unofficial mirror of emacs-devel@gnu.org 
* better than read-hide-char
@ 2018-07-31  2:25 Richard Stallman
  2018-07-31  7:18 ` Andreas Schwab
                   ` (3 more replies)
  0 siblings, 4 replies; 16+ messages in thread
From: Richard Stallman @ 2018-07-31  2:25 UTC (permalink / raw)
  To: emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

How about a feature whereby instead of ******************* or .............
the password echoes as 012345678901234567890123456789...
That way, you could tell how many characters you have successfully typed
even when they are 20, 30, 40, 50, 60 or 70 characters.
That would help people notice some mistakes in long passwords.

-- 
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)






* Re: better than read-hide-char
  2018-07-31  2:25 better than read-hide-char Richard Stallman
@ 2018-07-31  7:18 ` Andreas Schwab
  2018-07-31 15:08   ` Drew Adams
  2018-08-01  4:31   ` Richard Stallman
  2018-07-31  9:25 ` Simon Leinen
                   ` (2 subsequent siblings)
  3 siblings, 2 replies; 16+ messages in thread
From: Andreas Schwab @ 2018-07-31  7:18 UTC (permalink / raw)
  To: Richard Stallman; +Cc: emacs-devel

On Jul 30 2018, Richard Stallman <rms@gnu.org> wrote:

> How about a feature whereby instead of ******************* or .............
> the password echoes as 012345678901234567890123456789...
> That way, you could tell how many characters you have successfully typed
> even when they are 20, 30, 40, 50, 60 or 70 characters.
> That would help people notice some mistakes in long passwords.

Another feature would be to temporarily unhide the input.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."




* Re: better than read-hide-char
  2018-07-31  2:25 better than read-hide-char Richard Stallman
  2018-07-31  7:18 ` Andreas Schwab
@ 2018-07-31  9:25 ` Simon Leinen
  2018-07-31 13:47 ` Stefan Monnier
  2018-07-31 16:10 ` Clément Pit-Claudel
  3 siblings, 0 replies; 16+ messages in thread
From: Simon Leinen @ 2018-07-31  9:25 UTC (permalink / raw)
  To: rms; +Cc: Emacs developers


> How about a feature whereby instead of ******************* or .............
> the password echoes as 012345678901234567890123456789...
> That way, you could tell how many characters you have successfully typed
> even when they are 20, 30, 40, 50, 60 or 70 characters.
> That would help people notice some mistakes in long passwords.

I would appreciate such a feature, or anything that tells me in real time
how many characters of password I have typed. Whether you start counting
from 0 or from 1 is a matter of preference. Maybe that should be
customizable.
-- 
Simon.



* Re: better than read-hide-char
  2018-07-31  2:25 better than read-hide-char Richard Stallman
  2018-07-31  7:18 ` Andreas Schwab
  2018-07-31  9:25 ` Simon Leinen
@ 2018-07-31 13:47 ` Stefan Monnier
  2018-08-01  4:29   ` Richard Stallman
                     ` (2 more replies)
  2018-07-31 16:10 ` Clément Pit-Claudel
  3 siblings, 3 replies; 16+ messages in thread
From: Stefan Monnier @ 2018-07-31 13:47 UTC (permalink / raw)
  To: emacs-devel

> the password echoes as 012345678901234567890123456789...
> That way, you could tell how many characters you have successfully typed
> even when they are 20, 30, 40, 50, 60 or 70 characters.
> That would help people notice some mistakes in long passwords.

Sure.  Another option would be the patch below.
BTW, for those who like to have their password sanity-checked locally
before they press RET, it even displays some kind of short hash ;-)


        Stefan


PS: Adding a command to temporarily reveal the password is also a small
matter of programming.


diff --git a/lisp/subr.el b/lisp/subr.el
index 5b38c4d42e..d93b97a7c4 100644
--- a/lisp/subr.el
+++ b/lisp/subr.el
@@ -2452,11 +2452,19 @@
               (message "Password not repeated accurately; please start over")
               (sit-for 1))))
         success)
-    (let ((hide-chars-fun
+    (let* (ol
+           (hide-chars-fun
            (lambda (beg end _len)
              (clear-this-command-keys)
              (setq beg (min end (max (minibuffer-prompt-end)
                                      beg)))
+              (move-overlay ol (point-max) (point-max))
+              (let ((len (- (point-max) (minibuffer-prompt-end)))
+                    (hash (md5 (minibuffer-contents-no-properties))))
+                (overlay-put ol 'after-string
+                             (if (> len 1)
+                                 (format "  [%d chars, #%s]"
+                                         len (substring hash 0 4)))))
              (dotimes (i (- end beg))
                (put-text-property (+ i beg) (+ 1 i beg)
                                   'display (string (or read-hide-char ?.))))))
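Review bot: the `after-string` built in this hunk, `(format "  [%d chars, #%s]" len (substring hash 0 4))`, puts the first 16 bits of `(md5 (minibuffer-contents-no-properties))` on screen after every change, and because `hide-chars-fun` runs from `after-change-functions` that is a digest of every prefix of the password as it is typed, not only of the final value. A 16-bit digest over the 95 printable characters leaves almost no ambiguity about which character was just added, so anyone who can see or record the minibuffer (shared screen, screencast, shoulder surfing) gets a per-prefix oracle that undoes the point of masking the input. Suggest dropping the `hash` binding and the `#%s` part and keeping only the `%d chars` count, which is what the thread asked for; if a local sanity check of the whole password is wanted, compute it once on RET rather than on each keystroke.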
@@ -2471,6 +2479,7 @@ read-passwd
             (use-local-map read-passwd-map)
             (setq-local inhibit-modification-hooks nil) ;bug#15501.
 	    (setq-local show-paren-mode nil)		;bug#16091.
+            (setq ol (make-overlay (point-max) (point-max) nil t t))
             (add-hook 'after-change-functions hide-chars-fun nil 'local))
         (unwind-protect
             (let ((enable-recursive-minibuffers t)
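Review bot: `(setq ol (make-overlay (point-max) (point-max) nil t t))` creates the overlay in the minibuffer setup hook, but nothing deletes it. The minibuffer buffer is reused by later minibuffer sessions and an overlay keeps its `after-string` even after the text it spans is erased, so the last "[N chars, #xxxx]" annotation, digest included, can linger into the next prompt. Add `(when ol (delete-overlay ol))` to the cleanup form of the `unwind-protect` that follows this hunk (the `when` guards the case where the setup hook never ran), next to whatever the existing cleanup already does.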





* RE: better than read-hide-char
  2018-07-31  7:18 ` Andreas Schwab
@ 2018-07-31 15:08   ` Drew Adams
  2018-07-31 15:15     ` Andreas Schwab
  2018-08-01  4:31   ` Richard Stallman
  1 sibling, 1 reply; 16+ messages in thread
From: Drew Adams @ 2018-07-31 15:08 UTC (permalink / raw)
  To: Andreas Schwab, Richard Stallman; +Cc: emacs-devel

> > How about a feature whereby instead of ******************* or .............
> > the password echoes as 012345678901234567890123456789...
> > That way, you could tell how many characters you have successfully typed
> > even when they are 20, 30, 40, 50, 60 or 70 characters.
> > That would help people notice some mistakes in long passwords.

Sounds good to me. But maybe can see a downside?

> Another feature would be to temporarily unhide the input.

A user deserves feedback for whether a key actually was depressed sufficiently, i.e., whether Emacs received it. That's the reason for showing *** or ....




* Re: better than read-hide-char
  2018-07-31 15:08   ` Drew Adams
@ 2018-07-31 15:15     ` Andreas Schwab
  2018-07-31 15:41       ` Drew Adams
  0 siblings, 1 reply; 16+ messages in thread
From: Andreas Schwab @ 2018-07-31 15:15 UTC (permalink / raw)
  To: Drew Adams; +Cc: Richard Stallman, emacs-devel

On Jul 31 2018, Drew Adams <drew.adams@oracle.com> wrote:

>> Another feature would be to temporarily unhide the input.
>
> A user deserves feedback for whether a key actually was depressed sufficiently, i.e., whether Emacs received it. That's the reason for showing *** or ....

But that hides the input, so if you want to verify it it needs to be
unhidden.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."




* RE: better than read-hide-char
  2018-07-31 15:15     ` Andreas Schwab
@ 2018-07-31 15:41       ` Drew Adams
  0 siblings, 0 replies; 16+ messages in thread
From: Drew Adams @ 2018-07-31 15:41 UTC (permalink / raw)
  To: Andreas Schwab; +Cc: Richard Stallman, emacs-devel

> >> Another feature would be to temporarily unhide the input.
> > A user deserves feedback for whether a key actually was depressed
> 
> But that hides the input, so if you want to verify it it needs to be unhidden.

Sorry. I misread what you wrote. I thought you said "hide", not "unhide".
I thought you meant just not provide any feedback. Sorry for the noise.




* Re: better than read-hide-char
  2018-07-31  2:25 better than read-hide-char Richard Stallman
                   ` (2 preceding siblings ...)
  2018-07-31 13:47 ` Stefan Monnier
@ 2018-07-31 16:10 ` Clément Pit-Claudel
  2018-07-31 20:17   ` Stefan Monnier
  3 siblings, 1 reply; 16+ messages in thread
From: Clément Pit-Claudel @ 2018-07-31 16:10 UTC (permalink / raw)
  To: emacs-devel

On 2018-07-30 22:25, Richard Stallman wrote:
> How about a feature whereby instead of ******************* or .............
> the password echoes as 012345678901234567890123456789...
> That way, you could tell how many characters you have successfully typed
> even when they are 20, 30, 40, 50, 60 or 70 characters.
> That would help people notice some mistakes in long passwords.

This sounds like a good idea, but I think it'd be even better to put that information in the modeline of the window above the minibuffer, rather than in the minibuffer itself. Something like this, partly copied from eldoc:

(progn
  (defvar passwd-mode-line nil)
  (put 'passwd-mode-line 'risky-local-variable t)

  (minibuffer-with-setup-hook
      (lambda ()
        (add-hook 'minibuffer-exit-hook (lambda () (setq passwd-mode-line nil)) nil t)
        (let ((prefix-len (buffer-size)))
          (with-current-buffer
              (window-buffer
               (or (window-in-direction 'above (minibuffer-window))
                   (minibuffer-selected-window)
                   (get-largest-window)))
            (when mode-line-format
              (unless (and (listp mode-line-format)
                           (assq 'passwd-mode-line mode-line-format))
                (setq mode-line-format
                      `("" (passwd-mode-line passwd-mode-line) ,mode-line-format))))
            (setq passwd-mode-line
                  (concat (make-string (1+ prefix-len) ?\s)
                          "0123456789012345678901234567890"))
            (force-mode-line-update))))
    (read-passwd "Test: ")))

Clément.




* Re: better than read-hide-char
  2018-07-31 16:10 ` Clément Pit-Claudel
@ 2018-07-31 20:17   ` Stefan Monnier
  2018-08-01 14:59     ` Clément Pit-Claudel
  0 siblings, 1 reply; 16+ messages in thread
From: Stefan Monnier @ 2018-07-31 20:17 UTC (permalink / raw)
  To: emacs-devel

> This sounds like a good idea, but I think it'd be even better to put
> that information in the modeline of the window above the minibuffer,
> rather than in the minibuffer itself.

My minibuffer lives in its own frame, with no obvious "window above".

[ At startup, there is no modeline at all.  Admittedly, by the time
  read-passwd gets called, there will probably be some frame displaying
  a window with modeline somewhere, but the point is that there's no
  clear modeline attached to the minibuffer, in general.  ]


        Stefan





* Re: better than read-hide-char
  2018-07-31 13:47 ` Stefan Monnier
@ 2018-08-01  4:29   ` Richard Stallman
  2018-08-01 15:48   ` Davis Herring
  2019-03-02 21:58   ` Juri Linkov
  2 siblings, 0 replies; 16+ messages in thread
From: Richard Stallman @ 2018-08-01  4:29 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

I correct my previous suggestion.  To make the echoed numbers
match the last digit of the length thus far, they should start with 1.

I like your idea too.

-- 
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)






* Re: better than read-hide-char
  2018-07-31  7:18 ` Andreas Schwab
  2018-07-31 15:08   ` Drew Adams
@ 2018-08-01  4:31   ` Richard Stallman
  1 sibling, 0 replies; 16+ messages in thread
From: Richard Stallman @ 2018-08-01  4:31 UTC (permalink / raw)
  To: Andreas Schwab; +Cc: emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > Another feature would be to temporarily unhide the input.

This would be useful, if it happens only when you type a command
to make it happen.

-- 
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)






* Re: better than read-hide-char
  2018-07-31 20:17   ` Stefan Monnier
@ 2018-08-01 14:59     ` Clément Pit-Claudel
  2018-08-01 15:21       ` Stefan Monnier
  0 siblings, 1 reply; 16+ messages in thread
From: Clément Pit-Claudel @ 2018-08-01 14:59 UTC (permalink / raw)
  To: emacs-devel

On 2018-07-31 16:17, Stefan Monnier wrote:
>> This sounds like a good idea, but I think it'd be even better to put
>> that information in the modeline of the window above the minibuffer,
>> rather than in the minibuffer itself.
> 
> My minibuffer lives in its own frame, with no obvious "window above".
> 
> [ At startup, there is no modeline at all.  Admittedly, by the time
>   read-passwd gets called, there will probably be some frame displaying
>   a window with modeline somewhere, but the point is that there's no
>   clear modeline attached to the minibuffer, in general.  ]

Sure, but we don't necessarily need it to work in all cases.
How does eldoc do in your case?

Clément.




* Re: better than read-hide-char
  2018-08-01 14:59     ` Clément Pit-Claudel
@ 2018-08-01 15:21       ` Stefan Monnier
  0 siblings, 0 replies; 16+ messages in thread
From: Stefan Monnier @ 2018-08-01 15:21 UTC (permalink / raw)
  To: emacs-devel

> How does eldoc do in your case?

Poorly, but bearable.


        Stefan





* Re: better than read-hide-char
  2018-07-31 13:47 ` Stefan Monnier
  2018-08-01  4:29   ` Richard Stallman
@ 2018-08-01 15:48   ` Davis Herring
  2018-08-01 16:15     ` Stefan Monnier
  2019-03-02 21:58   ` Juri Linkov
  2 siblings, 1 reply; 16+ messages in thread
From: Davis Herring @ 2018-08-01 15:48 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: Emacs development discussions

> Sure.  Another option would be the patch below.
> BTW, for those who like to have their password sanity-checked locally
> before they press RET, it even displays some kind of short hash ;-)

Doesn't displaying even 16 bits of any hash of each prefix of the 
password leak those prefixes, each guided by the last?

Here is a lookup table based on the first 12 bits of the MD5 hash of 
each ASCII printing character:

01a #
021 X
03c s
0bc %
0cc a
0d6 C
0fb ]
167 6
21c Z
251 h
26b +
28d \
2db l
336 -
338 *
359 '
363 j
3a3 E
415 y
43e =
44c P
45c 9
4a8 c
4b4 r
4c6 U
4c7 ~
505 .
518 @
520 V
524 <
57c Y
5db S
61e W
666 /
696 M
6cf &
6f8 m
721 (space)
769 q
7b7 u
7b8 n
7e6 ^
7fc A
800 F
815 [
827 d
833 `
838 p
84c (
853 :
865 i
8ce k
8d9 N
8f1 7
8fa f
903 !
92e b
937 )
9d5 B
9dd x
9e3 v
9ee ;
a5f K
a87 4
b14 _
b15 "
b2f g
b99 |
b9e T
c0c ,
c1d H
c3e $
c4c 1
c81 2
c9f 8
cbb }
ced >
cfc 0
d14 ?
d20 L
d95 o
dd7 I
dfc G
e16 e
e1e R
e35 t
e4d 5
ecc 3
f09 Q
f12 w
f18 O
f62 D
f95 {
fba z
ff4 J

And, supposing the first hash is c3e... (i.e., the first character is 
$), here's the next table:

033 $2
06d $1
099 $3
0b3 $J
0bf $(
0d5 $e
0f5 $O
115 $@
134 $T
141 $[
172 $4
19c $'
1d0 $%
1dc $|
20c $S
20f $d
213 $=
24d $l
2a0 $p
2a1 $Q
2fb $, or $H
30b $t
359 $.
36a $y
36b $/
39a $Y
3cb $s
3e3 $c
3e4 $D
459 $+
474 $X
481 $-
4f3 $7
52d $a
588 $$
601 $h
620 ${
6b5 $P
6b6 $f
6bf $Z
6c0 $`
71e $C
798 $F
7a4 $I
7d4 $R
7dc $~
867 $K
86c $8
870 $5
872 $x
884 $!
89f $M
926 $>
934 $L
953 $z
993 $:
a09 $k
a0f $&
a16 $i
a3d $v
a7b $j
aa7 $r
ae9 $o
b05 $]
b3e $6
b89 $A or $?
bea $"
c4a $u
c6a $*
c6e $(space)
d0a $0
d38 $U
d3f $w
d72 $9
da3 $b
dd9 $W
de8 $B
e19 $#
e25 $N
e31 $^
e33 $G
e4a $n
e4d $E
e6e $\
e77 $V
eb6 $q
edc $_
f08 $;
f46 $g
f52 $m
f78 $<
fa1 $}
fc0 $)

The two collisions are resolved by the remaining 4 bits displayed by 
that patch.

Davis

-- 
This product is sold by volume, not by mass.  If it appears too dense or 
too sparse, it is because mass-energy conversion has occurred during 
shipping.
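Davis's tables can be regenerated, and the leak they describe measured, with the Python below. This is an added example, not code from the thread or from Emacs: the names `PRINTABLE`, `digest_prefix`, `patch_annotation`, `candidate_table`, `max_candidates` and `render_table` are chosen here, the 16-bit width comes from `(substring hash 0 4)` in Stefan's patch, the 12-bit width from Davis's tables, and the partial password in the demo is constructed.

```python
import hashlib
from typing import Dict, List, Optional

# The 95 printable ASCII characters (space through '~'): the alphabet
# Davis's tables enumerate for the next character of the password.
PRINTABLE: List[str] = [chr(c) for c in range(0x20, 0x7F)]


def digest_prefix(text: str, bits: int) -> str:
    """First BITS bits of MD5(text) as hex digits (BITS must be a multiple of 4).

    Stefan's patch displays (substring hash 0 4), i.e. 16 bits; Davis's
    tables key on 12 bits (three hex digits)."""
    if bits % 4 != 0:
        raise ValueError("bits must be a multiple of 4")
    return hashlib.md5(text.encode("ascii")).hexdigest()[: bits // 4]


def patch_annotation(partial: str) -> Optional[str]:
    """What the patched read-passwd would append after the masked input.

    Mirrors (format "  [%d chars, #%s]" len (substring hash 0 4)); the patch
    only produces it once more than one character has been typed."""
    if len(partial) <= 1:
        return None
    return "  [%d chars, #%s]" % (len(partial), digest_prefix(partial, 16))


def candidate_table(known_prefix: str, bits: int) -> Dict[str, List[str]]:
    """Davis's lookup table: truncated digest -> characters that could follow
    KNOWN_PREFIX.  Buckets holding more than one character are the collisions
    he mentions (two of them for the prefix "$" at 12 bits)."""
    table: Dict[str, List[str]] = {}
    for ch in PRINTABLE:
        table.setdefault(digest_prefix(known_prefix + ch, bits), []).append(ch)
    return table


def max_candidates(known_prefix: str, bits: int) -> int:
    """Largest bucket size, i.e. the most ambiguity an observer is ever left
    with about the next character after seeing a BITS-bit digest."""
    return max(len(chars) for chars in candidate_table(known_prefix, bits).values())


def render_table(known_prefix: str, bits: int) -> str:
    """Render the table in the same sorted 'digest chars' layout as the mail."""
    table = candidate_table(known_prefix, bits)
    lines = []
    for digest in sorted(table):
        lines.append("%s %s" % (digest, " or ".join(known_prefix + c for c in table[digest])))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed partial password; only the per-prefix annotations matter.
    partial = "$ecret"
    for i in range(1, len(partial) + 1):
        prefix = partial[:i]
        print(
            "%-8r shown: %-22s candidates for last char at 12/16 bits: %d / %d"
            % (prefix, patch_annotation(prefix),
               max_candidates(prefix[:-1], 12), max_candidates(prefix[:-1], 16))
        )
    print(render_table("", 12))
```

The `max_candidates` figure is the quantity Davis's argument turns on: at 12 bits the first-character table already has 95 distinct keys, and the 16 bits the patch actually displays remove the two collisions of his "$" table, so each annotation narrows the just-typed character to one candidate. The character count alone, which is what RMS asked for, carries none of this information.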




* Re: better than read-hide-char
  2018-08-01 15:48   ` Davis Herring
@ 2018-08-01 16:15     ` Stefan Monnier
  0 siblings, 0 replies; 16+ messages in thread
From: Stefan Monnier @ 2018-08-01 16:15 UTC (permalink / raw)
  To: emacs-devel

> Doesn't displaying even 16 bits of any hash of each prefix of the password
> leak those prefixes, each guided by the last?

No doubt.  IOW it's probably a bad idea.


        Stefan





* Re: better than read-hide-char
  2018-07-31 13:47 ` Stefan Monnier
  2018-08-01  4:29   ` Richard Stallman
  2018-08-01 15:48   ` Davis Herring
@ 2019-03-02 21:58   ` Juri Linkov
  2 siblings, 0 replies; 16+ messages in thread
From: Juri Linkov @ 2019-03-02 21:58 UTC (permalink / raw)
  To: emacs-devel

> PS: Adding a command to temporarily reveal the password is also a small
> matter of programming.
>
> diff --git a/lisp/subr.el b/lisp/subr.el
> index 5b38c4d42e..d93b97a7c4 100644
> --- a/lisp/subr.el
> +++ b/lisp/subr.el
> @@ -2452,11 +2452,19 @@
>                (message "Password not repeated accurately; please start over")
>                (sit-for 1))))
>          success)
> -    (let ((hide-chars-fun
> +    (let* (ol
> +           (hide-chars-fun

Maybe hide-chars-fun should be customizable?  This would allow adding
an option to temporarily reveal the password instead of patching the
implementation like:

diff --git a/lisp/subr.el b/lisp/subr.el
index 5b0330745f..14bd601e71 100644
--- a/lisp/subr.el
+++ b/lisp/subr.el
@@ -2320,6 +2320,11 @@ read-passwd-map
     map)
   "Keymap used while reading passwords.")
 
+(defcustom read-passwd-hide-delay 0.3
+  "Time delay before hiding typed password chars."
+  :type 'number
+  :group 'display)
+
 (defun read-passwd (prompt &optional confirm default)
   "Read a password, prompting with PROMPT, and return it.
 If optional CONFIRM is non-nil, read the password twice to make sure.
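Review bot: the docstring of `read-passwd-hide-delay` should state the unit (seconds) and, more importantly, what the option trades away: any positive value leaves each typed character in cleartext on screen until the timer fires, and with `0.3` as the default that becomes the behaviour of every existing `read-passwd` caller. Suggest a default that preserves immediate hiding (for example `nil`, documented as "hide at once", with the hook only scheduling a timer when the value is a number) so the exposure is opt-in, and `:group 'minibuffer` fits a `read-passwd` option better than `:group 'display`.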
@@ -2346,12 +2351,20 @@ read-passwd
         success)
     (let ((hide-chars-fun
            (lambda (beg end _len)
-             (clear-this-command-keys)
-             (setq beg (min end (max (minibuffer-prompt-end)
-                                     beg)))
-             (dotimes (i (- end beg))
-               (put-text-property (+ i beg) (+ 1 i beg)
-                                  'display (string (or read-hide-char ?*))))))
+             (let ((minibuf (current-buffer)))
+               (run-with-timer
+                read-passwd-hide-delay
+                nil
+                (lambda ()
+                  (clear-this-command-keys)
+                  (when (buffer-live-p minibuf)
+                    (with-current-buffer minibuf
+                      (setq beg (min end (max (minibuffer-prompt-end) beg)))
+                      (setq end (min end (point-max)))
+                      (dotimes (i (- end beg))
+                        (put-text-property (+ i beg) (+ 1 i beg)
+                                           'display (string (or read-hide-char ?*))
+                                           minibuf)))))))))
           minibuf)
       (minibuffer-with-setup-hook
           (lambda ()
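Review bot: moving `(clear-this-command-keys)` into the timer lambda defers it by `read-passwd-hide-delay`, so until the timer fires the typed character is still readable through `view-lossage`, and when it does fire it clears the recent-keys record and `this-command-keys` of whatever command happens to be running at that moment, which can confuse an unrelated command or keyboard macro after the user has pressed RET. Keep `(clear-this-command-keys)` as the first form of `hide-chars-fun` itself, executed synchronously as in the removed lines, and leave only the `put-text-property` work in the timer. The `(setq end (min end (point-max)))` clamp correctly handles the buffer having shrunk before the timer runs, but a character typed and then deleted inside the delay window was already visible, which is another reason to document the window in the option's docstring.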


OTOH, another useful option would be the opposite: to increase security
when necessary and obscure the number of typed characters:

diff --git a/lisp/subr.el b/lisp/subr.el
index 5c8b84b8e9..194f019ba7 100644
--- a/lisp/subr.el
+++ b/lisp/subr.el
@@ -2357,7 +2357,8 @@ read-passwd
                                      beg)))
              (dotimes (i (- end beg))
                (put-text-property (+ i beg) (+ 1 i beg)
-                                  'display (string (or read-hide-char ?*))))))
+                                  'display (make-string (1+ (random 3))
+                                                        (or read-hide-char ?*))))))
           minibuf)
       (minibuffer-with-setup-hook
           (lambda ()
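Review bot: `(make-string (1+ (random 3)) (or read-hide-char ?*))` is applied unconditionally in this hunk although the message presents it as an option; gate it on a `defcustom` (nil by default, name to be chosen) so existing callers keep one mask character per typed character. The docstring of that option should also be precise about what is and is not hidden: a static look at the minibuffer no longer reveals the exact length, but the `display` string is assigned per changed range, so an observer watching the typing still sees one new group appear per keystroke and one group vanish per DEL, and the keystroke count is unchanged. Obscuring length on screen is useful against screenshots and screen sharing, not against someone watching the input happen.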




