RFR: 8354469: Keytool exposes the password in plain text when command is piped using | grep [v6]
Sean Mullan
mullan at openjdk.org
Fri Sep 26 13:50:53 UTC 2025
On Thu, 25 Sep 2025 16:49:18 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Allow password hiding even if there is no `System.console`. A manual test is included.
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>
> add a warning for non-console interactive UI
src/java.base/share/classes/sun/security/util/Password.java line 77:
> 75: // will be silently consumed without echoing to the screen.
> 76: System.err.print("[Warning: Console not available." +
> 77: " The entered password might be echoed.] ");
s/might/may/
I wonder if "echoed" is generally understood by most users. Should we be more clear and say something like " The password entered may be visible on the screen"?
Also, consider putting "Warning" in all caps to make it more significant. Also consider breaking into 2 lines, so the second part is not at the end of a long line, ex:
WARNING: Console not available
WARNING: The password entered may be visible on the screen
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27196#discussion_r2382485258