Message 339803 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	stevoisiak
Recipients	matanya.stroh, r.david.murray, stevoisiak
Date	2019-04-09.19:00:04
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1554836405.0.0.288850383089.issue32884@roundup.psfhosted.org>
In-reply-to

Content
@matanya.stroh: Don't forget to erase the asterisks if the user hits backspace. ``` def win_getpass(prompt='Password: ', stream=None, show_asterisks=False): """Prompt for password with echo off, using Windows getch().""" if sys.stdin is not sys.__stdin__: return fallback_getpass(prompt, stream) for c in prompt: msvcrt.putwch(c) pw = "" while 1: c = msvcrt.getwch() if c == '\r' or c == '\n': break if c == '\003': raise KeyboardInterrupt if c == '\b': if len(pw) > 0: pw = pw[:-1] msvcrt.putwch('\b') msvcrt.putwch(' ') msvcrt.putwch('\b') else: pw = pw + c if show_asterisks: msvcrt.putwch('*') msvcrt.putwch('\r') msvcrt.putwch('\n') return pw ``` Alternatively, could let the user define the masking character, similar to Tkinter's Entry widget. ``` def win_getpass(prompt='Password: ', stream=None, mask=''): """Prompt for password with echo off, using Windows getch().""" if sys.stdin is not sys.__stdin__: return fallback_getpass(prompt, stream) if len(mask) > 1: raise TypeError('mask argument must be a zero- or one-character str') for c in prompt: msvcrt.putwch(c) pw = "" while 1: c = msvcrt.getwch() if c == '\r' or c == '\n': break if c == '\003': raise KeyboardInterrupt if c == '\b': if len(pw) > 0: pw = pw[:-1] msvcrt.putwch('\b') msvcrt.putwch(' ') msvcrt.putwch('\b') else: pw = pw + c if mask: msvcrt.putwch(mask) msvcrt.putwch('\r') msvcrt.putwch('\n') return pw ``` I'm in favor of supporting masking. While it does reveal the password length, it's an accessibility feature many users have come to expect. I'd rather have this in the standard library than have developers implement their own custom, potentially insecure methods for password input.

@matanya.stroh: Don't forget to erase the asterisks if the user hits backspace.

```
def win_getpass(prompt='Password: ', stream=None, show_asterisks=False):
    """Prompt for password with echo off, using Windows getch()."""
    if sys.stdin is not sys.__stdin__:
        return fallback_getpass(prompt, stream)

    for c in prompt:
        msvcrt.putwch(c)
    pw = ""
    while 1:
        c = msvcrt.getwch()
        if c == '\r' or c == '\n':
            break
        if c == '\003':
            raise KeyboardInterrupt
        if c == '\b':
            if len(pw) > 0:
                pw = pw[:-1]
                msvcrt.putwch('\b')
                msvcrt.putwch(' ')
                msvcrt.putwch('\b')
        else:
            pw = pw + c
            if show_asterisks:
                msvcrt.putwch('*')
    msvcrt.putwch('\r')
    msvcrt.putwch('\n')
    return pw
```

Alternatively, could let the user define the masking character, similar to Tkinter's Entry widget.

```
def win_getpass(prompt='Password: ', stream=None, mask=''):
    """Prompt for password with echo off, using Windows getch()."""
    if sys.stdin is not sys.__stdin__:
        return fallback_getpass(prompt, stream)
    if len(mask) > 1:
        raise TypeError('mask argument must be a zero- or one-character str')

    for c in prompt:
        msvcrt.putwch(c)
    pw = ""
    while 1:
        c = msvcrt.getwch()
        if c == '\r' or c == '\n':
            break
        if c == '\003':
            raise KeyboardInterrupt
        if c == '\b':
            if len(pw) > 0:
                pw = pw[:-1]
                msvcrt.putwch('\b')
                msvcrt.putwch(' ')
                msvcrt.putwch('\b')
        else:
            pw = pw + c
            if mask:
                msvcrt.putwch(mask)
    msvcrt.putwch('\r')
    msvcrt.putwch('\n')
    return pw
```

I'm in favor of supporting masking. While it does reveal the password length, it's an accessibility feature many users have come to expect.

I'd rather have this in the standard library than have developers implement their own custom, potentially insecure methods for password input.

History
Date	User	Action	Args
2019-04-09 19:00:05	stevoisiak	set	recipients: + stevoisiak, r.david.murray, matanya.stroh
2019-04-09 19:00:04	stevoisiak	set	messageid: <1554836405.0.0.288850383089.issue32884@roundup.psfhosted.org>
2019-04-09 19:00:04	stevoisiak	link	issue32884 messages
2019-04-09 19:00:04	stevoisiak	create