Display feedback while typing password in terminal.

Joseph Sinclair plug-discussion at stcaz.net
Mon Sep 9 19:45:14 MST 2013


Changing it to echo the output would, in fact, break a TON of things, particularly if getpass() were changed, since a lot of calls like that don't actually have an attached terminal (we programmers do weird things sometimes).  Even passwd is used in situations where echo would break scripts and programs written with somewhat delicate assumptions about output.

The primary reason the password prompts don't echo input is precisely because knowing the exact length of a password is a huge advantage when trying to break into a system, and the echo could easily be picked up via network sniffers (packet count) or by various forms of offline or social attack, ranging from simple shoulder surfing to hacked wifi security cameras.

Adding the echo gets floated as an idea every now and then, and it usually results in a copy/paste of the same, quite vigorously unpleasant, response used in the past.

It's not too hard (as noted in other places) to add the visual feedback for the user if you're writing a program or GUI interface.
If the user is using passwd directly, they should be savvy enough to know it won't echo (or the admin can wrap passwd as suggested elsewhere).

==Joseph++

On 09/09/2013 07:42 AM, Dazed_75 wrote:
> "Why is it not seeing my typing?" is one of the most frequent questions I
> get from newbies though.  Makes me wonder if it would break anything for
> anyone if it were changed upstream to echo each input character with an
> asterisk.  Any ideas if it would?  Would it make a difference if passwd or
> getpass() were changed?  Would it be a security issue in any way?
> 
> 
> On Mon, Sep 9, 2013 at 6:49 AM, Shawn Badger <shawn at badger.pro> wrote:
> 
>> Thanks Brian,  I was hoping it wouldn't be that deep of a change, I think
>> my users will just have to get used to it since I'm not thinking it a big
>> enough problem to change the app. It is always good to be able to have the
>> choice to though :)
>>
>>
>>
>>
>>
>> On Fri, Sep 6, 2013 at 8:51 AM, Brian Cluff <brian at snaptek.com> wrote:
>>
>>> I was just reading through the source for passwd and it looks like there
>>> isn't a way to do it without rewriting parts of passwd to not use the
>>> getpass function, or rewriting getpass itself if you want everything to
>>> output the stars.
>>>
>>>         The  getpass()  function  opens  /dev/tty (the controlling
>>>         terminal of the process), outputs the string prompt, turns off
>>>         echoing, reads one line (the "password"), restores the terminal
>>>         state and closes /dev/tty again.
>>>
>>> Brian Cluff
>>>
>>>
>>> On 09/06/2013 08:13 AM, Shawn Badger wrote:
>>>
>>>> Thanks Larry!!
>>>> I have found several articles on how to do form within sudo, but nothing
>>>> on how to get passwd or bash to do it so far.
>>>>
>>>>
>>>> On Thu, Sep 5, 2013 at 4:29 PM, Dazed_75 <lthielster at gmail.com> wrote:
>>>>
>>>>     Oops!  I misread your question.  That was for the part you already know.
>>>>
>>>>
>>>>     On Thu, Sep 5, 2013 at 4:27 PM, Dazed_75 <lthielster at gmail.com> wrote:
>>>>
>>>>         http://www.maketecheasier.com/quick-tips/show-password-asterisks-in-terminal
>>>>
>>>>         worked for me :)
>>>>
>>>>
>>>>         On Thu, Sep 5, 2013 at 12:55 PM, Shawn Badger <shawn at badger.pro> wrote:
>>>>
>>>>             I have how to display password feedback while using sudo,
>>>>             but Google has failed me on how to display feedback while
>>>>             running passwd in a terminal session.  Does anyone know if
>>>>             the pwfeedback environment setting works outside of sudoers
>>>>             file or an equivalent setting for the passwd command?
>>>>
>>>>
>>>>
>>>>             ---------------------------------------------------
>>>>             PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>>>             To subscribe, unsubscribe, or to change your mail settings:
>>>>             http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>
>>>>
>>>>
>>>>
>>>>         --
>>>>         Dazed_75 a.k.a. Larry
>>>>
>>>>         Please protect my address like I protect yours. When sending
>>>>         messages to multiple recipients, use the BCC: (Blind carbon
>>>>         copy). Remove addresses from a forwarded message body before
>>>>         clicking Send.
>>>>
>>>>
>>>>
>>>>
>>>>     --
>>>>     Dazed_75 a.k.a. Larry
>>>>
> 
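
Added example, not part of the original thread or anyone's posted code: a Python sketch of the getpass() sequence quoted above (prompt, echo off, read one line, restore the terminal), with the per-key feedback as an opt-in and a fallback for the no-terminal case raised in the reply. The function name `read_password` and its `fd`, `prompt` and `mask` parameters are assumptions of this sketch.

```python
import os
import termios

def read_password(fd, prompt=b"Password: ", mask=None):
    """Read one line from fd with echo off; mask (e.g. b"*") is opt-in feedback.

    fd, prompt and mask are assumptions of this sketch; in real use fd would
    be an open descriptor for /dev/tty. Returns bytes without the newline.
    """
    if not os.isatty(fd):
        # No terminal attached (pipe, script, cron job): emit nothing and
        # leave termios alone, just consume one line.
        buf = bytearray()
        while (ch := os.read(fd, 1)) not in (b"", b"\n"):
            buf += ch
        return bytes(buf)

    saved = termios.tcgetattr(fd)
    quiet = termios.tcgetattr(fd)
    quiet[3] &= ~(termios.ECHO | termios.ICANON)  # lflag: no echo, per-key reads
    quiet[6][termios.VMIN], quiet[6][termios.VTIME] = 1, 0
    buf = bytearray()
    try:
        # TCSANOW keeps typeahead; TCSAFLUSH would also discard pending input.
        termios.tcsetattr(fd, termios.TCSANOW, quiet)
        os.write(fd, prompt)
        while (ch := os.read(fd, 1)) not in (b"", b"\n", b"\r"):
            if ch in (b"\x7f", b"\x08"):          # DEL / backspace
                if buf:
                    buf.pop()
                    if mask:
                        os.write(fd, b"\b \b")    # rub out one mask character
                continue
            buf += ch
            if mask:
                os.write(fd, mask)                # this is what reveals length
        os.write(fd, b"\n")
    finally:
        termios.tcsetattr(fd, termios.TCSANOW, saved)  # always restore state
    return bytes(buf)

if __name__ == "__main__":
    tty_fd = os.open("/dev/tty", os.O_RDWR)
    try:
        secret = read_password(tty_fd, mask=b"*")
    finally:
        os.close(tty_fd)
    print("password read" if secret else "empty password")
```

With `mask=None` (the default) nothing is written per keystroke, so the terminal output is the same for any password length.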
