Re: [hackers] [slock][PATCH] Reset color to INIT on Escape key press

2016-04-04 Thread Markus Teich
Thomas wrote:
> Wouldn't it be more consistent if setting failonclear to false also caused
> slock not to fail on "escape"? After all, if you don't press "return", there's
> been no guess.

Heyho Thomas,

that is exactly the behaviour on "failonclear == false". It will only set the
screen to the fail color, if there was a failed login attempt (pressing return
at least once). Due to the mentioned security intentions there is no way to
reset the failed state. If you don't want this feature at all, you can just set
the failed color to black as well.

> Anyhow... I didn't search through the list archives; if we're revisiting this,
> feel free to drop it (with my apologies).

There has been a discussion about the failonclear feature a few months ago, if
you want to search for it.

--Markus



Re: [hackers] [slock][PATCH] Reset color to INIT on Escape key press

2016-04-04 Thread Thomas
I just noticed that is indeed the current behaviour. That works for me.
I'll just hit "esc" instead of "return" after I bang on the keyboard.

Sorry for the noise.

Mon, Apr 04, 2016 at 05:36:18AM -0300, Thomas:
> Wouldn't it be more consistent if setting failonclear to false also
> caused slock not to fail on "escape"? After all, if you don't press
> "return", there's been no guess. That would appease my OCD. As it
> stands, failonclear is not good enough, because you have to erase letter
> by letter.




Re: [hackers] [slock][PATCH] Reset color to INIT on Escape key press

2016-04-04 Thread Thomas
Mon, Apr 04, 2016 at 07:20:33PM +1200, David Phillips:
> The main reason for the inclusion of the 'fail on clear' behaviour was so that
> you could see if anyone tampered with the computer while it was locked:

I reckoned that was the reason for the behaviour. My problem is that I
am used to banging a little on the keyboard and hitting "return" before
leaving my desk, to make sure it's locked (the monitor sleeps a little
earlier). Ever since the change, it's been bothering me that the monitor
doesn't turn off the panel whenever I do that (because the screen isn't
black). If I *don't* do the banging, then it's even less secure than not
knowing about the failed guesses.

> Please note also that pressing backspace to empty the input buffer will result
> in the failure colour being shown even though this "isn't really a failure"
> either :)
> 
> In order to get the behaviour you're after, is there a problem with simply
> setting failonclear to False in config.h? I understand the behaviour isn't
> identical to your patch, but the "security" is the same. With this patch
> applied, if Mallory failed to guess your password, he can just press Esc and
> you're none the wiser.

Wouldn't it be more consistent if setting failonclear to false also
caused slock not to fail on "escape"? After all, if you don't press
"return", there's been no guess. That would appease my OCD. As it
stands, failonclear is not good enough, because you have to erase letter
by letter.

I once thought about adding little dots on top of the INPUT or INIT
screen, to show how many failed attempts there's been. But it struck me
as sucking too much for slock.


Anyhow... I didn't search through the list archives; if we're revisiting
this, feel free to drop it (with my apologies).


Thomas




Re: [hackers] [slock][PATCH] Reset color to INIT on Escape key press

2016-04-04 Thread David Phillips
On Mon, Apr 04, 2016 at 02:46:18AM -0300, Thomas wrote:
> Also makes sense because pushing Esc isn't really a failure, but a
> purposefully aborted unlock attempt, so the background shouldn't be set
> to FAILURE.

The main reason for the inclusion of the 'fail on clear' behaviour was so that
you could see if anyone tampered with the computer while it was locked:

 "while I was out getting a cup of tea, did I hear someone typing on my
  keyboard or was it just the paranoia pixies?"

This is a common problem for users of slock. Fail on clear addressed the issue.
Please note also that pressing backspace to empty the input buffer will result
in the failure colour being shown even though this "isn't really a failure"
either :)

In order to get the behaviour you're after, is there a problem with simply
setting failonclear to False in config.h? I understand the behaviour isn't
identical to your patch, but the "security" is the same. With this patch
applied, if Mallory failed to guess your password, he can just press Esc and
you're none the wiser.

> (Note: let me know if you prefer to pull from Github, I'm new to the
> list.)

Email+patch is the way to go.
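
The screen-color behaviour described in this thread, modeled as a small state machine (an added example, not slock's source and not the patch under discussion). The `esc_resets` flag is an assumption standing in for the proposed patch, based only on its subject line and the replies above; all type and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum color { INIT, INPUT, FAILED };
enum key { K_CHAR, K_BACKSPACE, K_ESCAPE, K_WRONG_RETURN };

struct lock {
    bool failonclear; /* config.h option discussed in the thread */
    bool esc_resets;  /* assumption: models the proposed "Esc -> INIT" patch */
    bool failure;     /* sticky: set by a wrong Return, never cleared */
    size_t len;       /* characters currently in the input buffer */
    enum color color; /* what the owner sees on the screen */
};

/* Apply one key press and recompute the screen color. */
static void lock_key(struct lock *l, enum key k)
{
    switch (k) {
    case K_CHAR:         l->len++; break;
    case K_BACKSPACE:    if (l->len) l->len--; break;
    case K_ESCAPE:       l->len = 0; break;
    case K_WRONG_RETURN: l->failure = true; l->len = 0; break;
    }
    if (l->len)
        l->color = INPUT;
    else if (k == K_ESCAPE && l->esc_resets)
        l->color = INIT; /* evidence of an earlier failed guess is gone */
    else
        l->color = (l->failure || l->failonclear) ? FAILED : INIT;
}

/* Replay keys typed while the owner was away; return the color left behind. */
static enum color replay(bool failonclear, bool esc_resets,
                         const enum key *keys, size_t n)
{
    struct lock l = { failonclear, esc_resets, false, 0, INIT };
    for (size_t i = 0; i < n; i++)
        lock_key(&l, keys[i]);
    return l.color;
}

int main(void)
{
    const enum key guess_esc[] = { K_CHAR, K_WRONG_RETURN, K_CHAR, K_ESCAPE };
    const char *name[] = { "INIT", "INPUT", "FAILED" };
    printf("current: %s\n", name[replay(false, false, guess_esc, 4)]);
    printf("patched: %s\n", name[replay(false, true, guess_esc, 4)]);
    return 0;
}
```

The sticky `failure` flag is what keeps a wrong guess visible to the owner; any key that resets the color without a successful unlock removes that tamper evidence.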

