This is minor, but can someone clarify for me why the disk encryption phrase has the option of ‘f1’ to hide the bullets?
I’m just curious what security benefit this gives, as any threat of visual collection of the number of characters is obviously nullified by the fact that you are typing the password in plain view. Is this an aesthetic choice?
I disagree with this. If you are not recorded with a camera, another person will hardly be able to count how many keys you have pressed, especially if you have many and you do it quickly.
Also, this is not Qubes-specific, since this prompt comes from Fedora that runs in dom0.
Moved to a new topic, as this was not very relevant to R4.2rc1 release
I had only noticed this on the new Qubes 4.2 so I assumed it was something Qubes pushed themselves.
I suppose it makes sense as having a strong sense of the number of characters makes brute-forcing easier, but it still does strike me as being of marginal value. If you are close enough to observe the number of characters in bullet form when someone is typing fast and yet aren’t recording but ARE enough of a threat to access the machine and brute force it later, that really didn’t strike me as an obvious thing to need a counter for.
Feel free to close this thread I just wanted to know the purpose of this, and didn’t realize it was from fedora and not a qubes-specific change.
Perhaps you are right. But it also does not make a large decrease in convenience, does it?
We do not close threads on this forum. Users can always find some additional relevant questions about the topic. Also, it’s relevant for the security of Qubes more or less.
I guess it’s new in Fedora 37, which runs in dom0 in Qubes 4.2.
No I agree, I even use it when there is no legitimate need lol. I’m all for user choice and small increments of security gained. So I am not upset by it, I was just struggling initially to understand the reason and was hoping there was something a little deeper.
If there IS an issue with people counting characters by looking at the dots in the password field, this can be overcome by having a password longer than the field is wide. Once it’s full of dots, you see no change for additional characters.
(For those things I use often enough to not need keepass, I tend to use pass phrases, which, since they are not random, should be longer than random strings. Even long passphrases are a lot easier to remember.)
Over time I have got a lot better at remembering long passphrases with a variety of characters and symbols, as many as 35.
What I tend to do is take randomly generated complex passwords and find strings within them that I can make some kind of narrative about, then stitch those together into my passphrase, and I can kind of ‘recite’ a narrative that the characters represent, which helps retention.
All of the characters & symbols are completely random, but I can recite a kind of ‘mantra’ that helps me retain them all with great accuracy.
The more I’ve done this, the easier it has become. I can remember old long complex passwords that I haven’t used in at least a year just because of that narrative style, but again all random characters and symbols.