JDK-4703755 : keytool displays passwords as they are entered
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 1.4.0
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • OS: generic,solaris_9,windows_nt
  • CPU: generic,x86
  • Submitted: 2002-06-18
  • Updated: 2004-11-17
  • Resolved: 2004-11-17
Related Reports
Duplicate :  
JDK-4713591 - keytool should not echo keystore password
Duplicate :  
JDK-4050435 - Improved interactive console I/O (password prompting, line editing)
Description
The keytool displays passwords as they are entered. This
is considered very bad practice from a security point of view.

Example:
# keytool -import -alias patchsigning -file /opt/SUNWppro/etc/certs/patchsigningcert.b64 -keystore /usr/j2se/jre/lib/security/cacerts
Enter keystore password:  foobar
                          ^^^^^^

# java -version
java version "1.4.0_00"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.0_00-b05)
Java HotSpot(TM) Client VM (build 1.4.0_00-b05, mixed mode)
# pkginfo -l SUNWj3rt
   PKGINST:  SUNWj3rt
      NAME:  J2SDK 1.4 runtime environment
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  1.4.0,REV=2002.03.19.23.51
   BASEDIR:  /usr
    VENDOR:  Sun Microsystems, Inc.
      DESC:  Java virtual machine and core class libraries
    PSTAMP:  exactvm-sm19235127
  INSTDATE:  May 06 2002 16:14
   HOTLINE:  Please contact your local service provider
    STATUS:  completely installed
     FILES:      644 installed pathnames
                  14 shared pathnames
                  65 directories
                  60 executables
              107109 blocks used (approx)
# uname -a
SunOS sunhsc 5.9 Generic sun4u sparc SUNW,Ultra-60
Comments
EVALUATION ###@###.### 2002-06-18 We agree that it would be better not to echo the password back to avoid the "peeking over the shoulder" attacks. But currently there is no platform independent way to do this in Java. This is one of the top RFEs filed at http://developer.java.sun.com/developer/bugParade/top25rfes.html (see 4050435). So I'm changing this to "rfe". Once rfe 4050435 is implemented, we'll improve password handling in keytool.
11-06-2004
SUGGESTED FIX Use something with the functionality of getpass(3C) or getpassphrase(3C) to obtain the password from the user.
11-06-2004