I am curious to know why the password characters (special characters) are not echoed when we log in to the system via a terminal.
But we can see the password characters (special characters) while we log in to the system via GUI.
The only reason I can think of is that the total number of characters in my password wouldn't be revealed to someone who's spying over my system/password.
Any suggestions/ideas?
One possible explanation is that command line logins have been around for much longer than GUIs. I think the dots that replace characters are a relatively new idea that has been implemented in GUIs. On the command line, however, nothing was originally shown and it has stayed this way over the years.
It is far more common that a user or administrator enables logging of text on a command-line, than logging of video in a GUI. Furthermore, it is very common that someone will copy text from the command line and make it available to untrusted persons. For these reasons, it would be especially bad for information about a user's password--specifically, its length--to be shown on the command line.
For example, on Ask Ubuntu we often ask people to enter commands--including commands beginning with sudo that ask for a password--and then to copy the entire contents of a terminal and add it to their questions. If the terminal showed a * for each character entered as part of a password, we would have to ask them to manually remove those lines. They might accidentally remove more, or not enough, or we might forget to ask, or they might not realize that some text they made available contained a password line.
In contrast, it's very rare for us to ask someone to make a video screen capture so we can help them with their problem, and especially rare that we would ask them to do so for any task that includes a graphical password prompt. If that were common (or if we wanted it to become common), we would have to stop showing placeholder characters for graphically entered passwords, too.
As a secondary factor, it's more important that placeholder characters be shown when entering a password graphically:
Users of consoles generally expect that they are capable of receiving text input; it is the primary and usually only kind of input they take directly from a user. In contrast, many GUIs don't accept keyboard input, or don't accept it in as predictable a way.
It's common for a GUI program to refuse to echo keyboard input when the input cannot be accepted--for example, when a user enters a letter in a text box that is intended to receive only numbers. It's easy for users to learn it's okay that nothing shows up when they enter their password in a console. It would likely be harder for people to feel comfortable seeing nothing while manipulating a graphical interface.
A graphical interface is more likely than a console to have multiple separate text elements. Echoing keyboard input is important because it clarifies which interface element within a program is receiving keyboard input. In this regard, showing stars in a password textbox may even be a security feature, in that it helps the user know they're not accidentally entering the password elsewhere.
(That's also a potential issue in a console if the console is embedded in a GUI, but less so, since the user is less likely to be mistaken about whether or not they are typing in a console window than in a new window that has just been shown to take authentication information.)
If you want asterisks to be shown as you enter your password for sudo, you can add pwfeedback to the ,-separated list of options on the Defaults line in the sudoers file.
Back in the old days IBM keyboards had great tactile feedback and loud clackety clack clack sound. You always knew when you pressed a key.
With modern keyboards, especially membrane ones, you have to sometimes look at the screen to confirm a keystroke was received.
This is even more true with touchscreen qwerty keyboards using thumbs and no vibration feedback.
So the password placeholders are a lot more important now than the late 70's when I think Unix gained traction. Even in 1991 when Linux was born I was paying $300 for the IBM 104 Key keyboard with awesome feedback. But shortly after that the cheapo disposable keyboards flooded the market.
The simple answer is that back when we had to go to a "node" to access a "terminal" in a roomful of them, you had to consider that someone next to you might be watching. Kinda like copying your homework.
Back then, the University would "charge" for your time on the system (there was no real money involved unless you were a grad student with a grant, but it limited the time students had to use before having to go mother-may-I to get more).
Thus came about the idea of hacking other people's passwords simply to get more computer time.
This is similar to what Bill Gates and Paul Allen were doing when they wrote the first BASIC for the Altair. They snuck in at night and used system consoles (no password needed) so they could get computer time to do the development of an emulator then write their interpreter then punch it on paper tape. They were using ASR-33 teletypes that ran at 110 baud.
Back to the node situation: the CRT character-based terminals didn't echo anything, or maybe they echoed *; the rationale is that it is much harder to watch your fingers on the keyboard than to read it on the screen.
The original reason that most login passwords show up as asterisks or dots as you type was so you know your keyboard is working. When you walked up to a terminal you never knew until you saw it respond. Often the room would be full of users and the one terminal that nobody was sitting at was down for some reason or other. Maybe it would work long enough to take your login name and prompt you for a password then "CP DISCONNECT" on its own (Honeywell 66/40).
I remember using LA-120 DECwriter printing terminals on a Honeywell mainframe at UACN where after you typed your password (which would print on the paper) the carriage would go back and overwrite it a few times with asterisks and hash marks so the dumpster divers couldn't get it.
The idea of having no echo at all came about so nobody can get the length of your password, which might help them guess it. They'd start with your girlfriend's name, or your pet, etc. Having the length would help if that was their approach.
sudo is used a lot more often than personal logins, and by then you know your keyboard is working, so it made sense to the developers to have no echo at all. If you get it wrong it just tells you and you try again.
Plus, sudo requires the root password, which is much more precious to a hacker than your personal login password length.
I know you wrote this question 5 years ago (it is Aug 2017 as I type), but I am describing the late 70s and early 80s. Do the math. Many moons ago.
Lots of things like this have a rich history that people never think to write about or even ask about. Most of the time people don't really think about why they are doing what they're doing. They just do things they have been taught, by rote.
Thanks for asking the question the way you did. It is rare to get to do this kind of an answer.
When I began cranking out children I discovered their favorite word was "Why?" - but people don't really use that word very much these days. So it is fun to get a chance to take a breather and remember the good old days.
It is fun to remember all the things we could get those old machines to do. Myself, I used that same behemoth to do dynamic simulations of the solar wind being affected by the earth's magnetic field and predicting where the magnetopause was where it was more affected by the interplanetary magnetic field about 80 earth radii on the back side, for instance. The results came out as large plots on paper done by a CalComp Plotter. The program took about 3 hours to run for each plot.
Also simulated forest fires and how the trees would need x number of hours to dry out and burn. Some trees were 1-hour fuels, some 10-hour, and 100-hour, etc, depending on their diameter.
Everything was in FORTRAN.
I can't help but wonder how fast it would run on these computers we have now.
Enjoy.
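The point made above about logged or copied terminal text can be checked directly. The following is an added example, not part of any of the posts: it opens a pseudo-terminal on Linux and returns what the terminal side would display, and so what a session log or copy-paste would capture, for a normal prompt, a no-echo password prompt, and a prompt that draws one * per key. The function name `screen_output` and the sample password are constructed for illustration.

```python
import os
import pty
import select
import termios

LFLAG, CC = 3, 6  # positions of c_lflag and c_cc in tcgetattr()'s list


def screen_output(typed: bytes, mode: str) -> bytes:
    """Bytes the terminal displays while `typed` + Enter is keyed in.

    mode "echo" is an ordinary prompt, "noecho" a password prompt, and
    "stars" a prompt that prints one * per key (what pwfeedback enables).
    """
    master, slave = pty.openpty()  # master: the terminal; slave: the program's tty
    try:
        attrs = termios.tcgetattr(slave)
        if mode == "echo":
            attrs[LFLAG] |= termios.ECHO | termios.ICANON
        elif mode == "noecho":
            attrs[LFLAG] = (attrs[LFLAG] | termios.ICANON) & ~termios.ECHO
        elif mode == "stars":
            # No kernel echo, and byte-at-a-time reads instead of whole lines.
            attrs[LFLAG] &= ~(termios.ECHO | termios.ICANON)
            attrs[CC][termios.VMIN], attrs[CC][termios.VTIME] = 1, 0
        else:
            raise ValueError(mode)
        termios.tcsetattr(slave, termios.TCSANOW, attrs)

        os.write(master, typed + b"\n")  # the user's keystrokes
        if mode == "stars":
            while os.read(slave, 1) != b"\n":
                os.write(slave, b"*")  # the program draws the placeholder itself
        else:
            os.read(slave, 1024)  # the program reads the whole line

        shown = b""
        while select.select([master], [], [], 0.2)[0]:
            shown += os.read(master, 1024)
        return shown.replace(b"\r", b"").replace(b"\n", b"")
    finally:
        os.close(slave)
        os.close(master)


if __name__ == "__main__":
    for mode in ("echo", "noecho", "stars"):
        # "hunter2" is a constructed sample value.
        print(mode, screen_output(b"hunter2", mode))
```

With echo off the captured output is empty, so the text stream holds neither the password nor its length; with star feedback the length is recoverable from whatever recorded the screen.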