When calling getpass.getpass(), certain circumstances cause it to fallback to getpass.fallback_getpass, such as when swapping out sys.stdin for another object in a unit test.

In such a circumstance, fallback_getpass may be called with stream=None when getpass itself was called without a stream.  fallback_getpass needs a stream to write the "Warning: Password input may be echoed" warning to, and reasonably chooses stderr.  However, this choice persists down into getpass._raw_input, where the user is then shown the password prompt on stderr as well.  Instead of on stderr, the user should get the password prompt on stdout.

tl;dr: Some calls to getpass.getpass result in a password prompt on stderr.

Bad behavior: password prompt displayed over stderr.
Expected behavior: password prompt should be on stdout.

Found in 3.4, looks like it's the same in 3.5.

I will attach a patch in a few moments, after I get my dev environment sorted out.

Patch attached.

I'm unsure whether forcing the warning message to stderr is the right choice here, but it seems unlikely that users would want their warning and password prompt on the same stream.  The alternative here would be a second kwarg, but that seems overkill.

Why do you think using stderr is bad behaviour, or that a user would want the prompt and warning on different streams? As far as I can tell, the documentation already says that stderr is used by default, and there are other unpatched references to sys.stderr left.

See also Issue 1927, where Serhiy wants to change input() to always prompt to stderr rather than stdout.

stdout is much more likely to be redirected than stderr, so falling back to stderr makes more sense than falling back to stdout.  In the normal case, the prompt is shown regardless of whether stdout is redirected, and we're trying our best to replicate that in the fallback.