How to Show Asterisks While Typing Sudo Password in Linux

Most applications display asterisks (*******) as feedback while a user types a password. On the Linux terminal, however, when a normal user runs the sudo command to gain superuser privileges and is asked for a password, no visual feedback is shown while the password is typed.

In this article, we will show how to display asterisks as feedback when you type passwords in the terminal in Linux.

Take a look at the following screenshot. Here the user tecmint has invoked the sudo command to install the vim text editor in CentOS 7, but there is no visual feedback as the password is typed (in this case the password has already been entered):

$ sudo yum install vim
[Screenshot: No Sudo Password Shown]

You can enable the password feedback feature in the /etc/sudoers file. First create a backup of the file, then open it for editing using the visudo command, which locks the file and checks its syntax before saving.

$ sudo cp /etc/sudoers /etc/sudoers.bak
$ sudo visudo 

Search for the following line.

Defaults env_reset

And append pwfeedback to it, so that it looks like this.

Defaults env_reset,pwfeedback
[Screenshot: Configure Sudoers File]

Now press the Esc key and type :wq to save and close the file. If you are using the nano editor, save the file by hitting “Ctrl+x” and then “y” followed by “ENTER” to close it.

Then run the command below to reset your terminal for the above changes to start working.

$ reset

That’s it. You should now see visual feedback (****) every time you type a password in the terminal, as shown in the following screenshot.

$ sudo yum update
[Screenshot: Visible Sudo Password]
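
To check whether a host has the setting enabled (for example before deciding to leave it off on stricter systems), the sketch below reads sudoers text and reports each place pwfeedback is set or negated. It is an added example, not part of the original article; the function names and the sample sudoers lines are constructed, and the parser only looks at Defaults lines and does not follow include directives.

```shell
#!/bin/sh
# Added example: report every place sudoers text turns pwfeedback on or off.
# Input: sudoers syntax on stdin. Output: "line N: <scope> on|off" per setting,
# then "global: on|off". The built-in sudo default is off; the last entry wins.
pwfeedback_audit() {
    awk '
    BEGIN { global = "off" }
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }    # join continuation lines
    { line = buf $0; buf = "" }
    line ~ /^[ \t]*#/ { next }                       # comments, #include lines
    line ~ /^[ \t]*Defaults/ {
        sub(/^[ \t]*Defaults/, "", line)
        sub(/[ \t]#.*$/, "", line)                   # trailing comment
        scope = "global"                             # plain "Defaults ..."
        if (match(line, /^[:@>!][^ \t]+/)) {         # Defaults:user @host >runas !cmnd
            scope = substr(line, 1, RLENGTH)
            line = substr(line, RLENGTH + 1)
        }
        n = split(line, opt, ",")
        for (i = 1; i <= n; i++) {
            gsub(/[ \t]/, "", opt[i])
            if (opt[i] != "pwfeedback" && opt[i] != "!pwfeedback") continue
            val = (opt[i] == "pwfeedback") ? "on" : "off"
            printf "line %d: %s %s\n", NR, scope, val
            if (scope == "global") global = val
        }
    }
    END { print "global: " global }
    '
}

# Constructed sample: the edit shown above, a per-user override, a later negation.
sample_sudoers() {
    cat <<'EOF'
Defaults env_reset,pwfeedback
Defaults:backup !pwfeedback
# Defaults pwfeedback
Defaults !pwfeedback, \
         insults
EOF
}

sample_sudoers | pwfeedback_audit
```

On a live system, pipe the real files into the function as root (for example the output of `cat /etc/sudoers /etc/sudoers.d/*`); line numbers then count across the concatenated input.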

You might also like to read the following related articles.

  1. 10 Useful Sudoers Configurations for Setting ‘sudo’ in Linux
  2. How to Run ‘sudo’ Command Without Entering a Password in Linux
  3. Let Sudo Insult You When You Enter Incorrect Password
  4. How to Run Shell Scripts with Sudo Command in Linux

If you have any Linux terminal tips or tricks to share with us, use the comment section below.

Aaron Kili
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.


22 Comments

  1. Some people say that having an indicator when typing the password is a risk, perhaps they’re right, but having no indication at all can also be a risk. Scenario: you’re typing in your password and getting no feedback as expected, you press enter and … nothing happens. Surprise! It turns out another input field on another screen had the focus, and your password is now plaintext in your favorite discord channel. Which is the bigger risk?

    Reply
  2. While the asterisk thing is sometimes justified, for the most part it is just a nuisance. What is needed is the capability to optionally disable it.

    Reply
  3. Looked this up for a bit to see how it worked, turns out you’re discouraged to use env_reset. This is why when I looked into my sudoers file everything was achieved instead via env_keep += "".

    You can just choose to put Defaults pwfeedback as its own line probably pretty much anywhere in the sudoers file.

    Reply
    • The point was to do it WITHOUT modifying sudoers!

      Many places (large places) have very tight control on the sudoers, and rightly so.
      Modifying it for your personal gain is not allowed.

      Also if you have 700+ systems each with their own sudoers setup, you don’t want to be changing it. I distribute my home and it then works on all the systems.

      My technique using the SUDO_ASKPASS hook (with sudo -A option) does not require changes to the system level configuration, it works at a personal level! I also do things to allow me to set up some environment root shell via sudo (for things like X windows).

      Again more personal things you don’t really want set globally.

      Reply
  4. It is possible to get sudo to display stars for password entry WITHOUT modifying the sudo configuration! You first need a program that can read a password while displaying stars…

    For example under most Linux computers you can use systemd-ask-password, next add it to an environment variable:

    $ export SUDO_ASKPASS=/usr/bin/systemd-ask-password
    

    Now you can use that password input program.

    $ sudo -A command_to_run
    

    OR do it all in the one command (or shell alias)…

    $ SUDO_ASKPASS=/usr/bin/systemd-ask-password sudo -A command_to_run
    

    Instead of systemd-ask-password you can also DIY a program to do the same such as described here, and the final resulting shell script here.

    This script will fall back to using systemd-ask-password, if available while also fixing some annoyances with that command to do with TTY settings when interrupted.

    Reply
    • @anthony

      You will have to modify sudo configuration as shown, to the best of our knowledge. Once we find a way to “get sudo to display stars for password entry WITHOUT modifying the sudo configuration”, we will let you know. Thanks for the feedback.

      Reply
      • No configuration changes needed! The echo stars is handled by the external password reader, then passed to sudo.
        I use this technique all the time on Solaris as well as Redhat v5 thru v7.

        Reply
  5. Good job guys. Added this and “Insults” to sudo while I was at it. :)

    Also, Aaron’s comments regarding the potential security risk are spot on. Not everyone believes there’s a cache of password thieves lurking over their shoulders. Virtually every cell phone app and webpage has key-for-key asterisks as feedback when typing your password. This just adds uniformity to the shell. Besides, it’s Linux – you can configure your Linux any way you like.

    Reply
  6. It might be a good idea for you to mention WHY sudo doesn’t do this. Showing asterisks is a security risk, it allows someone (over the shoulder, or screenshot, etc) to know the number of characters you entered, which allows you to reduce the number of brute force attempts.

    Reply
    • @Caleb

      I suppose you are sharing the same concern as @RTR, in case you are operating computers in security critical environments then you can leave this feature turned off, especially where there are strict security policies in place against such practices. But I believe it is useful on personal computers or home work stations.

      Reply
      Yes there are reasons for not showing asterisks. And there are also ways to still get keypress feedback without showing how many characters you typed. It all depends on how you set up your “askpass” program.

      I listed some ideas for this in my study text file passwd_input.txt.

      And look for “WARNING about using echoed stars…”

      Here are some ideas…

      * Output a random number of stars with each character input.
        But you may need to keep track of the number for ‘deletes’.

      * Show an ascii-art animation (a random number of steps) for each key…
        + Cycle a spinning line, \ | / - or pulsing star . + * + .
        + or a short bar with a star bouncing back and forth
        This does not need to keep track for deletions as you just continue the
        animation when you get a delete or reset line signal.

      * Allow the user to turn on no-echo by pressing delete at the start.
        “systemd-ask-password” actually does this, printing “(no echo)”.

      Reply
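
The SUDO_ASKPASS approach from comment 4 and the length-hiding feedback idea from the reply above, combined as an added example (it is not the commenter's script). The file name askpass-stars, the ASKPASS_FEEDBACK variable and the stars/spin mode names are assumptions made for this sketch, and passwords are assumed to be single-byte characters.

```shell
#!/bin/sh
# Added example; "askpass-stars", ASKPASS_FEEDBACK and stars|spin are made up here.
# sudo -A runs $SUDO_ASKPASS with the prompt as $1 and takes the password from
# the helper's stdout, so every byte of feedback goes to the terminal instead.
DEL=$(printf '\177'); BS=$(printf '\010')

# Read one line, byte by byte, from stdin: feedback -> stderr, password -> stdout.
#   stars: one * per key (shows the length)    spin: one cycling cell (hides it)
read_masked() {
    mode=${1:-stars}; pw=''; i=0
    if [ "$mode" = spin ]; then printf '|' >&2; fi
    while c=$(dd bs=1 count=1 2>/dev/null); [ -n "$c" ]; do   # '' = Enter or EOF
        case $c in
            "$DEL"|"$BS")
                if [ -n "$pw" ]; then
                    pw=${pw%?}
                    if [ "$mode" = stars ]; then printf '\b \b' >&2; fi
                fi ;;
            *)
                pw=$pw$c
                if [ "$mode" = stars ]; then printf '*' >&2; fi ;;
        esac
        if [ "$mode" = spin ]; then          # same animation for typing and deleting
            i=$(( (i + 1) % 4 ))
            case $i in 0) f='|';; 1) f='/';; 2) f='-';; 3) f='\';; esac
            printf '\b%s' "$f" >&2
        fi
    done
    printf '\n' >&2
    printf '%s\n' "$pw"
}

# Terminal wiring: unbuffered, no-echo input on /dev/tty, restored even on Ctrl-C.
askpass_main() {
    saved=$(stty -g </dev/tty) || return 1
    trap 'stty "$saved" </dev/tty; exit 130' INT TERM HUP
    printf '%s' "${1:-Password: }" >/dev/tty
    stty -echo -icanon min 1 time 0 </dev/tty
    read_masked "${ASKPASS_FEEDBACK:-stars}" </dev/tty 2>/dev/tty
    stty "$saved" </dev/tty
}

# Runs only when installed under this (hypothetical) name, e.g.
#   SUDO_ASKPASS=$HOME/bin/askpass-stars sudo -A command_to_run
case ${0##*/} in askpass-stars) askpass_main "$@" ;; esac
```

The password only ever travels through a shell variable and the pipe back to sudo, never through a command-line argument.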
  7. What for? To make sure that nobody is going to be able to look over your shoulder and lift your password? There are far simpler ways of thwarting this particular attack vector. This is an idea that looked virtuous originally, that was never that great, that probably creates more issues than it solves, and that should be ditched, once and for all.

    Reply
    • @RTR

      Good concern, but I believe as long as the password is not seen, there should really be some kind of visual feedback for a user to know the length of a password they have typed, particularly for long passwords.

      However, if you are working in security critical environments then you can disable this feature, especially where there are strict security policies in place against such practices.

      Reply
  8. Use nano much? “Ctrl+x” and “Ctrl + y” does not save a file with nano. “Ctrl+x” then “y” followed by “ENTER” does.

    Reply
