
Below is the process I took to create a user on bash in Linux.

$ sudo useradd Alexandra
$ sudo passwd Alexandra
Enter new UNIX password: 
Enter new UNIX password: 
passwd: password updated successfully

I understand that the password shouldn't be displayed for security purposes, but what I mean is, why do asterisks (or the characters I entered) not appear?

wjandrea
Kaiylar

  • whenever you have a question about Linux the answer is *security.* – Katz Mar 06 '16 at 21:15
  • Related, on [ubuntu.se]: [Nothing shows up in the terminal when I type my password](http://askubuntu.com/a/346424/158442) – muru Mar 07 '16 at 15:36
  • IBM Notes does this weird thing where they display random asterisks for each character you type for a password. Very confusing. – Mar 07 '16 at 16:06
  • Cross-site dupe: http://ux.stackexchange.com/q/39774/11086 – wim Mar 07 '16 at 17:06
  • also related: http://security.stackexchange.com/q/35133/3945 – wim Mar 07 '16 at 17:10

3 Answers

What's the simplest way of hiding user input?

Not displaying it!

Hiding passwords when they're being typed is an old tradition. It makes sense from a security perspective in most contexts: if someone is looking over your shoulders, you don't want to make it easy to see what you're typing. (Some modern security guidelines e.g. 1 2 3 4 5 do recommend having an option to make the password visible though, because that allows the user to be able to choose more complex passwords and have confidence that they won't be spending their time fixing unseen typos. The biggest risk isn't shoulder surfing, it's brute force guessing, possibly offline.)

Having decided that the password should be hidden, the implementers had to decide how to do it. The terminal has a mode where user input is shown (echo on), and a mode where user input is not shown (echo off). The echo off mode has intrinsic existence in a way: that's the mode where the terminal doesn't do the extra work of echoing user input. This mode also has to exist for applications where typing a key doesn't insert that character, but instead invokes some application shortcut that is bound to that key. So commands like passwd just set the terminal to echo off mode while they're reading a password.

Printing asterisks for each character would require extra implementation work for only a relatively small benefit, which the implementers of the passwd command haven't felt like doing. There's no terminal mode for printing asterisks because it would be a very specialized feature, useful only when entering passwords.

By the way, if you want to see your password when changing it, you can use cat | passwd (at least on some systems — some versions of passwd require an option like cat | passwd --stdin and some don't accept this at all). (You can even do { echo 'current password'; echo 'new password'; echo 'new password'; } | passwd, but don't do that: it would save the passwords in the shell history, from which there's a lot more risk of leaking.) Arranging for that with commands that read the password from the terminal rather than whatever is their standard input, such as sudo or ssh, is more complex; if you have a GUI available, you can use ssh-askpass which does show how many characters you've typed (SUDO_ASKPASS=/usr/bin/ssh-askpass sudo -A for sudo; for ssh it's complicated when you invoke it from a terminal).

Gilles 'SO- stop being evil'
  • This is by far the best answer imo and it's actually very helpful. Thanks for clarifying my belief and expanding ^,^ deserves vote up! – DankyNanky Mar 06 '16 at 21:43
  • The terminal handler takes care of simple editing features (like backspace) and buffering the line. A line read using fgets() doesn't return until enter is pressed. So that makes printing asterisks tricky. If you were to read it one character at a time and echo asterisks you'd lose backspace functionality, or need extra effort to support it. – Jasen Mar 07 '16 at 08:16
  • When going into the history angle on this issue, I wonder how this relates to the time when tty actually referred to teletypewriter... – Jasper Mar 07 '16 at 09:43
  • There are ways to execute a command without it being stored in the command history. See for example [Execute command without keeping it in history](http://stackoverflow.com/q/8473121/486504). – user Mar 07 '16 at 12:33
  • I don't think `passwd` is always willing to [read from stdin directly](http://serverfault.com/questions/336298/can-i-change-a-user-password-in-linux-from-the-command-line-with-no-interactivit#comment331351_336306). – muru Mar 08 '16 at 01:50
  • @Gilles "Modern security guidelines do recommend having an option to make the password visible though, because that allows the user to be able to choose more complex passwords" Where should I look for such guidelines? – tsuma534 Mar 08 '16 at 10:57
  • @tsuma534 I added a few links to my answer. – Gilles 'SO- stop being evil' Mar 08 '16 at 12:02
  • @muru Works on Debian jessie, not on Ubuntu 14.04. Weird, they're only slightly different versions of the Linux shadow-utils package. – Gilles 'SO- stop being evil' Mar 08 '16 at 12:04
  • Addendum: Terminals that "do extra work" to echo user input are so-called "full duplex" terminals. In Ye Olde Days there were also "half duplex" terminals, where the character was displayed right away by the terminal upon being typed, and the OS did not send it back to the terminal for display. If I remember correctly, these terminals had no way to turn off echo. – alexis Mar 08 '16 at 14:49
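The answer above and Jasen's comment on it describe the two possibilities concretely: the terminal has an echo-off mode that passwd simply switches on, and an asterisk-echoing reader would have to take over line editing (at least backspace) itself. The program below is an added example written for this page, not code from Gilles, Jasen or the passwd implementation. It assumes a POSIX termios terminal and a readable /dev/tty; set_echo() flips the ECHO flag (the same thing `stty -echo` does), read_password() is the passwd-style reader built on it, and mask_line() is the extra bookkeeping an asterisk reader needs once ECHO and canonical line buffering are off, handling backspace/DEL and the empty-line case.

```c
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Added example (not from the original answers): the two approaches the
 * thread describes. set_echo() flips the terminal's ECHO flag, which is all
 * passwd needs; mask_line() is the extra work an asterisk-echoing reader has
 * to do itself once echo and canonical line editing are off. */

/* Turn terminal echo on or off for fd. Returns 0 on success, -1 on error. */
int set_echo(int fd, int on) {
    struct termios t;
    if (tcgetattr(fd, &t) != 0) return -1;
    if (on) t.c_lflag |= ECHO;
    else    t.c_lflag &= ~(tcflag_t)ECHO;
    return tcsetattr(fd, TCSAFLUSH, &t);
}

/* Consume key bytes as they would arrive with ICANON and ECHO off, up to and
 * excluding the first newline. Builds the password in pw and, in echo, the
 * text the program would have to print itself: one '*' per character, and
 * "\b \b" (erase one screen cell) for backspace/DEL when there is something
 * to erase. Returns the password length; both buffers are NUL-terminated. */
size_t mask_line(const char *keys, size_t nkeys,
                 char *pw, size_t pwcap, char *echo, size_t echocap) {
    size_t n = 0, e = 0;
    for (size_t i = 0; i < nkeys; i++) {
        char c = keys[i];
        if (c == '\n' || c == '\r') break;
        if (c == 0x7f || c == '\b') {            /* DEL or BS: undo last char */
            if (n > 0) {
                n--;
                if (e + 3 < echocap) { memcpy(echo + e, "\b \b", 3); e += 3; }
            }
            continue;                            /* nothing to undo: ignore */
        }
        if (n + 1 < pwcap) {                     /* keep room for the NUL */
            pw[n++] = c;
            if (e + 1 < echocap) echo[e++] = '*';
        }
    }
    pw[n] = '\0';
    echo[e] = '\0';
    return n;
}

/* Interactive reader, the passwd way: prompt on the controlling terminal,
 * read one line with echo off, restore echo afterwards. Returns the length
 * of the password read, or -1 on error. */
long read_password(const char *prompt, char *buf, size_t cap) {
    FILE *tty = fopen("/dev/tty", "r+");
    if (!tty) return -1;
    int fd = fileno(tty);
    fputs(prompt, tty);
    fflush(tty);
    if (set_echo(fd, 0) != 0) { fclose(tty); return -1; }
    long len = -1;
    if (fgets(buf, (int)cap, tty)) {
        buf[strcspn(buf, "\n")] = '\0';          /* strip the newline */
        len = (long)strlen(buf);
    }
    set_echo(fd, 1);                             /* always restore echo */
    fputc('\n', tty);                            /* echo was off, so the Enter key printed nothing */
    fclose(tty);
    return len;
}

int main(void) {
    char pw[128];
    long n = read_password("Password (nothing is echoed): ", pw, sizeof pw);
    if (n < 0) { perror("read_password"); return 1; }
    printf("read %ld characters\n", n);
    memset(pw, 0, sizeof pw);                    /* don't leave the secret in memory */
    return 0;
}
```

Run it in a terminal and type a line; nothing appears until the program prints the count, which is exactly what passwd does. Restoring ECHO on every exit path matters: a program that crashes between the two set_echo() calls leaves the shell with echo off, which is why the shell equivalents of this pattern wrap `stty -echo` in a trap.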

Because that's the way we do things in *nix land. :) It gives a little bit of extra security by not displaying a bunch of asterisks. That way, someone who sees your screen can't see the length of your password.

But I must admit it is a little bit scary not getting any feedback when you're entering a password, especially if you've got a bad keyboard. So most GUI password dialogs on *nix systems do give you some kind of feedback, e.g. using asterisks, or more commonly ⬤. And some even display each character as you type it, but then immediately replace it with a * or ⬤, but that's not so good if someone may be looking over your shoulder. Or if they have a device that can pick up & decode the video signal being sent from your computer to your monitor.

Kaiylar
PM 2Ring
  • ... with the help of `stty -echo` – Jeff Schaller Mar 06 '16 at 17:42
  • This answer is not bad, but IMHO Gilles gave the real answer. Almost certainly, the implementors weren't really thinking of "a little bit of extra security" and definitely weren't thinking of the user experience. They did it the way they did it because it was cheap and easy to do it that way. Then, later, we came to expect it to continue to work that way... – Celada Mar 06 '16 at 20:01
  • @Celada: Fair point. FWIW, I've already up-voted Gilles' excellent answer. – PM 2Ring Mar 06 '16 at 20:04
  • @Celada The added security may not have led to the original decision to display nothing, but I've always considered it a benefit, and can see how others thinking that way may have provided a good reason to keep it that way. – Monty Harder Mar 07 '16 at 15:43
  • I still prefer *nix's hidden password to Lotus Note's random number of ⬤ at each letter typed. – Aaron Mar 08 '16 at 07:57
  • I think the brief display of the last character typed is mostly a mobile approach, probably because typing on a tiny, on-screen keyboard is more error-prone. I don't think I've ever seen it in desktop applications. – Barmar Mar 09 '16 at 18:07
  • @Barmar: That makes sense. FWIW, I tried to implement that last year in Python using the Tkinter GUI, in response to a SO question, but decided to go for a slightly easier to implement solution that briefly displays all characters currently entered before replacing them with `*`. See http://stackoverflow.com/a/31637169/4014959 – PM 2Ring Mar 09 '16 at 18:25

Making the password invisible makes it more secure, as the length of the password cannot be seen by others. This avoids the risk of others trying to guess the password from its length and log in into your account.

psmears
Coder AP
  • Keyboards tend to make some amount of noise as they are used, which can be heard or recorded for later analysis to determine password length. Some keyboard models are quieter than [others](https://en.wikipedia.org/wiki/Model_M_keyboard). Also, some keys tend to make relatively distinct noises (think space bar, Enter, etc.). In this context, also consider [How critical is it to keep your password length secret?](http://security.stackexchange.com/q/92233/2138) on [security.se]. – user Mar 07 '16 at 12:37
  • @Michael Kjörling: What you said is an advanced level security and a valid point to be considered (especially for the ones whose hearing power is really good, who can get the password length through the noise of keyboards). But it is a hardware issue, which needs to be considered at hardware level and as such, now we have facility of touch screen keyboards, which do not create noise. – Coder AP Mar 07 '16 at 14:35