
Either way, password lengths are exposed in virtually all scenarios except the Unix Terminal - and have caused 0 issues in practice. The default of hiding password inputs really is useless security theater, and always has been.

The crazier part is Ubuntu using a pre-1.0 software suite instead of software that has been around for decades. The switch to Rust coreutils is far too early.



> and have caused 0 issues in practice

Do you have some data to back that up? Because I doubt it’s literally 0. I make this point because we shouldn’t talk about absolutes when discussing security.

For example, knowing a password length does make it easier to crack a password. So it’s not strictly “security theatre”.

So the real question isn’t whether it has any security benefit; it’s more whether the convenience is greater than the risk it introduces.

Framing it like this is important because for technical users like us on HN, we’d obviously mostly say the convenience is negligible and thus are more focused on the security aspect of the change.

But for the average Desktop Ubuntu user, that convenience aspect is more pronounced.

This is why you’re going to see people argue against this change on HN. Simply put, different people have different risk appetites.


Knowing password length makes it easier to crack an insecure password.

The SHA256 hash of a 6-symbol diceware password, where each symbol has its first letter capitalized and the rest lowercase, with 1! appended for compliance with misguided composition rules is 540b5417b5ecb522715fd4bb30f412912038900bd4ba949ea6130c8cb3c16012. There are 37 octets in the password. You know the length. You know the composition rules. You have an unsalted hash. It's only 77 or so bits of entropy. Get cracking, I'll wait.


Knowing that user passwords have to be manually keyed, I don’t think the average person will have a 37 character password set ;)

Typically they’re between 8 and 12 characters. They usually contain dictionary terms, with the first character capitalised and a numeric value at the end followed by an exclamation mark.

If you know a little bit of information about the individual (which you likely will if you’re in a position to shoulder surf) then you can easily guess at personal details that individual might use (kids’ names, favourite movie, sports team, that kind of stuff), which also helps narrow the search field.

Now I’m not saying that this will apply for everyone. But you can see how knowing the password length combined with another piece of information suddenly increases the statistical probability of cracking some passwords.

And this comes back to my earlier point about how security isn’t about absolutes. It’s about probabilities and risk. So there isn’t going to be a universal truth about whether this decision is correct for everyone or not.
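
An added example (mine, not from either commenter) to put numbers on the two claims above: a six-word diceware passphrase keeps its entropy whether or not its length is known, while a rule-shaped password (capitalised word, digits, “!”) loses work to a length leak. The wordlist and the target hash are constructed for the example; nothing here verifies the specific hash quoted earlier, which would need the real diceware list.

```python
import hashlib
import math

# Constructed stand-in for the dictionary terms a typical user picks; a real
# attack would use a list of thousands of words. Only the ratios matter here.
WORDLIST = ["summer", "dragon", "monkey", "football", "princess", "shadow",
            "welcome", "liverpool", "chelsea", "batman", "sunshine", "charlie"]

# The "numeric value at the end": one or two digits, then the obligatory "!".
SUFFIXES = [str(i) for i in range(10)] + [f"{i:02d}" for i in range(100)]


def diceware_bits(n_words, list_size=7776):
    """Entropy in bits of n words drawn uniformly from a diceware list.

    Capitalisation and a fixed '1!' suffix add nothing once the rule is known,
    so the passphrase in the thread is just 6 * log2(7776) bits, length or not.
    """
    return n_words * math.log2(list_size)


def rule_candidates(wordlist, length=None):
    """Yield 'Word' + digits + '!' for every word and suffix.

    If the attacker knows the password length (counted dots or asterisks),
    only candidates of exactly that length are produced.
    """
    for word in wordlist:
        for suffix in SUFFIXES:
            cand = word.capitalize() + suffix + "!"
            if length is None or len(cand) == length:
                yield cand


def search_space(wordlist, length=None):
    """Number of candidates the rule generates, with or without a known length."""
    return sum(1 for _ in rule_candidates(wordlist, length))


def bits_saved_by_length(wordlist, length):
    """How many bits of work the length leak removes from this rule-based search."""
    return math.log2(search_space(wordlist) / search_space(wordlist, length))


def crack_sha256(target_hex, wordlist, length=None):
    """Unsalted SHA-256 dictionary attack over the rule; returns the plaintext or None."""
    for cand in rule_candidates(wordlist, length):
        if hashlib.sha256(cand.encode()).hexdigest() == target_hex:
            return cand
    return None


# Constructed target: the hash of a password that fits the rule. Computed here
# rather than pasted as a literal only so the example is self-contained.
TARGET_PASSWORD = "Summer23!"
TARGET_HASH = hashlib.sha256(TARGET_PASSWORD.encode()).hexdigest()


if __name__ == "__main__":
    print(f"6-word diceware: {diceware_bits(6):.1f} bits, length known or not")
    n = len(TARGET_PASSWORD)
    print(f"rule space: {search_space(WORDLIST)} candidates; "
          f"with length {n} known: {search_space(WORDLIST, n)} "
          f"({bits_saved_by_length(WORDLIST, n):.2f} bits saved)")
    print("cracked:", crack_sha256(TARGET_HASH, WORDLIST, length=n))
```

With this toy list the length leak prunes 1320 candidates to 530, about 1.3 bits; the composition rule itself (capital, digits, “!”) is what collapses the search, and against 77 bits of passphrase entropy the length is irrelevant. Both sides of the thread are consistent with that.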


You keep talking as if visible passwords are some scary, never-tried-before thing. In reality, it's the almost universal norm, with the Unixy terminal being the only place that does anything else. When you log into your UI (on Linux, Mac, and Windows), when you access your bank website, when you go to an ATM, when you log into your email account, and so many other places - all use a normal password input that echoes some character for every input.

You also keep ignoring the fact that anyone who has access to see the length of your input in a shell has access to MUCH more useful information by watching/listening to you type.

Bottom line is that there is no realistic security loss from this, except for the most extreme contrived scenarios. While sure, this is not the best choice for 100% of users, it's still the best choice for 99.99999% of them, so it really doesn't bear discussion.


> You keep talking as if visible passwords are some scary, never-tried-before thing.

No. That’s you adding tone that wasn’t there.

> In reality, it's the almost universal norm, with the Unixy terminal being the only place that does anything else. When you log into your UI (on Linux, Mac, and Windows), when you access your bank website, when you go to an ATM, when you log into your email account, and so many other places - all use a normal password input that echoes some character for every input.

Which is exactly why I talked about the audience of the security policies and not the technology ;)

It’s the risk appetite of the users that matters more here than the technology.

> You also keep ignoring the fact that anyone who has access to see the length of your input in a shell has access to MUCH more useful information by watching/listening to you type.

I didn’t ignore that. I just didn’t address it because there is a plethora of problems with keystrokes and I didn’t want to get drawn into a debate about that specifically. But since you asked:

1. They’re not always audible. Not everyone owns a mechanical keyboard ;)

2. Backspace, Ctrl+D and so on will be keystrokes that delete some or all of the password characters.

3. Tab and Enter are also keystrokes but aren’t password characters either.

4. People are generally worse at counting sounds than counting sequences of visual clues

5. You might be watching someone on video rather than shoulder surfing so key sounds are unavailable

6. Other people might be typing in the vicinity, and picking out one typist from another is exceptionally difficult vs. reading dots on a screen.

7. Just because one thing exists, it doesn’t automatically mean everything else has no value.

I could go on. But key sounds aren’t as big a giveaway as some on here would like to claim. And they’re definitely not on a par with dots on a screen.

However, if your security model is that even the key sounds are a risk then you / your organisation should be looking at passwordless systems like certificate-based logins.

So again, notice here that I’m not talking in absolute terms but instead discussing risks and their countermeasures.

> Bottom line is that there is no realistic security loss from this, except for the most extreme contrived scenarios. While sure, this is not the best choice for 100% of users, it's still the best choice for 99.99999% of them, so it really doesn't bear discussion.

Except you are discussing it and ended up making the same point I was but expressing it like a counter argument. It would have been a whole lot easier if you’d just said “I agree” but c'est la vie.



