Rust-based sudo to show asterisks by default, exposing password length
Rust-based sudo (sudo-rs) will show asterisks by default when typing passwords, revealing password length; the change is slated for Ubuntu 26.04 in April and has sparked debate.
sudo-rs, the Rust-based implementation of sudo, will start displaying asterisks by default when users enter passwords, a behavior change that can reveal password length to anyone looking over a shoulder. Ubuntu's inclusion plan names Ubuntu 26.04 for the change and schedules it to land in the April release, making the adjustment unavoidable for systems upgraded to that distribution.
The change in sudo-rs replaces the current concealed entry method with visible asterisks while typing, which developers say improves the user experience for interactive sessions. Developers summarize the trade-off by calling the security downside negligible compared to the improved feedback that asterisks provide during password entry.
Security implications center on the exposed password length. Showing asterisks converts a previously opaque input into a reproducible signal - the exact number of characters typed becomes visible. That detail has triggered a sharp debate within Rust-focused communities and among Ubuntu users, and the conversation intensified on February 27, 2026 as the April timeline became clear.
System administrators and developers who manage desktops or servers on Ubuntu 26.04 need to evaluate the change before rolling out upgrades. Because Ubuntu 26.04 is scheduled for April, operators have a window to test sudo-rs behavior in staging environments and to document whether the visible-length trade-off is acceptable for their threat model and compliance requirements.
The developer argument that the security downside is negligible leaves a narrow policy choice for operators: accept the improved interactive feedback in April's Ubuntu 26.04, or hold upgrades and delay adoption until alternative builds or configuration options appear. The Rust and Ubuntu discussion on February 27, 2026 suggests maintainers may still respond to deployment feedback before the April release.
Expect practical follow-up over the next six weeks as Ubuntu 26.04 approaches in April. The specific change in sudo-rs - showing asterisks by default and thereby exposing password length - is concrete and scheduled, and the community debate that erupted on February 27, 2026 will determine whether developers stick with the plan or add opt-outs before the distribution ships.
Know something we missed? Have a correction or additional information?
Submit a Tip
