On Wed, Dec 20, 2017 at 10:54:25AM +0000, Curt wrote:
> On 2017-12-20, <to...@tuxteam.de> <to...@tuxteam.de> wrote:
> >
> > On Tue, Dec 19, 2017 at 02:07:34PM -0800, Don Armstrong wrote:
> >> On Wed, 20 Dec 2017, root kea wrote:
> >> > I want *default* password agent to be consistent with traditional *Nix
> >> > password handling. And that is echoing NOTHING at all.

[...]

> > Yes, the good ol' click-to-focus culture war, I know ;-P
> >
> I wonder if the suppression of the echoed asterisks on the screen
> obviates the scenario of the malevolent bystander counting the number of
> characters in the OP's password.
>
> Perhaps his keystrokes make no noise because he has made some provision
> to suppress the telltale auditory signals emitted by his keyboard, but
> I'm assuming our malevolent bystander (with his back, cleverly, to the
> OP's terminal) has his smartphone recording clicks.
>
> But then again in the end the OP invokes "tradition," so all bets are
> effectively off. I suppose he could argue that at least one attack
> vector has been eliminated once he stops seeing stars, although the
> real-world utility of knowing the length of a high-entropy password
> requires demonstration.

I think the most important thing here is "give the user the possibility
to use the software as (s)he pleases" vs. "we know better than you: suck
it up". Granted, I'm biased here.

"Just tradition" is perhaps another way to frame this conflict, maybe
with the other bias :-)

Cheers
-- 
tomás