[Python-ideas] Password masking for getpass.getpass

M.-A. Lemburg mal at egenix.com
Wed Jan 13 05:36:07 EST 2016


On 13.01.2016 04:07, Ethan Furman wrote:
> On 01/12/2016 06:45 PM, Oleg Broytman wrote:
>> On Wed, Jan 13, 2016 at 01:22:02PM +1100, Chris Angelico wrote:
>>> On Wed, Jan 13, 2016 at 1:17 PM, Oleg Broytman wrote:
>>>> On Wed, Jan 13, 2016 at 12:54:14PM +1100, Steven D'Aprano wrote:
> 
>>>>> The old convention on Linux and Unix is to just suppress all feedback,
>>>>> but even on Linux GUI applications normally show bullets or asterisks.
>>>>
>>>>     Modern GUIs show the real character for a short period of time and
>>>> then replace it with an asterisk.
>>>
>>> Ugh. I've only seen that on mobile devices, not on any desktop GUI,
>>
>>     On desktop (Windows) I saw a password entry with a checkbox to switch
>> between real characters and asterisks.
> 
> While that can be handy, it is not the same as displaying each character as it is typed and then
> covering it with something else.  I agree with ChrisA and hope that never becomes the convention on
> non-mobile devices.

At least in Windows GUIs, the password field only provides a
very thin layer to obfuscate the underlying password text:

http://www.nirsoft.net/utils/bullets_password_view.html

More secure systems always show 8 bullets regardless of how
many characters the password actually has and only provide
limited feedback when hitting a key without allowing one to
see the number of chars in the password.

Not showing anything is certainly more secure than any other
method of providing user feedback, so I agree that we should
not make this the default.

-- 
Marc-Andre Lemburg
eGenix.com
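
The three feedback schemes compared in the message above, as an added example that is not part of the original post or of the `getpass` module. The function name `read_masked`, its mode names, the decision to show nothing until the first key in "fixed" mode, and the sample keystrokes are all assumptions made for illustration.

```python
# Added illustration: models what an onlooker sees on screen for each scheme.
# read_masked and its modes are hypothetical names, not a getpass API.
BACKSPACE = {"\x7f", "\b"}
ENTER = {"\r", "\n"}
FIXED_WIDTH = 8  # the "always 8 bullets" scheme described in the message


def read_masked(keys, mode="none", mask="*"):
    """Consume keystrokes until Enter; return (password, final_screen_text).

    mode "none"  : no feedback at all (what getpass.getpass does)
    mode "echo"  : one mask character per typed character
    mode "fixed" : constant-width field once anything has been typed
    """
    if mode not in ("none", "echo", "fixed"):
        raise ValueError("unknown mode: %r" % mode)
    buf = []
    for key in keys:
        if key in ENTER:
            break
        if key in BACKSPACE:
            if buf:              # backspace on an empty field is a no-op
                buf.pop()
        elif key == "\x03":      # Ctrl-C aborts instead of being stored
            raise KeyboardInterrupt
        elif key.isprintable():
            buf.append(key)
    if mode == "echo":
        screen = mask * len(buf)         # leaks the exact length
    elif mode == "fixed" and buf:
        screen = mask * FIXED_WIDTH      # same width for any length
    else:
        screen = ""                      # nothing for an onlooker to count
    return "".join(buf), screen


# Constructed sample input: two passwords of different length, one with edits.
SHORT_KEYS = "hunter2\r"
LONG_KEYS = "correct horse\x7f\x7fse\r"

if __name__ == "__main__":
    for mode in ("none", "echo", "fixed"):
        for keys in (SHORT_KEYS, LONG_KEYS):
            password, screen = read_masked(keys, mode)
            print("%-5s len=%2d screen=%r" % (mode, len(password), screen))
```
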