Adding the ability for getpass to print asterisks when password is typed #77065

Closed
@MatanyaStroh

Description

@MatanyaStroh
BPO 32884
Nosy @stevendaprano, @bitdancer, @jab, @MatanyaStroh, @Stevoisiak, @remilapeyre, @websurfer5, @akulakov

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2018-02-20.10:28:53.338>
labels = ['type-feature', 'library', '3.9']
title = 'Adding the ability for getpass to print asterisks when password is typed'
updated_at = <Date 2021-08-10.01:27:06.609>
user = 'https://github.com/MatanyaStroh'

bugs.python.org fields:

activity = <Date 2021-08-10.01:27:06.609>
actor = 'andrei.avk'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = ['Library (Lib)']
creation = <Date 2018-02-20.10:28:53.338>
creator = 'matanya.stroh'
dependencies = []
files = []
hgrepos = []
issue_num = 32884
keywords = []
message_count = 7.0
messages = ['312410', '312520', '312745', '339803', '344784', '375038', '399298']
nosy_count = 9.0
nosy_names = ['steven.daprano', 'r.david.murray', 'jab', 'matanya.stroh', 'stevoisiak', 'remi.lapeyre', 'Jeffrey.Kintscher', 'celal.sahin', 'andrei.avk']
pr_nums = []
priority = 'normal'
resolution = None
stage = None
status = 'open'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue32884'
versions = ['Python 3.9']

MatanyaStroh commented on Feb 20, 2018

@MatanyaStroh
Mannequin, Author

I saw some questions about it on Stack Overflow (links below), and I also find it very useful to have the ability to print asterisks.
Some users find it disturbing when they don't have any indication that the password is being typed, and it would be helpful to have it.

I know that it has some risk of exposing the number of chars in the password, but I think it's worth it.

When using Jupyter (notebook server is 4.3.1) the password is echoed as "*", but not in the Python IDE on Linux and Windows.

  1. https://stackoverflow.com/questions/10990998/how-to-have-password-echoed-as-asterisks
  2. https://stackoverflow.com/questions/7838564/how-to-read-password-with-echo-in-python-console-program

MatanyaStroh commented on Feb 22, 2018

@MatanyaStroh
Mannequin, Author

For getpass.win_getpass() it can simply be done by adding this line:
msvcrt.putch("*").
So the code will look like:

```python
import msvcrt  # Windows-only console I/O
import sys
from getpass import fallback_getpass


def win_getpass(prompt='Password: ', stream=None):
    """Prompt for password with echo off, using Windows getch()."""
    if sys.stdin is not sys.__stdin__:
        return fallback_getpass(prompt, stream)

    for c in prompt:
        msvcrt.putwch(c)
    pw = ""
    while 1:
        c = msvcrt.getwch()
        if c == '\r' or c == '\n':
            break
        if c == '\003':
            raise KeyboardInterrupt
        if c == '\b':
            pw = pw[:-1]
        else:
            pw = pw + c
            msvcrt.putch(b"*")  # Line that was added (msvcrt.putch() takes bytes)
    msvcrt.putwch('\r')
    msvcrt.putwch('\n')
    return pw
```

bitdancer commented on Feb 24, 2018

@bitdancer
Member

getpass is emulating the unix password prompt behavior. I'm not sure if the complication is worth it, especially since not echoing asterisks is, as you observe, fractionally more secure. So I guess I'm about -.5 on this feature.

stevoisiak commented on Apr 9, 2019

@stevoisiak
Mannequin

@matanya.stroh: Don't forget to erase the asterisks if the user hits backspace.

```python
import msvcrt  # Windows-only console I/O
import sys
from getpass import fallback_getpass


def win_getpass(prompt='Password: ', stream=None, show_asterisks=False):
    """Prompt for password with echo off, using Windows getch()."""
    if sys.stdin is not sys.__stdin__:
        return fallback_getpass(prompt, stream)

    for c in prompt:
        msvcrt.putwch(c)
    pw = ""
    while 1:
        c = msvcrt.getwch()
        if c == '\r' or c == '\n':
            break
        if c == '\003':
            raise KeyboardInterrupt
        if c == '\b':
            if len(pw) > 0:
                pw = pw[:-1]
                # Erase only when an asterisk was echoed; otherwise the
                # cursor would back up over the prompt.
                if show_asterisks:
                    msvcrt.putwch('\b')
                    msvcrt.putwch(' ')
                    msvcrt.putwch('\b')
        else:
            pw = pw + c
            if show_asterisks:
                msvcrt.putwch('*')
    msvcrt.putwch('\r')
    msvcrt.putwch('\n')
    return pw
```

Alternatively, could let the user define the masking character, similar to Tkinter's Entry widget.

```python
import msvcrt  # Windows-only console I/O
import sys
from getpass import fallback_getpass


def win_getpass(prompt='Password: ', stream=None, mask=''):
    """Prompt for password with echo off, using Windows getch()."""
    if sys.stdin is not sys.__stdin__:
        return fallback_getpass(prompt, stream)
    if len(mask) > 1:
        raise TypeError('mask argument must be a zero- or one-character str')

    for c in prompt:
        msvcrt.putwch(c)
    pw = ""
    while 1:
        c = msvcrt.getwch()
        if c == '\r' or c == '\n':
            break
        if c == '\003':
            raise KeyboardInterrupt
        if c == '\b':
            if len(pw) > 0:
                pw = pw[:-1]
                # Erase only when a mask character was echoed; otherwise
                # the cursor would back up over the prompt.
                if mask:
                    msvcrt.putwch('\b')
                    msvcrt.putwch(' ')
                    msvcrt.putwch('\b')
        else:
            pw = pw + c
            if mask:
                msvcrt.putwch(mask)
    msvcrt.putwch('\r')
    msvcrt.putwch('\n')
    return pw
```

I'm in favor of supporting masking. While it does reveal the password length, it's an accessibility feature many users have come to expect.

I'd rather have this in the standard library than have developers implement their own custom, potentially insecure methods for password input.

stevendaprano commented on Jun 6, 2019

@stevendaprano
Member

See also bpo-36566. (Thanks Cheryl.)

I think the usability improvement for this far outweighs the decrease in security.

The days where somebody looking over your shoulder watching you type your password was the major threat are long gone. Hiding the length of the password against a shoulder-surfing adversary is so-1970s :-)

For old-school Unix types we ought to default to hiding the password. But I'm +1 in allowing developers to choose to trade off a tiny decrease in security against a major increase in usability.

The bottom line is that if you have a weak password, hiding the length won't save you; if you have a strong password, hiding the length doesn't add any appreciable difficulty to the attacker.

changed the title [-]Adding the ability for getpass to print asterisks when passowrd is typed[/-] [+]Adding the ability for getpass to print asterisks when password is typed[/+] on Jun 10, 2019

websurfer5 commented on Aug 8, 2020

@websurfer5
Mannequin

This is easy to implement for Windows (as shown), but the unix implementation uses io.TextIOWrapper.readline() to get the password input. The unix implementation would have to be rewritten to provide the same functionality.
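
The per-character loop discussed in this thread, as an added example that is not code from any commenter or from CPython: the editing logic (`read_masked`, a hypothetical name) is kept apart from the terminal so it can be checked against constructed key sequences, and `posix_getpass` (also hypothetical) shows the raw-mode read a Unix version would need in place of `readline()`. It assumes stdin is the controlling terminal and does not filter escape sequences such as arrow keys.

```python
def read_masked(getch, putch, mask="*"):
    """Collect one line of secret input, echoing `mask` once per character.

    getch() returns the next key as a one-character str and putch(s) writes
    s to the terminal; both are injected so the logic runs on any platform.
    """
    if len(mask) > 1:
        raise ValueError("mask must be empty or a single character")
    pw = []
    while True:
        c = getch()
        if c in ("\r", "\n"):
            break
        if c == "\x03":                  # Ctrl-C arrives as data in raw mode
            raise KeyboardInterrupt
        if c in ("", "\x04"):            # end of input or Ctrl-D
            raise EOFError
        if c in ("\b", "\x7f"):          # Backspace: BS on Windows, DEL on most ttys
            if pw:
                pw.pop()
                if mask:                 # erase only what was actually echoed
                    putch("\b \b")
            continue
        pw.append(c)
        if mask:
            putch(mask)
    putch("\r\n")                        # raw mode does no newline translation
    return "".join(pw)


def posix_getpass(prompt="Password: ", mask="*"):
    """POSIX front end: raw mode delivers keys one at a time, unechoed."""
    import sys, termios, tty             # imported here; termios is POSIX-only
    fd = sys.stdin.fileno()
    saved = termios.tcgetattr(fd)

    def putch(s):
        sys.stdout.write(s)
        sys.stdout.flush()

    putch(prompt)
    try:
        tty.setraw(fd)
        return read_masked(lambda: sys.stdin.read(1), putch, mask)
    finally:
        # Always restore the terminal, even on Ctrl-C or EOF.
        termios.tcsetattr(fd, termios.TCSADRAIN, saved)
```

The echoed output contains exactly one mask character per accepted character, which is the length disclosure the thread weighs against usability; passing `mask=""` keeps the no-echo behaviour.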

akulakov commented on Aug 10, 2021

@akulakov
Contributor

Unfortunately modern laptop keyboards have almost no key travel and barely any tactile feedback [*]. Users on such keyboards really do need feedback for each key pressed. Not providing an option for such feedback is in effect forcing users to choose a maximally weak password.

[*] worse, a large proportion of MBP keyboards produced in the last few years have the notoriously bad 'butterfly' key design that occasionally duplicates and swallows keypresses. Yes, a trillion dollar company can't make a functional keyboard.

transferred this issue on Apr 10, 2022