Re: [Mutt] #2987: Terminal bell when you hit backspace in an empty



On 2007-11-11 10:33:17 -0000, Mutt wrote:
> #2987: Terminal bell when you hit backspace in an empty password field
> 
>  When you hit backspace in an empty password field (tested when logging in
>  to an imap folder), it sounds the terminal bell. This is a handy feature
>  for knowing when you've completely erased the wrong password, but it's
>  also a security issue, albeit very minor. An attacker could theoretically
>  learn the number of characters in a password by remembering how many times
>  a person hits backspace before the terminal bell sounds, however unlikely
>  this may be. Other programs, like ssh and mysql (with the -p flag) don't
>  have this functionality.

In the same way, the attacker could already know the number of
characters before you hit the backspace key. Moreover the correct and
incorrect passwords can also have a different number of characters.
So, I doubt the terminal bell is a security issue here. BTW, the user
can also press the backspace key and wait for the terminal bell (thanks
to the autorepeat feature). And since the terminal bell can be useful
(i.e. the user knows he has erased all the password -- FYI, I use the
visual bell), this feature shouldn't be removed.

-- 
Vincent Lefèvre <vincent@xxxxxxxxxx> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)
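
The behaviour discussed in this thread, as an added example (not mutt's code and not part of either message): a minimal C model of a non-echoing password field, where `pw_field`, `pw_feed` and `backspaces_until_bell` are hypothetical names and the input string is constructed. It shows that with the bell enabled the number of silent backspaces equals the length of what was typed, and that staying silent on an empty field removes that signal.

```c
#include <stdio.h>
#include <string.h>

#define BEL '\a'
#define KEY_BACKSPACE 0x7f

/* Hypothetical non-echoing input field: typed characters are never displayed. */
struct pw_field {
    char buf[128];
    size_t len;
    int bell_on_empty;   /* 1 = behaviour reported in ticket #2987 */
};

/* Feed one key. Returns the byte written to the terminal, or 0 for none. */
static int pw_feed(struct pw_field *f, int key)
{
    if (key == KEY_BACKSPACE || key == '\b') {
        if (f->len > 0) {
            f->buf[--f->len] = '\0';        /* erase one character silently */
            return 0;
        }
        return f->bell_on_empty ? BEL : 0;  /* field already empty */
    }
    if (f->len + 1 < sizeof f->buf) {       /* keep room for the terminator */
        f->buf[f->len++] = (char)key;
        f->buf[f->len] = '\0';
    }
    return 0;
}

/* Type `typed`, then press backspace up to max_presses times.
 * Returns how many presses came before the bell, or -1 if it never rang. */
int backspaces_until_bell(const char *typed, int bell_on_empty, int max_presses)
{
    struct pw_field f;
    memset(&f, 0, sizeof f);
    f.bell_on_empty = bell_on_empty;
    for (const char *p = typed; *p; p++)
        pw_feed(&f, (unsigned char)*p);
    for (int i = 0; i < max_presses; i++)
        if (pw_feed(&f, KEY_BACKSPACE) == BEL)
            return i;
    return -1;
}

int main(void)
{
    const char *sample = "hunter2";         /* constructed sample input */
    printf("bell on empty: %d\n", backspaces_until_bell(sample, 1, 32));
    printf("silent:        %d\n", backspaces_until_bell(sample, 0, 32));
    return 0;
}
```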