Login vs. typeahead
Ken Lerman
lerman at stpstn.UUCP
Fri Nov 16 01:11:45 AEST 1990
In article <1990Nov13.233329.8736 at athena.mit.edu> jik at athena.mit.edu (Jonathan I. Kamens) writes:
->In article <1990Nov13.182623.18967 at smsc.sony.com>, dce at smsc.sony.com (David Elliott) writes:
->|> ... if a user tries to do this, some or all of
->|> the password they type is displayed on the screen, and then this data
->|> is ignored by getpass(), which flushes the input before it reads.
->|>
->|> What I would like to know is if there is a good reason for the current
->|> behavior, and if changing this behavior might in some way compromise
->|> the security of the system.
->
-> The flushing of typeahead is meant to prevent people from doing exactly what
->you describe. Allowing the first characters of your password to be displayed
->on the screen as you type them is a Bad Idea (tm) and a clear security
->problem. If the login program doesn't accept input typed before echoing is
->turned off, then people have an incentive not to type any input before echoing
->is turned off.
->
->--
->Jonathan Kamens USnail:
->MIT Project Athena 11 Ashford Terrace
->jik at Athena.MIT.EDU Allston, MA 02134
->Office: 617-253-8085 Home: 617-782-0710
Is there any reason why one couldn't build a login program which
always has echo turned off (and did a manual echo)? I understand that
the echoing would be slower, but the problem of echoed passwords would
be solved. Would that be acceptable?
Ken
More information about the Comp.unix.misc
mailing list