
Re: [Mutt] #2987: Terminal bell when you hit backspace in an empty



#2987: Terminal bell when you hit backspace in an empty password field

Comment (by Vincent Lefevre):

 {{{
 On 2007-11-11 10:33:17 -0000, Mutt wrote:
 > #2987: Terminal bell when you hit backspace in an empty password field
 >
 >  When you hit backspace in an empty password field (tested when logging in
 >  to an imap folder), it sounds the terminal bell. This is a handy feature
 >  for knowing when you've completely erased the wrong password, but it's
 >  also a security issue, albeit very minor. An attacker could theoretically
 >  learn the number of characters in a password by remembering how many times
 >  a person hits backspace before the terminal bell sounds, however unlikely
 >  this may be. Other programs, like ssh and mysql (with the -p flag) don't
 >  have this functionality.

 In the same way, the attacker could already know the number of
 characters before you hit the backspace key. Moreover the correct and
 incorrect passwords can also have a different number of characters.
 So, I doubt the terminal bell is a security issue here. BTW, the user
 can also press the backspace key and wait for the terminal bell (thanks
 to the autorepeat feature). And since the terminal bell can be useful
 (i.e. the user knows he has erased all the password -- FYI, I use the
 visual bell), this feature shouldn't be removed.
 }}}

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/2987#comment:>