Re: [Mutt] #2987: Terminal bell when you hit backspace in an empty
#2987: Terminal bell when you hit backspace in an empty password field
Comment (by Vincent Lefevre):
{{{
On 2007-11-11 10:33:17 -0000, Mutt wrote:
> #2987: Terminal bell when you hit backspace in an empty password field
>
> When you hit backspace in an empty password field (tested when logging in
> to an imap folder), it sounds the terminal bell. This is a handy feature
> for knowing when you've completely erased the wrong password, but it's
> also a security issue, albeit very minor. An attacker could theoretically
> learn the number of characters in a password by remembering how many times
> a person hits backspace before the terminal bell sounds, however unlikely
> this may be. Other programs, like ssh and mysql (with the -p flag) don't
> have this functionality.

In the same way, the attacker could already know the number of
characters before you hit the backspace key. Moreover the correct and
incorrect passwords can also have a different number of characters.
So, I doubt the terminal bell is a security issue here. BTW, the user
can also press the backspace key and wait for the terminal bell (thanks
to the autorepeat feature). And since the terminal bell can be useful
(i.e. the user knows he has erased all the password -- FYI, I use the
visual bell), this feature shouldn't be removed.
}}}
--
Ticket URL: <http://dev.mutt.org/trac/ticket/2987#comment:>