and the only option would be to reinstall the OS.

A script, a program in C++, that’s in the developer’s hands, of course. I’m talking from a user’s point of view, who doesn’t care what is underneath what they can see on the screen.

That’s exactly why I started this discussion: the only KDE developer who answered here saw the point of the thread, and agreed passwords are a nightmare.

Because you have all your data on their desktop, so you are fully trusting them.

What makes you think I think sddm is part of KDE?

I can agree with you that it should require human interaction. But for less experienced users, that human interaction could be answering those questions, as booting a liveUSB is perhaps too complex for them, and perhaps, for them, the very exceptional corner case of someone trying to guess their secret questions is a risk worth taking if they ever forget their password.

Anyway, take a look at the other proposal I made in the message above. What do you think?

I think it executes scripts that already exist on the computer, like reboot or shutdown. Or maybe it communicates with systemctl directly, I don’t know.
But I am fairly certain it does NOT create a script of its own for rebooting or shutting down the computer. xD

So then just use that “something that you won’t forget ever” as the password. Problem solved.


[GIF: We Did It Mic Drop]
Sorry, I couldn’t resist depicting your masterly answer. xD (I hope it doesn’t violate any forum rule.)


Extracted from sddm.conf.d/kde_settings.conf

HaltCommand=/usr/bin/systemctl poweroff
RebootCommand=/usr/bin/systemctl reboot

Interesting take.

Bitwarden has the interesting feature of locking you out if you forget your login, no hope for recovery.

For this reason I stated that the ‘Post-It’ is actually NOT a bad idea.

You don’t have to make a poster of it, you can - for example - put it in a safe place at home.

You can write it as a code.

You don’t have to write “My Computer Password Is m3Ti@Cent”.

An option could be given to look at/add a ‘password recovery option’.

You could be given the option to also write your own prompt… your own Question… so you could think of something unique to your circumstances… or write a phrase which will prompt you to correctly write/spell it as your passphrase/password.

I was simply stating that this is ok, but the action of physically writing down a password is, in no way, a weaker option unless you really are stupid enough to paste it on the wall in a public space.

Unless you setup 2fa, trusted member, password hint, etc, yes, and I think that is GREAT!
Probably one of the reasons they are one of the extremely few password managers that has not been hacked. It’s the only one among the big ones.
I think you can get 10 of those “one time logins” too that bypasses 2fa in case of emergency.

I don’t have to care about any of that though, because I run my server locally never ever communicating with anything else. But that is for power users.
2fa and you are gucci. You can also save the login within the manager itself, grab your phone (where you have pin password instead) and check password there. So many possibilities with a password manager. :smiley:
And tbh, imho, 2fa should be standard in 2024.

A reminder is actually not the worst idea though. A small text you can have accessible with a button on the login screen.

Long and low-signal thread, no promises that I’ll be back here after this comment.

Taking a step back from the actual method of authentication (3 questions, 2FA, trusted escrow, …), I perceive two general shortcomings that we might want to tackle:

1. We don’t have an interface for non-technical users to set up and select from various different authentication methods after initial distro installation.

The “Users” KCM provides a way to change passwords and register fingerprints, but any other PAM module has to be set up via the terminal with sudo file editing. We could have tons of relevant auth methods (in fact, they do exist) and it wouldn’t help, because one has to consult the elusive “administrator” or learn to read the Arch wiki.

2. We don’t have a concept of “use a non-password auth method to reset the password”.

Or more generically, “use one auth method to reconfigure the primary login auth method”.

Earlier comments are right about the fact that the resulting login security is the same as if both were marked as “sufficient”. What nobody has mentioned, IIRC, is the important side effect of increased break-in visibility compared to merely using the extra auth method for logging in directly.

  • An attacker can’t get in without actually modifying the primary auth mechanism. They also can’t reset it to the old value, because they don’t know the password.

    • Online services send password change emails to all of your registered email addresses. Not being one of those, we could still show the time & date of the last password change on unsuccessful login attempts? Or otherwise inform the locked-out user that it probably wasn’t their own doing that they got locked out.
  • In the simplest form of “using stuff we already support to start addressing this use case”, we could allow the user to define fingerprints (heck, even a series of fingerprints) not to unlock the system directly, but to change the password. Configurable via Users KCM, and safer than 3 questions for sure.

    • A later expansion could allow any newly supported auth method (i.e. PAM module settings) to be selected either as a primary login mechanism or as a reset fallback for the former.
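The “show the last password change on a failed login” idea above is easy to prototype, because the date is already on disk: the third field of an /etc/shadow record is the day of the last password change, counted in days since 1970-01-01 (an empty field means ageing is not tracked). The following is an added example, not code from SDDM, Plasma or any PAM module; it parses shadow-style records, converts the day count to a date, and compares it with the user’s last successful login so a locked-out user can see whether the password was changed after they last logged in. The shadow lines and login dates are constructed sample data; a real implementation would read /etc/shadow as root and take the last good login from lastlog/wtmp.

```python
"""Added example: surface the last password-change date on a failed login and
flag a change that postdates the user's last successful login.

Not code from SDDM, Plasma or PAM. /etc/shadow field 3 is the day of the last
password change as a count of days since 1970-01-01; empty means ageing is not
tracked. All records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional

EPOCH = date(1970, 1, 1)

# Constructed sample records: the hash fields are placeholders, not real hashes.
SAMPLE_SHADOW = [
    "alice:$6$CONSTRUCTED_SALT$CONSTRUCTED_HASH:19800:0:99999:7:::",
    "bob:$6$CONSTRUCTED_SALT$CONSTRUCTED_HASH:19700:0:99999:7:::",
    "carol:!:::::::",
]
# Constructed last successful login per user (what lastlog would provide).
SAMPLE_LAST_LOGIN = {"alice": date(2024, 3, 10), "bob": date(2024, 3, 10)}


@dataclass(frozen=True)
class ShadowEntry:
    user: str
    last_change: Optional[date]  # None when the ageing field is empty


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one /etc/shadow record into the two fields this check needs."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    user, lastchg = fields[0], fields[2]
    # Day count since the epoch. A value of "0" additionally means a change is
    # forced at next login; it is simply reported as the epoch date here.
    last_change = EPOCH + timedelta(days=int(lastchg)) if lastchg else None
    return ShadowEntry(user=user, last_change=last_change)


def changed_since_login(entry: ShadowEntry, last_login: Optional[date]) -> bool:
    """True when the password was changed after the user's last good login."""
    if entry.last_change is None or last_login is None:
        return False
    return entry.last_change > last_login


def lockout_notice(user: str, shadow_lines: Iterable[str],
                   last_logins: Dict[str, date]) -> str:
    """Text a login screen could show after a failed password attempt."""
    entry = next((parse_shadow_line(line) for line in shadow_lines
                  if line.split(":", 1)[0] == user), None)
    if entry is None or entry.last_change is None:
        return "Password last changed: unknown."
    notice = f"Password last changed: {entry.last_change.isoformat()}."
    if changed_since_login(entry, last_logins.get(user)):
        notice += (" This is later than your last successful login; if you did"
                   " not change it, contact your administrator.")
    return notice


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, "->", lockout_notice(name, SAMPLE_SHADOW, SAMPLE_LAST_LOGIN))
```

Running it prints a notice per sample user: alice’s password was changed on 2024-03-18, after her last login on 2024-03-10, so her notice carries the warning; bob’s change predates his last login and gets the date only; carol has no ageing data. The comparison is a date-granularity heuristic, which is all a login screen needs to tell the user that the lockout probably was not their own doing.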

That is a good idea!
Not that everybody has a fingerprint reader, but it would be a great way to keep security AND let the user “reset” the password.

There is also facial recognition with a webcam, if we talk about those solutions, but that could start compromising security if a webcam could be activated without logging in. Spying on people and all that.

It’s a good idea, and for sure is more secure, but not everybody has a fingerprint reader, and fingerprint readers aren’t cheap and most of them aren’t even compatible with Linux… finding one compatible with Linux would be hell for a home user, and buying a laptop whose fingerprint reader is compatible with Linux is a complete lottery. But I agree it would be great, not just to reset the password, but also to log in without a password.

Facial recognition through webcams is weak in the best of cases. Slimbook has done some improvements in this area, but it’s quite far from good. But all laptops have one, and most desktops also have one. The issue with webcams is that they are pretty insecure, perhaps even more than the 3-question method, as the Howdy developers themselves state.

I think the hint prompt can be useful, but I guess Microsoft removed it from Windows 11 because it could be an even greater danger than the 3-question reset. I can imagine home users writing their password, or the beginning of the password, as if it were the hint.

The greater issue, IMO, is that all the current PAM auth methods are just that, auth methods. A password reset mechanism should be created from scratch: 3 questions, biometrics, email verification, 2FA… all of them with their pros and cons. The good part is, once one method is created (let’s say the 3-question method), the whole flow from KCM Users → reset method configuration → login manager reset option and reset form would be the same; just the reset method would change, and someone could develop a 2FA method, more secure but where the user would need to have an OTP client installed; a biometrics method, where the user needs the hardware; or why not, an email verification method, where the user would only have to set their email address, but the complexity of the method would be even greater (set up something to generate a hash, then send the email, and then listen (how to configure the port without NAT and the like?) for the HTTP request when the user clicks on the email link). But this method, besides being a PITA to develop, needs the user to have a phone at hand with that email address…

That’s why I suggested a method everyone could use… yet it has its own downsides, and I do not know what it implies from a developer’s point of view.

The reason I mentioned fingerprints is not because it solves the problem for everyone, but because it allows us to split the problem into distinct parts. One sub-problem would be to use PAM modules for authenticating password resets. Another sub-problem would be to support a greater variety of PAM modules. A third sub-problem would be to add new PAM modules if they’re a good match, like your 3-question preference.

By modularizing the problem into distinct parts, you get improvements for the regular password flow from two out of the three initiatives listed in the previous paragraph. The fact is that KDE is not a million-dollar corporation, so developer resources are scarce and barely any capable person will devote weeks or months on just one low-priority wishlist item that presents a whole bunch of technical and interaction design challenges.

We have fingerprint integration already, so this would allow us to punt on one of these problems for now and focus mainly on the rest, which is still necessary anyway and a considerable amount of work.

In order to get a feature like this implemented, we need to do two things:

  1. Split the large project into smaller tasks with rewarding milestones.
  2. Try to benefit as much as possible from existing code, and also try to kill several shortcomings with one stone if possible.

You have a grand vision of password reset flow. I have a grand vision of not having to assign lid switch and power button handling for two or three separate power states in System Settings. It’s important to have these visions.

But it’s also important to work towards small wins along the way. I got a partial Energy Saving redesign into System Settings, and the grand vision is still stuff for the future, indeed the vision is already changing by learning from other issues. None of us is going to get exactly what we want, however, we can all work towards something that’s better than the current state for a lot of people. Without finding common ground on successive partial milestones, none of this will get implemented rather than all of it verbatim.

I recommend finding a way to say yes to many of the good ideas that people have brought up in this thread.


Thanks a lot for your feedback.

Obviously, I don’t have any idea how this can be achieved from a developer’s point of view, and modularizing the issue into several subproblems sounds good to me, as I can see the complexity of the request. Tackling the issue in pieces or modules could translate into future modifications of the auth mechanisms to reset the password, for instance, which would be great.

As long as they are on topic, I’m the first interested to say yes and discuss (to improve) any idea, of course.

Perhaps that is indeed the simplest solution. In the installer or OEM setup screen, where it asks you to set up a password for the user account, we (well, someone), just adds a line of text saying, “Choose a long but memorable phrase that you won’t ever forget”. Boom, problem, 95% solved. :slight_smile:


This! It’s a rather common misconception that a strong password has to contain symbols, numbers, and capital and small letters, where in fact a long memorable sentence about you, all written in lowercase, might be even stronger. As an example, the sentence “I love my wife alice and my two kids bob and charlie” (296 bits of entropy) is actually stronger compared to “H0wThef**kAmIsupp0sedT0RememberTh15?” (236 bits of entropy)!

You can even have a sticker on your monitor with a hint for the first one: “Who I love the most” :smiley:


Sorry to post so many images, but this xkcd image from 2011 already told us that :slight_smile:

Unfortunately, 13 years later, people (and most sysadmins) still prefer to force hard-to-remember passwords rather than longer ones.

In the last job where I worked as a sysadmin, I just forced passwords to be 14 characters long (and forbade reusing the latest N passwords), and I told my users to do exactly that: use sentences like “my mother is 86 years old” or “i like cheese and jam sandwiches”… still, people did forget their passwords after Xmas or holidays… in that job I had to reset passwords an average of 2 times a month, and there were 45 workers in total.

I have friends working in helpdesk support for a hospital with more than 5000 users, and they have 2 guys almost exclusively dedicated to resetting user passwords, but AFAIK, in that hospital, they still enforce the typical 8-character minimum length, caps, numbers and special characters.

Passwords are a nightmare for lusers.

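The two posts above make one policy point between them: judge a password by length rather than character classes (the entropy comparison of the sentence versus the leetspeak string), enforce a 14-character minimum, and forbid reusing the last N passwords. The following is an added example, not code from any KDE project or PAM module, that puts those three rules into one checker. The entropy figure uses the usual brute-force model, length × log2(alphabet size), so it depends on which alphabet you assume: with lowercase letters plus space the sentence estimates to about 247 bits rather than the 296 quoted above, while the leetspeak string lands at the quoted 236 over the 94 printable ASCII characters; the sentence still wins on length alone. The password history is kept as salted PBKDF2-HMAC-SHA256 digests constructed in memory; a real system would store them next to the account record. The depth N = 5 and the sample passwords are assumptions for the example.

```python
"""Added example: a length-first password policy with a brute-force entropy
estimate and a reuse check against the last N passwords.

Not from any KDE project or PAM module. Entropy model: length * log2(size of
the smallest standard alphabet covering the password). History digests are
salted PBKDF2-HMAC-SHA256, constructed in memory for the example.
"""
import hashlib
import hmac
import math
import os
import string
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_LENGTH = 14        # the policy from the post: length, not character classes
HISTORY_DEPTH = 5      # "forbid reusing the latest N passwords"; N = 5 assumed here
PBKDF2_ROUNDS = 200_000

# The two passwords compared in the thread (the sentence in lowercase, as suggested).
SENTENCE = "i love my wife alice and my two kids bob and charlie"
LEETSPEAK = "H0wThef**kAmIsupp0sedT0RememberTh15?"


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every character."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    if " " in password:
        size += 1
    return size


def estimated_entropy_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet size)."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt unless one is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class PasswordHistory:
    """Newest-first list of (salt, digest) pairs for a single account."""
    entries: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def contains(self, password: str) -> bool:
        # Re-derive with each stored salt; constant-time compare of the digests.
        for salt, digest in self.entries[:HISTORY_DEPTH]:
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, digest):
                return True
        return False

    def record(self, password: str) -> None:
        self.entries.insert(0, hash_password(password))
        del self.entries[HISTORY_DEPTH:]  # keep only the last N


def check_new_password(password: str, history: PasswordHistory) -> List[str]:
    """Return the policy violations for a proposed password (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if history.contains(password):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    for pw in (SENTENCE, LEETSPEAK):
        print(f"{pw!r}: {len(pw)} chars, ~{estimated_entropy_bits(pw):.0f} bits")
    history = PasswordHistory()
    history.record("my mother is 86 years old")
    print(check_new_password("my mother is 86 years old", history))
    print(check_new_password("i like cheese and jam sandwiches", history))
```

The reuse check deliberately keeps the old digests salted and slow to derive: a history file of fast unsalted hashes would be a ready-made crack list for anyone who obtained it. The entropy estimate is only a ceiling on brute-force work; a sentence that a family member could guess from a sticker on the monitor is weaker than the number suggests.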

Computers are all Trojan Horses. All of ’em. Passwords are only a diversion to distract you from knowing that the entire reason for using it is to explore all that you are. Everyone and their extended family needs uncountable numbers of passwords to get their mail, make a purchase, go somewhere, it’s ridiculous. I use a password too, but it shouldn’t distract you from the reality of who the worst data abusers are. Like all the ‘accidental’ identity problems. REALLY? They tell you everything is soooo secure, and then what happens? Well, at least I’ve got my old computer at home all locked up tight as a barrel. No one would ever think of zombying that, would they?
That never happens right?

Sure it’s a rabbit hole, but you have to watch that first step. Peace.

P.S. When you think of security on your computer, just think of a giant sodden sponge. Or perhaps sieve.

Wow, this thread is something else… I wish I had malevolent’s patience. Just a FYI, as it appears many of you haven’t touched Windows in a long time: this feature has been in Windows since 2018 and I have yet to hear anyone, non-technical or expert, complain about it. If you want more people to use KDE or Linux in general, you will have to implement something like this, not an umpteenth broken Burn-my-windows desktop effect.


Sooner or later it would be added in all Linux DEs, like many things which were considered abominations before and have been added.
There can be an option to set up recovery questions, if the user wants to, for all users who are not admin.


Wow, I almost forgot this thread. I got so exhausted trying to explain the whole point of the feature request again, and again, and again, and again… that I eventually decided to give up. In fact, I have never forgotten my password, and if some day it happened, I could reset it in a chroot environment in less than 5 minutes.

I just tried to suggest a functionality I think a modern OS must have at this point in the century, but it wasn’t very well received, and at some point I doubted my level of English, or the level of English comprehension of other people, because that level of resistance and obtuseness can only indicate that either the point was not understood, or this board is full of trolls.

Yet there was some movement here, although half a year later it doesn’t look like any KDE developer is going to move forward on this task. On the SDDM GitHub, nobody even bothered to answer.

So, I suppose the proposal will fall on deaf ears. At least until maybe someday some other desktop like Deepin or Gnome steps up and then everyone else joins the bandwagon. It seems clear that Plasma will not be the pioneer in this regard, which is completely legitimate, of course.

It saddens me a bit to see how proprietary solutions are becoming more user friendly every day and open source alternatives are stuck in complacency and their veteran users are more papist than the pope.

Long gone are the days when the Linux desktop innovated and the rest copied them. Windows and Mac desktops have copied a lot of things from the Linux desktop, but it seems that the other way around is a sacrilege, which I don’t understand, since proprietary desktops have very good things that would improve the user experience.

Anyway, I invite any moderator to close this thread if they think it is convenient. I already gave my point of view at the time, and personally I have already said everything I had to say, so I will unsubscribe, given the futility of continuing to receive notifications about something that clearly will not flourish.
