When typing a secret keyword into Getpass, a little jdenticon is showing on the right, based on the secret that was entered. The FAQ on Getpass states the following about it :
Did you notice that secret keyword is obscured? If yes, than this is a way to visually represent a hash of your Secret Keyword, based on jdenticon library. This is the way to ensure that your Secret Keyword is typed correctly, without revealing the actual letters you have typed.
Doesn’t that completely defy the purpose of obscured fields in applications ?
I get that the generated icon is based on a hash, so it’s not reversible. But this still provides direct information about the password. Such information would be completely obscured if the artwork was absent.
For example, if I know the artwork of an horrible password, like ‘password123’, shoulder-surfing my colleague when they’re typing their password on this page would already tell me that their password is/isn’t ‘password123’. This wouldn’t happen if the artwork was absent.
Am I paranoid ? Is this something that can safely be done ?