[issue32884] Adding the ability for getpass to print asterisks when passowrd is typed

[Rémi Lapeyre]

Change by Rémi Lapeyre :


--
nosy: +remi.lapeyre

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue32884] Adding the ability for getpass to print asterisks when passowrd is typed

[Steven D'Aprano]

Steven D'Aprano  added the comment:

See also #36566. (Thanks Cheryl.)

I think the usability improvement for this far outweigh the decrease in 
security.

The days where somebody looking over your shoulder watching you type your 
password was the major threat are long gone. Hiding the length of the password 
against a shoulder-surfing adversary is so-1970s :-)

For old-school Unix types we ought to default to hiding the password. But I'm 
+1 in allowing developers to choose to trade off a tiny decrease in security 
against a major increase in usability.

The bottom line is that if you have a weak password, hiding the length won't 
save you; if you have a strong password, hiding the length doesn't add any 
appreciable difficulty to the attacker.

--
nosy: +steven.daprano
versions: +Python 3.9 -Python 3.8

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue32884] Adding the ability for getpass to print asterisks when passowrd is typed

[Steven Vascellaro]

Steven Vascellaro  added the comment:

@matanya.stroh: Don't forget to erase the asterisks if the user hits backspace.

```
def win_getpass(prompt='Password: ', stream=None, show_asterisks=False):
"""Prompt for password with echo off, using Windows getch()."""
if sys.stdin is not sys.__stdin__:
return fallback_getpass(prompt, stream)

for c in prompt:
msvcrt.putwch(c)
pw = ""
while 1:
c = msvcrt.getwch()
if c == '\r' or c == '\n':
break
if c == '\003':
raise KeyboardInterrupt
if c == '\b':
if len(pw) > 0:
pw = pw[:-1]
msvcrt.putwch('\b')
msvcrt.putwch(' ')
msvcrt.putwch('\b')
else:
pw = pw + c
if show_asterisks:
msvcrt.putwch('*')
msvcrt.putwch('\r')
msvcrt.putwch('\n')
return pw
```

Alternatively, could let the user define the masking character, similar to 
Tkinter's Entry widget.

```
def win_getpass(prompt='Password: ', stream=None, mask=''):
"""Prompt for password with echo off, using Windows getch()."""
if sys.stdin is not sys.__stdin__:
return fallback_getpass(prompt, stream)
if len(mask) > 1:
raise TypeError('mask argument must be a zero- or one-character str')

for c in prompt:
msvcrt.putwch(c)
pw = ""
while 1:
c = msvcrt.getwch()
if c == '\r' or c == '\n':
break
if c == '\003':
raise KeyboardInterrupt
if c == '\b':
if len(pw) > 0:
pw = pw[:-1]
msvcrt.putwch('\b')
msvcrt.putwch(' ')
msvcrt.putwch('\b')
else:
pw = pw + c
if mask:
msvcrt.putwch(mask)
msvcrt.putwch('\r')
msvcrt.putwch('\n')
return pw
```

I'm in favor of supporting masking. While it does reveal the password length, 
it's an accessibility feature many users have come to expect.

I'd rather have this in the standard library than have developers implement 
their own custom, potentially insecure methods for password input.

--
nosy: +stevoisiak

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue32884] Adding the ability for getpass to print asterisks when passowrd is typed

[R. David Murray]

R. David Murray  added the comment:

getpass is emulating the unix password prompt behavior.  I'm not sure if the 
complication is worth it, especially since not echoing asterisks is, as you 
observe, fractionally more secure.  So I guess I'm about -.5 on this feature.

--
nosy: +r.david.murray

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue32884] Adding the ability for getpass to print asterisks when passowrd is typed

[Matanya Stroh]

Matanya Stroh  added the comment:

for getpass.win_getpass() it can simply be done by adding this line
msvcrt.putch("*").
So the code will look like:

def win_getpass(prompt='Password: ', stream=None):
"""Prompt for password with echo off, using Windows getch()."""
if sys.stdin is not sys.__stdin__:
return fallback_getpass(prompt, stream)

for c in prompt:
msvcrt.putwch(c)
pw = ""
while 1:
c = msvcrt.getwch()
if c == '\r' or c == '\n':
break
if c == '\003':
raise KeyboardInterrupt
if c == '\b':
pw = pw[:-1]
else:
pw = pw + c
msvcrt.putch("*") #Line that was added
msvcrt.putwch('\r')
msvcrt.putwch('\n')
return pw

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue32884] Adding the ability for getpass to print asterisks when passowrd is typed

[Matanya Stroh]

New submission from Matanya Stroh :

I saw some questions about it in stackoverflow (links below), and also find it 
very useful to have the ability to print asterisks.
Some users, find it disturbing when they don't have any indication that 
password is typed, and it will be helpful to have it.

I know that it's have some risks exposing the number of chars to the password, 
but I think it's worth it.

When using Jupyter (notebook server is 4.3.1) the password does echoed as "*", 
but not in Python IDE in linux and Windows

1) 
https://stackoverflow.com/questions/10990998/how-to-have-password-echoed-as-asterisks
2) 
https://stackoverflow.com/questions/7838564/how-to-read-password-with-echo-in-python-console-program

--
components: Library (Lib)
messages: 312410
nosy: matanya.stroh
priority: normal
severity: normal
status: open
title: Adding the ability for getpass to print asterisks when passowrd is typed
type: enhancement
versions: Python 3.8

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com