Hi gurus,

In a (korn)-script the following line is put

" echo "password: "; read INPUT; if [ "" != "$INPUT" ]; then PASS=$INPUT; fi "

My aim is to hide the characters typed in on the screen as it will show ones password ;D, how to achieve this please?


Looking forward to hearing from you.

In a terminal, you can use stty to turn off echoing. Just remember to turn it on again afterwards.

Cheers for your response - so having a korn script with these lines how to implement it properly

echo "login name: "; read INPUT; if [ "" != "$INPUT" ]; then LOGIN=$INPUT; fi # this input needs to be shown on terminal
echo "password: "; read INPUT; if [ "" != "$INPUT" ]; then PASS=$INPUT; fi # input needs to be replaced with '*' on terminal

Oh, I think ksh doesn't support the -p option to read, but that's just a nicety of bash - you can simply echo the prompt, although you should send it to stderr to prevent line buffering fro hiding it until after the function completes.

cheers again but I am a little lost in the dark...

./script_test.sh

login name:
jdoe

enter a password:
password:
p1 is nostar
p2 is noway

Look at this post and see if it works for you. Change the interpreter from bash to ksh and strip out the -p option from the read statement, since it is not supported by ksh (as matthewg42 already pointed out) or better it has a different behaviour. For example you can substitute:
with

Stars no. Removing echo - yes.

Stars are a bad idea anyhow - some shoulder surfer who sneaks a peak at your fingers as you type can get extra information by counting how many characters you typed by looking as the asterisks, to validate when he thinks you typed - why give them that extra information?

The only use for asterisks which I can think of is where the password is a fixed length pin and the keys do not provide good tactile feedback - e.g. an ATM. For regular computer passwords, I think they are not a good idea.

Furthermore, AFAIK the shell doesn't provide a mechanism to do this - you can't detect raw key presses because the shell is line buffered. Either the terminal echos the typed input, or it does not.

You could write a small program to get the password with some language which direct character access to the keyboard.

A trained eye behind your shoulder could read the password from your key presses!

That reminds me of something I saw a long time ago. A Lotus Notes installation at a place I once worked did something strange when users entered their passwords... It displayed four little graphics. No asterisks, but instead these little graphics in the four corners of the password entry box.

The choice of these icons seemed somehow deterministic - with the correct password, the same icons would always be visible at the end of the entry.

Does anyone know the rationale behind this? I assumed it was some sort of confirmation that user has not fat-fingered their password, but it seems like a silly idea to me.... It occurred to me that if the icons displayed were somehow deterministic based on the entry so far, wouldn't a simple video recording of the screen as the password was entered allow an attacker to verify each keypress?

Weird!