
Well, does it? If I were able to break SHA2 and make myself rich with it, I would need to be sure that nobody would find out that Bitcoin can be manipulated. The second anyone is aware, I wouldn't be rich anymore.

Wouldn't that be the play, though? Get a buttload of bitcoin, turn it into real money, then destroy bitcoin. If you found a break in bitcoin you wouldn't rely on keeping your wealth in bitcoin and then hoping nobody else discovers it.

The trick would be to find some financial instrument that lets you short BTC, or make prediction-market bets on a falling price.

While I would have the same reaction, in this case I think it is a sane decision. Ente is cornering the privacy market and I think they're doing a great job. They have a lot to lose (trust) and it would be stupid if they did something shady with the data entered in the 2FA app.

Not knowing them, how could OP trust them instantly? Whether they really have that trust or not, you have to know them for a while and from many different trustable sources. The story is a bit strange.

> cornering the privacy market

this seems self-contradictory


Sorry, English is not my first language and I tried to look clever.

There are the issues of competence and track record, not only intent.

I have the same questions. After installing the app, it downloads 2.5 GB of data. I presume this is the model.

I remember watching the Cornetto trilogy (https://en.wikipedia.org/wiki/Three_Flavours_Cornetto) and always wondering why on earth they fill the glasses up to the brim. It is awkward to carry them this way without spilling beer.

When CAMRA was new in the early 1970s, they started a campaign for oversize glasses holding a pint to the line instead of a pint to the rim, so that there would be space for a pint of liquid and a head in the glass. The big breweries hated this idea and mounted a reactionary campaign arguing things like it would be too expensive to replace all the glasses, or serve customers the full measure they had paid for. (My father was a new recruit at Guinness and sadly one of his early tasks was the pint-to-brim campaign.)

I no longer drink in pubs but in my neck of the woods, the pubs that specialised in cask ale often had lined glasses.

The problem was that many people insisted on the glass being filled to the brim, because they felt they were being short-changed. So it solved one problem but created another.


First sip's at the bar; then you can

Here are your beers lads, I didn't spill anything! They taste good too.

Since the one who picks them up pays, it's fair.

Just a follow-up: I wrote Nexi Germany via some contact form that I will avoid using their services because of that story. They called me back and told me that they had asked the FSFE for a test account only. They also ran an internal investigation into whether someone asked for passwords of real accounts, which is a clear no-go for them.

Because you long ago forgot how confusing it was that you can't see whether your keystrokes are accepted by the machine. This is a change for people who are new to Linux/Unix.

Worse than this issue, but kind of related, sometimes TTY1 (and maybe also the other TTYs) is being spammed by log info on boot, and if you have a TTY login it isn't obvious you can just log in anyway. Had a friend using Arch+i3 with TTY login, pretty new to GNU/Linux in general, so he kinda threw up his hands like "ah dang, can't log in, it's broken". I tried to tell him to just type his credentials anyway, but he didn't get what I was saying at first. Took a bit before we got him logged in and could address the other issues. I've had similar issues on my machines. I once had kernel log verbosity cranked up by accident, copied my config from another machine where I was chasing a GPU bug. Well, the same settings on the other machine were presenting way worse, constant never-ending line-spam, before and after login. Had to get into a graphical environment half-blind to see what I was doing and then turn down the verbosity. IMO there should be an easier way around that.

kernel cmdline arguments set in the bootloader? though I'm not sure which has precedence

It's something that is confusing exactly once for a few seconds. It is at the bottom of the list of UX problems for either Linux or non-Linux systems.

Alternatively, if it's confusing, you shouldn't be doing whatever it is you're doing with sudo because you copy pasted a command from God knows where with zero understanding.


Good things always happen when you cater to the lowest common denominator.

I also think it is a good decision. Nevertheless it breaks the workflow of at least one person. My father's Linux password is one character. I didn't know this when I supported him over screen sharing, because I couldn't see it. He told me, so now I know. But the silent prompt protected that fact. It is still a good decision; a one-character password is useless from a security standpoint.

If it breaks the workflow of one person but makes it better for many more, it's likely a worthwhile tradeoff.

Just add an option to let holding space keep my feet warm. It only needs a few extra lines that won't change.

How much would unknown password length protect against bruteforcing a 1 character password?

This has always been an option and your dad can just flip the default back to not show it

I may or may not use a single char password on a certain machine. This char may or may not be a single space. It may or may not be used in FDE. It's surprising what (OS installers) this breaks.

> It is still a good decision; a one-character password is useless from a security standpoint.

Only if length is known. Which is true now. So it opens the gates to try passwords of specific known length.


If you are brute forcing passwords, knowing the length only reduces the number of passwords to try by about one hundredth.

Drats, you're right. I thought it'd be worse, but the ratio seems to only depend on the number of letters in your character set: 1/count(letters in alphabet).

For ASCII at 95 printable chars you get 0.9894736842. Makes intuitive sense: as the "weight" of each digit increases, taking away a digit matters less to the total combos.

Maybe I'll start using one Japanese kanji to confuse would-be hackers! They could spend hours trying to brute force it while wondering why they can't crack my one-letter password they saw in my terminal prompt. ;)


I’ve occasionally contemplated using some non-ASCII character like • or š in a password, but have backed off for fear of needing access from a device that doesn’t support input of those characters.

It's funny how a single Japanese symbol would be harder to crack than the anglicized name for it.

Do we know if the asterisks count Unicode code points rather than bytes?

Doesn't really matter, the IME shows the input until you confirm which kanji you want.

When the IME inserts the character, it'll be made up of multiple bytes because of the nature of UTF-8, so it may appear as multiple asterisks regardless.

Most software, traditional sudo included, would respect LC_CTYPE being set to a UTF-8 locale (or any of the older multi-byte encodings) and do proper character counting.

At the very least, all GNU tools put a lot of focus on localization support, and I hope sudo-rs is the same.


Having LC_CTYPE bit set to utf8 would be my worry. Would suck to not be able to log in because the LC* lang changed.

Hmmm, hopefully sudo-rs respects LC* env vars. I recall reading a few years back that some Rust Unix tools skipped that and won big on benchmarks until folks realized they weren’t handling NC localization properly.


It also gives you the possibility of filtering out which ones are worth cracking and which ones are not.

It could also give useful priors for targeted attacks: "Their password is 5 characters, and their daughter's name is also 5 characters, let's try variations of that".

Any system that is accessible to hackers who can see the length of the password /and/ that has a single 5-char password has the security of a key under a doormat.

Maybe this is far fetched, but you could get an LLM-based auto-research system to extract these potential relationships

I have access to the ChatGPT account of my boss and it is unusable sycophancy slop, horrible to read because every piece of information is buried under endless emojis and the like. And it is almost indistinguishable whether the LLM is wrong or right; every answer looks the same, often with a "my final answer" at the end. It's a mess.

I'm using Claude Opus 4.6 and it is much calmer, or "professional" in tone, with much more information and almost no fluff.


Thank you for saying this. ChatGPT is SO BAD. I suspect anyone who says OpenAI models are good is either lying or botting.

150m page views a month is peanuts and very far away from the "social" networks' numbers. I don't have those numbers, but I know how many page views we had in 2011 while running a German browser game community.


The internet seems to have grown massively within the past couple years (unfortunately, almost certainly because of bots). I bet the number today is orders of magnitude higher.


I would bet money that HN's traffic is not orders of magnitude higher than 2020. HN is not as popular as HNers think it is.


We don't disagree. The extra traffic is almost if not entirely bots (especially scrapers)


And "Witz" means "joke" in German.


Yeah, but it’s pronounced differently. Germans are bad at English pronunciation. A couple of examples: BBQ ~> „barbicue”, Pampers ~> „pempas”.


Wichs also means ejaculate. Wix even had an ad where they made fun of "Wichser" (masturbator) on German TV.

