<table><tr><td style="">graesslin added a comment.
</td><a style="text-decoration: none; padding: 4px 8px; margin: 0 8px 8px; float: right; color: #464C5C; font-weight: bold; border-radius: 3px; background-color: #F7F7F9; background-image: linear-gradient(to bottom,#fff,#f1f0f1); display: inline-block; border: 1px solid rgba(71,87,120,.2);" href="https://phabricator.kde.org/D9040" rel="noreferrer">View Revision</a></tr></table><br /><div><div><blockquote style="border-left: 3px solid #8C98B8;
color: #6B748C;
font-style: italic;
margin: 4px 0 12px 0;
padding: 8px 12px;
background-color: #F8F9FC;">
<div style="font-style: normal;
padding-bottom: 4px;">In <a href="https://phabricator.kde.org/D9040#173465" style="background-color: #e7e7e7;
border-color: #e7e7e7;
border-radius: 3px;
padding: 0 4px;
font-weight: bold;
color: black;text-decoration: none;" rel="noreferrer">D9040#173465</a>, <a href="https://phabricator.kde.org/p/ngraham/" style="
border-color: #f1f7ff;
color: #19558d;
background-color: #f1f7ff;
border: 1px solid transparent;
border-radius: 3px;
font-weight: bold;
padding: 0 4px;" rel="noreferrer">@ngraham</a> wrote:</div>
<div style="margin: 0;
padding: 0;
border: 0;
color: rgb(107, 116, 140);"><p>On most touch platforms, only the last character in password prompts is revealed, one-at-a-time. It might make more sense to implement that than to keep the reveal button.</p></div>
</blockquote>
<p>On touch platforms: yes, but this is hybrid. Do you want your password being revealed on a big screen when entering with keyboard? Probably not. Thus the reveal button is a better solution than reveal while typing in this case.</p>
<p>People here know that I'm a security fanatic. And I honestly fail to see the issue with the button. Yes, if you enter half your password and move away someone else could reveal your password. Similar if you mistype and move away someone could see your password. This is a highly unrealistic scenario and doesn't allow to get the real password. It's only a problem if you use a password like 08041985 (my birthday) and someone would know that 09041985 has an obvious error. If you use such kind of password it doesn't matter at all: your friends will be able to break it.</p>
<p>Yes I see the concerns, but just because there are concerns means we need to destroy the usability here. Security and usability are always in conflict with each other and one needs to find the right level. Sometimes the security should win, sometimes the usability. In this case usability should win. If there are valid security concerns we should address them. I could imagine:</p>
<ul class="remarkup-list">
<li class="remarkup-list-item">show info that the password got revealed</li>
<li class="remarkup-list-item">clear the text fields after certain amount of inactivity</li>
<li class="remarkup-list-item">clear the text field after incorrect password</li>
<li class="remarkup-list-item">make button not clickable, but only on touch (might not work on X, but heck)</li>
</ul></div></div><br /><div><strong>REPOSITORY</strong><div><div>R120 Plasma Workspace</div></div></div><br /><div><strong>BRANCH</strong><div><div>master</div></div></div><br /><div><strong>REVISION DETAIL</strong><div><a href="https://phabricator.kde.org/D9040" rel="noreferrer">https://phabricator.kde.org/D9040</a></div></div><br /><div><strong>To: </strong>davidedmundson, broulik<br /><strong>Cc: </strong>graesslin, ngraham, broulik, plasma-devel, ZrenBot, progwolff, lesliezhai, ali-mohamed, jensreuterberg, abetts, sebas, apol, mart<br /></div>