<!-- subject: Pro tip: Start your passwords with <kbd>/!</kbd> -->
<!-- date: 2021-04-11 03:01:15 -->
<!-- tags: password -->
<!-- categories: Techblog -->
<p>Anyone who uses a screen locker surely can recall a situation where they
approached their computer and started typing their password to unlock it even
though it was never locked. Even if the machine is configured to lock
automatically after a period of inactivity, there may be situations when power
saving blanks the monitor even before the automatic locking happens.
<p>If one’s lucky, they realise their mistake in time before hitting Return in
a chat window. It’s not uncommon however that one ends up with the password
blasted into the ether over IRC or Google Docs; lazy people might ignore the
secret getting saved in their shell history file, but even that should prompt
an often annoying password change.
<p>What if I told you there’s a way to avoid those problems? One simple trick
will eliminate at least some forms of possible leaks. Simply prefix
all your passwords with <kbd>/!</kbd> (slash followed by an exclamation mark).
<!-- FULL -->

<h2>Slash</h2>
<p>Lines starting with a slash are treated as commands by many — though not
all — chat applications. This originated in IRC so virtually all IRC clients
will do this, but the same feature was adopted by many other programs such as
Element or Slack. When trying to send a password beginning with a slash onto
a channel or private conversation, the application will refuse to do anything,
reporting an unknown command. For example:
<pre>
04:55 -!- Irssi: Unknown command: foobarbaz

[(status)] /foobarbaz
</pre>
<p>Of course even then the protection won’t work if there’s already some text in
the client’s input field; perhaps because one started writing something to send
to the channel but got interrupted.
<h2>Exclamation mark</h2>
<p>The exclamation mark, meanwhile, has a special meaning in popular interactive
shells (by which I mean bash since I’m too lazy to actually test any
other shells). When present the shell will attempt a history expansion (based
on an arcane grammar that I reckon no one actually remembers). If no
expansion is found, rather than executing the command (and thus sending it
into a possibly world-readable history file) the shell will complain. You can
test it easily by trying to execute <code>echo !foobarbaz</code> in your
shell:
<pre>
$ echo test
test
$ echo !foobarbaz
bash: !foobarbaz: event not found
$ echo !foobarbaz^C <i># ‘echo !foobarbaz’ is populated by shell</i>
$ history | tail -n2
6 echo test
7 history | tail -n2
</pre>
<p>This doesn’t always work. For example, if a non-letter follows the
exclamation mark the expansion will likely succeed.
The <code>histverify</code> shell option can help catch those errors. (I’m
again talking bash here but I assume other shells worth their weight in salt
have a similar option). When it’s active, executing commands including a bang
requires a confirmation after the history expansion happens. In other words,
pressing the Return key once won’t execute them. For example:
<pre>
$ shopt -s histverify
$ echo test
test
$ echo !$foobarbaz
$ echo testfoobarbaz^C <i># ‘echo testfoobarbaz’ is populated by shell</i>
$ history | tail -n2
8 echo test
9 history | tail -n2
</pre>
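<p>As an added illustration (not code from the post), here is a small POSIX
shell classifier that encodes the rules from the Slash and Exclamation mark
sections above: it reports whether a line that accidentally lands in a chat
input or at a bash prompt would be refused as a slash command, rejected with
‘event not found’, expanded from history, or simply executed. It applies
bash’s documented history-expansion rules to the text rather than invoking
bash, assumes no history entry matches the typed string, and the function
names are my own.

```shell
#!/bin/sh
# Added example, not part of the post. Mirrors the post's rules for a line
# typed into the wrong window; it does not run bash's own expansion and
# assumes an empty or non-matching history.

# chat_verdict LINE: "refused" if a slash-command-aware client (irssi,
# Element, Slack) would treat the line as a command, else "sent".
chat_verdict() {
  case $1 in
    /*) echo refused ;;
    *)  echo sent ;;
  esac
}

# shell_verdict LINE: how bash treats the first '!' in the line.
#   executes         no '!', or one bash ignores (followed by space, tab,
#                    end of line or '='; '(' with extglob is not modelled):
#                    the line runs and lands in the history file
#   expands          '!' starts a designator that refers to existing history
#                    (!! !n !-n !?s !# !$ !^ !* !:), so with any history at
#                    all the expansion usually succeeds and the line runs
#   event-not-found  '!string' with no matching history entry: bash rejects
#                    the line and does not record it
shell_verdict() {
  tab=$(printf '\t')
  rest=${1#*!}                       # text after the first '!'
  [ "$rest" = "$1" ] && { echo executes; return; }
  case $rest in
    ''|' '*|"$tab"*|'='*)            echo executes ;;
    '!'*|[0-9]*|'-'*|'?'*|'#'*|'$'*|'^'*|'*'*|':'*)
                                     echo expands ;;
    *)                               echo event-not-found ;;
  esac
}

# guarded PASSWORD: exit 0 only when both tricks apply, i.e. the password
# starts with "/!" and the bang is followed by something bash will search
# for as a string (the case the post recommends), exit 1 otherwise.
guarded() {
  [ "$(chat_verdict "$1")" = refused ] &&
  [ "$(shell_verdict "$1")" = event-not-found ]
}
```

Running <code>guarded '/!s3cret'</code> succeeds, while <code>guarded
'/!$s3cret'</code> fails because <code>!$</code> is a word designator that
bash will happily expand, as in the <code>histverify</code> session above.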
<h2>Conclusion</h2>
<p>There are still places where the <kbd>/!</kbd> trick won’t work. I’ve
already mentioned chat applications which don’t recognise slash as a command
prefix, but there are also tools for collaborative editing such as Google Docs
which broadcast entered text as soon as a letter is pressed on the keyboard.
(The former issue may be solved by
using <a href="https://www.bitlbee.org/">bitlbee</a> for all instant messaging
needs).
<p>Prefixing the password by <kbd>/!</kbd> isn’t a panacea but it may prevent at
least some instances of accidental credentials exposure. Since there’s
virtually no cost in adopting this policy, why not do it?