http://cgit.freedesktop.org/xorg/app/xdm/commit/?id=8463017f7de43fe0a8ec144faca6bbf43168ebf9 introduced a change which does give away the password length -- even if not as blatantly as usual. Still, it's a step backwards. Please, get rid of it or make it configurable at least. The related Debian bug is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=575486. Thanks.
Really, someone close enough to count the number of pixels can count the number of times they heard your fingers press a key down - I can't get excited about this as a huge information leak. That said, I've been thinking about getting rid of this code anyway now that we have password asterisks for feedback, so it may go away or become configurable at some point.
I mostly agree, but still wanted to relay the request. Your plan sounds perfectly good, thanks!
Will be fixed by this pair of patches submitted to xorg-devel for review: http://patchwork.freedesktop.org/patch/4181/ http://patchwork.freedesktop.org/patch/4182/ Those who want a moving cursor after these patches can simply set: xlogin*echoPasswd: true xlogin*echoPasswdChar: in their Xresources to have a space for the echoed character.
Revised fix pushed to git master: http://cgit.freedesktop.org/xorg/app/xdm/commit/?id=3297eb892017c850f25d3dc4a37095612a20a381 Now default is no response, previous behavior can be restored by: xlogin*echoPasswd: true xlogin*echoPasswdChar: (i.e. a blank echo character)
Thanks for this feature!
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.