Mon, Apr 04, 2016 at 07:20:33PM +1200, David Phillips:
> The main reason for the inclusion of the 'fail on clear' behaviour was so that
> you could see if anyone tampered with the computer while it was locked:

I reckoned that was the reason for the behaviour. My problem is that I am used to banging a little on the keyboard and hitting "return" before leaving my desk, to make sure it's locked (the monitor sleeps a little earlier). Ever since the change, it's been bothering me that the monitor doesn't turn off the panel whenever I do that (because the screen isn't black). If I *don't* do the banging, then it's even less secure than not knowing about the failed guesses.

> Please note also that pressing backspace to empty the input buffer will result
> in the failure colour being shown even though this "isn't really a failure"
> either :)
>
> In order to get the behaviour you're after, is there a problem with simply
> setting failonclear to False in config.h? I understand the behaviour isn't
> identical to your patch, but the "security" is the same. With this patch
> applied, if Mallory failed to guess your password, he can just press Esc and
> you're none the wiser.

Wouldn't it be more consistent if setting failonclear to false also caused slock not to fail on "escape"? After all, if you don't press "return", there's been no guess. That would appease my OCD. As it stands, failonclear is not good enough, because you have to erase letter by letter.

I once thought about adding little dots on top of the INPUT or INIT screen, to show how many failed attempts there's been. But it struck me as sucking too much for slock.

Anyhow... I didn't search through the list archives; if we're revisiting this, feel free to drop it (with my apologies).

Thomas