jadamson 15 hours ago

I don't understand your suggestion. If you're still showing one character after each character entered, what's changed?

What's the benefit of having a random character from a random set, instead of just a random character?

oneeyedpigeon 14 hours ago

I think the idea is that each character overwrites the previous, so you're never showing the total length (apart from 0/1!)

jadamson 14 hours ago

Ah, and the characters are supposed to be an ASCII spinner.

I think if I was new to Linux that would confuse the life out of me :)

NiloCK 14 hours ago

There's no persistent reveal of password length after you're finished typing. It reduces the length-reveal leak from anyone who eventually sees the terminal log to people who are actively over-the-shoulder as you type it.

ordu 13 hours ago

If you can see 1 char from a set of 4, you know the number of characters modulo 4. If the minimum length of a password is 6, and probably it is no longer than 12 characters, then you can narrow the length to 1 or 2 numbers. It is marginally better than asterisks, of course, but it is still confusing.

NiloCK 7 hours ago

The original suggestion included randomizing the first character of the set, which removes this attack.

DrawTR 14 hours ago

They mean to have a static single character on the screen and have it change with every keypress. For example, you type "a" and it shows "/". You type "b" and it shows "|", etc.
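Added example, not code from any commenter or from the tool being discussed: a simulation of the length-modulo-4 leak raised in the thread and of the randomized starting offset given as the fix. The four-glyph set `/-\|` and all function names are assumptions; the thread itself only names "/" and "|".

```python
import secrets

SPINNER = "/-\\|"  # assumed 4-glyph set; the thread only names "/" and "|"

def final_glyph(length, start):
    """Glyph left on screen after `length` keypresses ('' if nothing typed).

    Each keypress overwrites the previous glyph, so only one cell is ever used.
    """
    if length == 0:
        return ""
    return SPINNER[(start + length - 1) % len(SPINNER)]

def candidate_lengths(glyph, lo, hi, start=None):
    """Lengths in [lo, hi] consistent with the glyph left in a terminal log.

    start=None models a reader of the log who does not know the offset.
    """
    starts = range(len(SPINNER)) if start is None else [start]
    return [n for n in range(lo, hi + 1)
            if any(final_glyph(n, s) == glyph for s in starts)]

def prompt_feedback(length):
    """One simulated prompt: a fresh secret offset, then `length` keypresses."""
    return final_glyph(length, secrets.randbelow(len(SPINNER)))

if __name__ == "__main__":
    # Fixed, publicly known start: the final glyph pins the length mod 4.
    for true_len in (9, 10):
        seen = final_glyph(true_len, start=0)
        print(true_len, repr(seen), candidate_lengths(seen, 6, 12, start=0))
    # Random start per prompt: every length in the range stays possible.
    print(candidate_lengths(prompt_feedback(9), 6, 12))
```

The random offset only protects against someone reading the final screen state; an observer who counts glyph changes while the password is typed still learns the length.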