http://cgit.freedesktop.org/xorg/app/xdm/commit/?id=8463017f7de43fe0a8ec144faca6bbf43168ebf9 introduced a change which does give away the password length -- even if not as blatantly as usual. Still, it's a step backwards. Please, get rid of it or make it configurable at least. The related Debian bug is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=575486. Thanks.
Really, someone close enough to count the number of pixels can count the
number of times they heard your fingers press a key down - I can't get
excited about this as a huge information leak. That said, I've been
thinking about getting rid of this code anyway now that we have password
asterisks for feedback, so it may go away or become configurable at some
I mostly agree, but still wanted to relay the request. Your plan sounds perfectly good, thanks!
Will be fixed by this pair of patches submitted to xorg-devel for review:
Those who want a moving cursor after these patches can simply set:
in their Xresources to have a space for the echoed character.
Revised fix pushed to git master:
Now default is no response, previous behavior can be restored by:
(i.e. a blank echo character)
Thanks for this feature!