Someone live streaming is well attuned to the dangers of exposing personal information on screen, and will hesitate before ever typing a password while streaming. They'll either disable this feature or open a root shell before beginning their stream.

Besides, I can just amplify their stream to hear their keypresses.

This is really a non-issue, all password fields behave this way, so it's not like this is a new computer behavior. This change only aligns sudo to literally everything else.

> Someone live streaming is well attuned to the dangers of exposing personal information

You actually believe that every person in the world who shares their screen is aware of computer security best practices? Or are we only limiting this generalization to every one of the millions of YouTube/Twitch livestreamers?

> I can just amplify their stream to hear their keypresses.

Maybe if they have Cherry MX Blues? A normal keyboard would not get picked up by modern apps' recording noise suppression (the filters are designed to eliminate the sound rather than merely lower volume).

What I do believe is that every person in the world who arrives at a sudo prompt had previously entered a password into a field that echoed asterisks, and as such is prepared to appropriately conceal their password.

Why no need to make it the default? I’m all for rethinking legacy decisions.

It helps 99% of the user base and the security risk seems negligible.

Rethinking would imply there was thinking going on. This decision was made on vibes alone.

If anything, the people clinging to this snake oil security theater are the ones running on vibes alone.

I feel like livestreaming is a good example of an unusual situation where one might consider changing defaults that are otherwise good for the majority of users.

Also, I think the vulnerability of knowing that someone's password is exactly 19 characters long is low enough to be worth the tradeoff. Especially since someone on a livestream can also figure that out by listening for the keypresses.

An accessibility feature helps more people if is it is on by default.

If your sudo password can be exposed by its length then you need a longer password. Hiding the length is just security theatre.

In your specific example livestreams usually have audio so the length is already public.

Yes, this mattered when 6 character passwords were common.

There was already an option for a very long time, and in fact Mint had already changed the default since a long time ago (see e.g. https://forums.linuxmint.com/viewtopic.php?p=1572457).

Changing the default is the point, because people often just don't look into whether it's possible to configure things. They might not even get the idea that the asterisk feedback could be possible, or useful, until it's shown to them.

This is a very specific fear for a very niche sector of the userbase. sudo is the only case of a silent password I've encountered in my life and it's really uncomfortable.

How is exposing length of a password a vulnerability? My HN password is 16 characters long. Go and crack it.

Set it to 1-5 characters long, and let us know which you chose.

Why?

If I pick a random 1-5 character password out of the pool of possibilities, it's very very likely to be 5 characters, and letting you know it's not 1-4 characters does pretty much nothing to help you crack it.

If I'm acting reasonably, I don't randomize the length, I pick a length long enough for the amount of security I want, and in that situation telling you the exact length reduces that security by much less than one bit.

You're missing the point. If knowing the length of a password is helpful in cracking it, then it's already too short to be effective.

The question was:

> How is exposing length of a password a vulnerability?

You're arguing exactly the point.. knowing the length of a password is helpful in cracking it. We all agree short is bad. Depending on your threat model, you (hopefully) don't use passwords as the only verification very many places - perhaps to unlock stronger secrets (ssh keys, an account without local login that can only connect with a certificate). You'd still rather a shoulder surfer doesn't know how many characters you pressed.

Any password of a length that could feasibly be cracked by way of brute force (So up to perhaps 8?) would only save 1/N of the total time taken to crack it with N being the length if one were to know the exact length.

So yes, sure, technically there is an effect, but it's such a small effect, and only for people that should change their damn passwords already, that it's worth making the change for the improved UX.

They’d still need to have access to the device, so it shouldn’t be a problem unless other passwords are the same as your device password.

Also what demos are you doing that require sudo access to your local machine? That’s already pretty niche.

The same hackers could just listen to the key press sounds.