[Python-ideas] Password masking for getpass.getpass
Mike Miller
python-ideas at mgmiller.net
Wed Jan 13 12:56:44 EST 2016
As in everything, it depends on the situation:
https://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html
The Security Now podcast has also expressed doubt on the practice in common cases.
My take is that a few flags to control the behavior with convenient defaults
perhaps, show_text=True, display_char=None, display_delay=0, and a Ctrl-T
keybinding to toggle (as mentioned elsewhere).
A good case could also be made for the most secure defaults instead. As long as
the toggle keybinding were available it wouldn't be a great burden. This is a
console-only solution, correct? So, Ctrl/Alt keys should be available.
-Mike
On 2016-01-13 02:04, Steven D'Aprano wrote:
> I don't know... I'm about 35% convinced that obfuscating the password is
> just security theatre. I'm not sure that "shoulder surfing" of passwords
> is a significant threat.
>
> But the other 65% tells me that we should continue to obfuscate.
>
More information about the Python-ideas
mailing list