jbverschoor 15 hours ago

Weird argument about the logging password forging the same in a GUI. Because it certainly is not when logging in using a terminal locale or ssh, for that matter.

tsimionescu 14 hours ago | parent [-]

Either way, password lengths are exposed in virtually all scenarios except the Unix Terminal - and have caused 0 issues in practice. The default of hiding password inputs really is useless security theater, and always has been.

The crazier part is Ubuntu using a pre-1.0 software suite instead of software that has been around for decades. The switch to Rust coreutils is far too early.

hnlmorg 12 hours ago | parent [-]

> and have caused 0 issues in practice

Do you have some data to back that up? Because I doubt it’s literally 0. I make this point because we shouldn’t talk about absolutes when discussing security.

For example, knowing a password length does make it easier to crack a password. So it's not strictly "security theatre".

So the real question isn't whether it has any security benefit; it's more whether the convenience is greater than the risk it introduces.

Framing it like this is important because for technical users like us on HN, we’d obviously mostly say the convenience is negligible and thus are more focused on the security aspect of the change.

But for the average Desktop Ubuntu user, that convenience aspect is more pronounced.

This is why you’re going to see people argue against this change on HN. Simply put, different people have different risk appetites.

SAI_Peregrinus 5 hours ago | parent [-]

Knowing password length makes it easier to crack an insecure password.

The SHA256 hash of a 6-symbol diceware password, where each symbol has its first letter capitalized and the rest lowercase, with 1! appended for compliance with misguided composition rules is 540b5417b5ecb522715fd4bb30f412912038900bd4ba949ea6130c8cb3c16012. There are 37 octets in the password. You know the length. You know the composition rules. You have an unsalted hash. It's only 77 or so bits of entropy. Get cracking, I'll wait.
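The entropy arithmetic behind the two preceding comments (hnlmorg's claim that a known length helps an attacker, and SAI_Peregrinus's ~77-bit diceware figure), worked through as an added example that is not code from any commenter. It assumes a standard 7776-word diceware list, a 95-character printable-ASCII alphabet for conventional passwords, and a constructed guess rate of 1e10 hashes per second; the function names are my own.

```python
import math

DICEWARE_WORDS = 7776        # 6^5 entries in a standard diceware list
PRINTABLE_ASCII = 95         # printable ASCII characters usable in a password
GUESSES_PER_SECOND = 1e10    # constructed figure for an unsalted SHA-256 cracking rig


def diceware_bits(n_words, wordlist_size=DICEWARE_WORDS):
    """Entropy of an n-word diceware passphrase. Deterministic decorations
    (capitalising each word, appending a fixed '1!') add nothing because the
    attacker is assumed to know the composition rule."""
    return n_words * math.log2(wordlist_size)


def charset_bits_known_length(alphabet_size, length):
    """Entropy of a uniformly random password when the attacker knows its length."""
    return length * math.log2(alphabet_size)


def charset_bits_unknown_length(alphabet_size, max_length, min_length=1):
    """Entropy when the attacker only knows the length lies in
    [min_length, max_length]: the search space is the sum over all lengths."""
    total = sum(alphabet_size ** k for k in range(min_length, max_length + 1))
    return math.log2(total)


def length_knowledge_gain_bits(alphabet_size, max_length, min_length=1):
    """How many bits of work an attacker saves by learning the exact length,
    compared with having to search every length up to max_length."""
    return (charset_bits_unknown_length(alphabet_size, max_length, min_length)
            - charset_bits_known_length(alphabet_size, max_length))


def expected_crack_seconds(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time to hit a uniformly random secret of the given entropy:
    on average half of the space is searched before the hit."""
    return (2 ** (bits - 1)) / guesses_per_second


if __name__ == "__main__":
    six_words = diceware_bits(6)
    print(f"6-word diceware: {six_words:.1f} bits, "
          f"~{expected_crack_seconds(six_words) / (3600 * 24 * 365):.0f} years at 1e10/s")
    for length in (8, 10, 12):
        gain = length_knowledge_gain_bits(PRINTABLE_ASCII, length)
        print(f"{length}-char ASCII password: knowing the length saves {gain:.3f} bits")
```

The numbers make both commenters' points precise: six diceware words give about 77.5 bits regardless of the known composition rule, and for a character password the geometric sum over shorter lengths is dominated by the longest term, so learning the exact length saves the attacker only about 0.015 bits of work. Length disclosure is a real but tiny leak; it becomes decisive only when the password is weak to begin with.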