Shoulder surfing for passwords is a tiny concern compared to how much these measures hurt ux. I am happy that the current trend is now to also let the user toggle off the * to see what you actually typed.

I don't know if these were added but to match security of other graphical password fields after submitting the password the terminal should clear the starts and while the password is being inputted it should protect the window so it can not be screen recorded.

I recently started using Linux again, and decided to try and fix some of its more ancient and silly UX paper cuts. This is my first success!

My attempt to fix the annoying and unnecessary 2 second delay when you mistype your password is going rather less well: https://github.com/linux-pam/linux-pam/pull/789

Does anyone want to rewrite PAM in Rust? :D