Password Security in Emacs Terminal Emulators
aurellem ☉
I use emacs for everything – email, programming, document
preparation, planning… You name it, I do it! One thing which I use
emacs for is terminal emulation, which is where you create a buffer in
emacs where you can enter commands as if the buffer were a
terminal. Good terminal emulation packages for emacs include
multi-term and term.
1 Watch Out for view-lossage!
However, if you are going to use terminal emulation in emacs, you have
to be careful around "sudo" prompts, and when logging into other
servers using ssh, because the last 300 keystrokes you have typed in
emacs are available using C-h l, a help function in emacs which
displays the last keypresses you have typed.

    C-h l runs the command view-lossage, which is an interactive compiled
    Lisp function in `help.el'.

    It is bound to C-h l, <help> l.

    (view-lossage)

    Display last 300 input keystrokes.

Let's say my password is "sup3r-seekrit#7".
I open an emacs terminal using M-x multi-term, then do the following:

    [~] $ ssh rlm@linerva.mit.edu
    Password:
    Welcome to Linerva, the SIPB Linux dialup for MIT.
    Linerva runs Debathena on Debian squeeze.
    http://linerva.mit.edu for more information
    blanche linerva-announce -a $USER # for outage announcements
    linerva@mit.edu (not IS&T) for questions and bug reports
    Last login: Mon Mar 4 12:53:23 2013 from ella.csail.mit.edu
    rlm@dr-wily:~$ exit
    logout
    Connection to linerva.mit.edu closed.

Now, when I type C-h l, I can see this:

    s s h SPC r l m @ l i n e r v a . m i t . e d u <return> s u p 3 r - s e e k r i t # 7 <return> e x i t C-h l

Needless to say, this can be a security vulnerability.
2 Solutions to this problem
- If you don't ever type your password into an emacs terminal buffer, then you are not at risk. This can be accomplished by using ssh keyfiles or Kerberos for connecting to remote servers, and by enabling passwordless sudo.
- You can disable emacs keylogging, though you then won't be able to
  use the view-lossage command anymore.
- If there's no way for an attacker to get into your emacs process,
  then your passwords are safe. Still, you run the risk of someone
  physically near your computer using this method to view your
  password, as well as inadvertently exposing your password when
  showing someone what view-lossage does!
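
A narrower alternative to disabling keylogging altogether, shown as an added example (not code from the original post): read the password in the minibuffer, send it to the terminal's process, then erase the recent-keys record that view-lossage displays. The command name my/term-send-password is hypothetical, and it assumes you run it with M-x from a term or multi-term buffer that is sitting at a password prompt.

```elisp
;;; Added example, not from the original post.
;;; Assumption: the current buffer is a `term'/`multi-term' buffer whose
;;; process (ssh, sudo, ...) is waiting at a password prompt.
;;; `my/term-send-password' is a hypothetical name.

(defun my/term-send-password ()
  "Send a password to this buffer's process without leaving it in lossage.
The password is read with `read-passwd', sent to the process, and then
both the string and the record of recent input events are wiped."
  (interactive)
  (let ((proc (or (get-buffer-process (current-buffer))
                  (user-error "No process in this buffer")))
        (secret nil))
    (unwind-protect
        (progn
          ;; Typed in the minibuffer, not in the terminal buffer itself.
          (setq secret (read-passwd "Password: "))
          ;; Send the password and the newline separately so no extra
          ;; copy of the secret is created by `concat'.
          (process-send-string proc secret)
          (process-send-string proc "\n"))
      ;; Cleanup runs even if the prompt is aborted with C-g.
      ;; Overwrite the password string in place.
      (when secret (clear-string secret))
      ;; With no argument this also clears the vector that
      ;; `recent-keys' returns, which is what `view-lossage' prints.
      (clear-this-command-keys)
      ;; Sanity check: report how many events are still recorded.
      (message "Password handled; %d input events left in lossage"
               (length (recent-keys))))))
```

This wipes the whole lossage record, not only the password keystrokes, so C-h l will show nothing from before the command ran. It does not help if you type the password directly into the terminal buffer instead of invoking the command.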