RFR: 8354469: Keytool exposes the password in plain text when command is piped using | grep [v6]

Weijun Wang weijun at openjdk.org
Fri Sep 26 16:40:39 UTC 2025


On Fri, 26 Sep 2025 13:47:36 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   add a warning for non-console interactive UI
>
> src/java.base/share/classes/sun/security/util/Password.java line 77:
> 
>> 75:                     // will be silently consumed without echoing to the screen.
>> 76:                     System.err.print("[Warning: Console not available." +
>> 77:                             " The entered password might be echoed.] ");
> 
> s/might/may/
> 
> I wonder if "echoed" is generally understood by most users. Should we be more clear and say something like " The password entered may be visible on the screen"?
> 
> Also, consider putting "Warning" in all caps to make it more significant. Also consider breaking into 2 lines, so the second part is not at the end of a long line, ex:
> 
> WARNING: Console not available
> WARNING: The password entered may be visible on the screen

This text appears after the prompt (which is printed by the caller) and I deliberately make it short so everything is still on the same line.

Enter keystore password:  [Warning: Console not available. The entered password might be echoed.] password

Shall I just change "echoed" to "visible"? I'm OK with "WARNING".

*Update*: Maybe there is no need to say "Console not available"?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27196#discussion_r2382906867
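The situation the thread is discussing, as an added example that is not the PR's code and not OpenJDK's Password.java: when `System.console()` returns null (stdin or stdout is a pipe or a redirected file, as with `keytool ... | grep`), the JVM cannot turn terminal echo off, so a password-reading routine should say so before falling back to reading a line from stdin. The class name `PasswordPrompt`, the method `readPassword` and the exact warning wording are assumptions for this example; the wording only mirrors the phrasing suggested above and is not a final decision from the thread.

```java
import java.io.BufferedReader;
import java.io.Console;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;

// Added example (not the PR's code): read a password with echo disabled when a
// console exists, otherwise fall back to stdin and warn that echo is not under
// the program's control.
public final class PasswordPrompt {

    // Returns the password as a char[] so the caller can zero it after use,
    // or null at end of input.
    static char[] readPassword(String prompt) throws IOException {
        Console console = System.console();
        if (console != null) {
            // Console.readPassword() switches terminal echo off; the typed
            // characters never appear on the screen.
            return console.readPassword("%s ", prompt);
        }
        // No console: stdin or stdout is not a terminal (pipe, redirect, IDE
        // run window). The terminal's echo setting cannot be changed from here,
        // so whatever the user types may be visible. The warning is printed on
        // the same line as the prompt and goes to stderr so a pipe on stdout
        // does not swallow it. (Assumed wording; see lead-in.)
        System.err.print(prompt + " [WARNING: Console not available."
                + " The password entered may be visible on the screen.] ");
        System.err.flush();
        BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
        String line = in.readLine();
        return line == null ? null : line.toCharArray();
    }

    public static void main(String[] args) throws IOException {
        char[] pw = readPassword("Enter keystore password:");
        if (pw == null) {
            System.err.println("No password entered.");
            return;
        }
        try {
            // Only the length is reported; the secret itself is never printed.
            System.err.println("Read " + pw.length + " characters.");
        } finally {
            Arrays.fill(pw, '\0'); // do not leave the secret lying around in memory
        }
    }
}
```

Running `java PasswordPrompt` in a terminal takes the first branch and nothing is echoed; running `java PasswordPrompt | cat` takes the fallback and shows the warning on stderr. On JDK 22 and later `Console.isTerminal()` exists and can be checked in addition to the null test, since a non-null Console is not by itself proof that echo can be suppressed.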

