zenethian 15 hours ago

You got some sources or did you just make that up?

Because to hell with UX when it comes to security. Knowing the exact length of a password absolutely makes it significantly less secure, and knowing the timing of the keystrokes doubly so.

hrmtst93837 an hour ago

This is security theater. Masking sudo input does nothing against keyloggers, shoulder-surfing, or anyone reading your terminal, and pretending password length is the deciding leak ignores the much larger attack surface around a compromised box. If password length is where your threat model gets scary, you've already lost.

9dev 15 hours ago

Yet somehow, none of the other high security tools I have ever interacted with seem to do this for some reason. No auditor flags it. No security standard recommends hiding it.

But SUDO is the one bastion where it is absolutely essential to not offer hiding keystrokes as an obscure config option, but enable for everyone and their mother?

12 hours ago
[deleted]
creatonez 14 hours ago

And once you start adding these accessibility problems, people will respond by using weaker passwords.

baq 13 hours ago

> Because to hell with UX when it comes to security.

I don’t think you have any idea how wrong you are.

plorkyeran 7 hours ago

Bad security UX that results in users bypassing security mechanisms entirely is probably the single biggest source of real-world security problems.