Eye symbol not shown when "show password placeholders" is enabled #10794
Description
Originally reported by @kunszabo
Summary
The presence or absence of the "reveal content" eye button before a field gives out information about whether that field is empty or has content, even when the content is only displayed as placeholder dots.
Details
On the General tab of a displayed entry the "reveal content" eye button is not shown before an empty user name or password field.
This gives out a clue about the current value when the "/View/Hide Usernames" and "/View/Hide Passwords" settings are turned on:
no eye button + placeholder dots = empty field
clickable eye button + placeholder dots = some non-empty data
If the "reveal content" eye button is displayed for empty fields too, this small info leak is prevented.
PoC
1. Turn on "/View/Hide Usernames" and "/View/Hide Passwords".
2. Enable "Use placeholder for empty password fields" in the Security settings tab.
3. Enable "Hide passwords in the entry preview panel" in the Security settings tab.
4. Create a new entry with no user name and no password, and select this item in the list on the main panel.
   Effect: the entry preview panel shows the user name and password fields without a preceding "reveal content" eye button.
5. Edit the entry, enter some non-empty content into the user name and password fields, and save the entry.
   Effect: the preview panel changes; there is now a clickable "reveal content" eye button in front of the user name and password fields.
Impact
If someone can see the preview panel or hear the voice of a screen reader, they will know if the given fields are empty or not, even if the placeholder dots are displayed instead of the real content.
The impact is probably negligible; it does not allow the retrieval of any non-empty information, and exploiting it requires physical presence, but I still think that this should be fixed, especially because the fix seems to be trivial.
Checked on MS Windows only, with KeePassXC version 2.7.8.
Status: To triage