Python 3.4, Tkinter – Double clicking reveals the length of masked phrases

I’m messing around with Tkinter since I’d like to get back into non-web-based development and the Python/Tkinter combination looks promising.

Many of the documents I’ve seen suggest you can use an Entry box for inputting passwords and such if you pass a show='*' argument when creating it. This effectively masks all the input characters and displays asterisks, as we’ve all come to expect.

One thing I’m finding is this: suppose you create a masked password entry field and your password is “laputan machine”. If you enter it into the field, you’ll see “***************” (as one would expect).

However, if you double click on the right half of that string of asterisks, it will only highlight the last 7 asterisks (those pertaining to the word “machine”).

Thus, without any prior knowledge, we can deduce that the passphrase contains at least one space and consists of two words, the last of which is 7 characters long.

I’m not sure how something like this could be exploited in the wild but it seems to me a masked password field certainly should not behave this way. Thankfully copying and pasting the string in question yields only the masked string.
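As an added example (not code from the original post), here is a small model of what the default double-click selection gives away, alongside a widget-level binding that selects the whole field instead so the highlight carries no word-boundary information. The word model is an assumption: it treats a word as a run of non-whitespace, which is enough to reproduce the “laputan machine” observation.

```python
def default_double_click_span(text, index):
    """Model of the span Tk's default double-click selects around `index`.
    Assumption: a word is a run of non-whitespace. The selection length
    equals the real word length even though every character is drawn as '*'.
    """
    if not text:
        return (0, 0)
    index = max(0, min(index, len(text) - 1))
    if text[index].isspace():
        in_run = str.isspace                  # clicking a gap selects the gap
    else:
        in_run = lambda c: not c.isspace()
    start, end = index, index + 1
    while start > 0 and in_run(text[start - 1]):
        start -= 1
    while end < len(text) and in_run(text[end]):
        end += 1
    return (start, end)


def leaked_word_lengths(secret):
    """Word lengths an observer recovers by double-clicking across the field."""
    lengths, i = [], 0
    while i < len(secret):
        if secret[i].isspace():
            i += 1
            continue
        start, end = default_double_click_span(secret, i)
        lengths.append(end - start)
        i = end
    return lengths


def select_all_on_double_click(event):
    """<Double-Button-1> handler for a masked Entry: select everything so the
    highlight carries no word-boundary information, and return "break" so Tk's
    class-level word-select binding does not run afterwards."""
    event.widget.select_range(0, "end")
    event.widget.icursor("end")
    return "break"


if __name__ == "__main__":  # GUI demo, needs a display; constructed example
    import tkinter as tk
    root = tk.Tk()
    entry = tk.Entry(root, show="*")
    entry.pack(padx=10, pady=10)
    entry.bind("<Double-Button-1>", select_all_on_double_click)
    root.mainloop()
```

Binding on the widget itself runs before the Entry class binding, and the "break" return value stops Tk from continuing down the bindtags list, which is what suppresses the default word selection.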