RFR: 8354469: Keytool exposes the password in plain text when command is piped using | grep [v6]
Sean Mullan
mullan at openjdk.org
Fri Sep 26 16:53:19 UTC 2025
On Fri, 26 Sep 2025 16:36:05 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/util/Password.java line 77:
>>
>>> 75: // will be silently consumed without echoing to the screen.
>>> 76: System.err.print("[Warning: Console not available." +
>>> 77: " The entered password might be echoed.] ");
>>
>> s/might/may/
>>
>> I wonder if "echoed" is generally understood by most users. Should we be more clear and say something like " The password entered may be visible on the screen"?
>>
>> Also, consider putting "Warning" in all caps to make it more significant. Also consider breaking into 2 lines, so the second part is not at the end of a long line, ex:
>>
>> WARNING: Console not available
>> WARNING: The password entered may be visible on the screen
>
> This text appears after the prompt (which is printed by the caller) and I deliberately make it short so everything is still on the same line.
>
> Enter keystore password: [Warning: Console not available. The entered password might be echoed.] password
>
> Shall I just change "echoed" to "visible"? I'm OK with "WARNING".
>
> *Update*: Maybe there is no need to say "Console not available"? Also no need to duplicate "password":
>
> Enter keystore password: [WARNING: Input may be visible on screen] password
Last line looks good.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27196#discussion_r2382933352
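Added illustration of the fallback the thread is discussing (not code from the JDK's Password.java or from this PR): when no interactive console is attached, for example because keytool's output is piped into grep, the prompt falls back to System.in and the terminal echoes what is typed, so a warning is printed. Assumes JDK 22 or later, where Console.isTerminal() is available.

```java
import java.io.BufferedReader;
import java.io.Console;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;

/** Illustrative console-vs-stdin password prompt; not the JDK's implementation. */
public final class PasswordPrompt {

    // Short warning text in the form proposed in the thread; it follows the
    // caller's prompt so everything stays on one line.
    static final String WARNING = "[WARNING: Input may be visible on screen] ";

    /**
     * Reads a password without echo when a real terminal is attached.
     * When stdin/stdout are redirected (e.g. "keytool ... | grep ..."),
     * Console.readPassword() cannot suppress echo, so we read from
     * System.in and warn that the typed input may be visible.
     */
    public static char[] readPassword(String prompt) throws IOException {
        Console console = System.console();
        // isTerminal() exists since JDK 22; on earlier releases System.console()
        // itself returned null whenever the standard streams were redirected.
        if (console != null && console.isTerminal()) {
            return console.readPassword("%s", prompt);
        }
        System.err.print(prompt);
        System.err.print(WARNING);
        BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
        String line = in.readLine();
        return line == null ? new char[0] : line.toCharArray();
    }

    public static void main(String[] args) throws IOException {
        char[] pw = readPassword("Enter keystore password: ");
        try {
            System.err.println("Read " + pw.length + " characters.");
        } finally {
            Arrays.fill(pw, ' '); // clear the secret once it is no longer needed
        }
    }
}
```

Running it directly shows the silent prompt; running it as `java PasswordPrompt | cat` shows the warning branch, because stdout is no longer a terminal.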