As in everything, it depends on the situation:

https://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html

The Security Now podcast has also expressed doubt on the practice in common cases.

My take is that a few flags to control the behavior with convenient defaults perhaps, show_text=True, display_char=None, display_delay=0, and a Ctrl-T keybinding to toggle (as mentioned elsewhere).

A good case could also be made for the most secure defaults instead. As long as the toggle keybinding were available it wouldn't be a great burden.

This is a console-only solution, correct? So, Ctrl/Alt keys should be available.

-Mike

On 2016-01-13 02:04, Steven D'Aprano wrote:
I don't know... I'm about 35% convinced that obfuscating the password is just security theatre. I'm not sure that "shoulder surfing" of passwords is a significant threat.
But the other 65% tells me that we should continue to obfuscate.