GoKawiilUbuntu & Open Source
Starting with the upcoming LTS release, every keystroke at a sudo password prompt will echo an asterisk — a small UX fix that has ignited one of Linux’s fiercest debates in years.
For more than four decades, typing a password after a sudo prompt in a Linux terminal produced nothing visible on screen — no asterisks, no dots, no moving cursor. The blank void was intentional: a guard against “shoulder surfing,” the practice of counting keystrokes to guess a password’s length. Ubuntu 26.04 LTS, codenamed Resolute Raccoon and due on April 23, 2026, changes that.
“Security is theoretically worse since password lengths are exposed to people watching your screen, but this is an infinitesimal benefit far outweighed by the UX issue.” — sudo-rs upstream commit message, enabling pwfeedback by default
user@ubuntu — bash before user@ubuntu:~$ sudo apt update [sudo] password for user:
after user@ubuntu:~$ sudo apt update [sudo] password for user: ********
A History Written in Silence
The original sudo utility was created in 1980 by Bob Coggeshall and Cliff Spencer at the State University of New York at Buffalo. Its silent password prompt was a deliberate security decision from an era when terminals were shared, physical screens were wide-open, and the threat model squarely included people standing behind you counting keystrokes. That behaviour survived — untouched — through nearly half a century of Linux distributions.
The tradition began to crack when Linux Mint enabled visual password feedback by default for its own sudo configuration, quietly demonstrating that the sky would not fall. Still, mainstream distributions, Ubuntu among them, maintained the classic silent prompt.
Enter sudo-rs: Rust Rewrites the Rules
... continue reading