
Author steven.daprano
Recipients matanya.stroh, r.david.murray, steven.daprano, stevoisiak
Date 2019-06-06.03:14:56
Message-id <1559790896.72.0.519682154379.issue32884@roundup.psfhosted.org>
In-reply-to
Content
See also #36566. (Thanks Cheryl.)

I think the usability improvement for this far outweighs the decrease in security.

The days where somebody looking over your shoulder watching you type your password was the major threat are long gone. Hiding the length of the password against a shoulder-surfing adversary is so-1970s :-)

For old-school Unix types we ought to default to hiding the password. But I'm +1 in allowing developers to choose to trade off a tiny decrease in security against a major increase in usability.

The bottom line is that if you have a weak password, hiding the length won't save you; if you have a strong password, hiding the length doesn't add any appreciable difficulty to the attacker.
History
Date User Action Args
2019-06-06 03:14:56 steven.daprano set recipients: + steven.daprano, r.david.murray, matanya.stroh, stevoisiak
2019-06-06 03:14:56 steven.daprano set messageid: <1559790896.72.0.519682154379.issue32884@roundup.psfhosted.org>
2019-06-06 03:14:56 steven.daprano link issue32884 messages
2019-06-06 03:14:56 steven.daprano create