Keyboard input into a locked XFCE with display in sleep mode
Set screensaver to 19 minutes and autolock 1 minute after screensaver in Settings-screensaver, and in Settings->Power manager set display to blank after 15 minutes and sleep after 20 minutes. Disable other power saving options, i.e. putting the PC to sleep. This basically makes the PC lock itself and put the display to sleep in about 20 minutes of inactivity.
Open and switch focus to any text editor, i.e. mousepad.
Wait approx. 21 minutes without touching mouse or keyboard until the computer locks the session and monitor goes to sleep (you may want to adjust the above settings to make this faster, but this is how I have my PC set up). The PC is still fully operational, only the display is in sleep mode.
While the the monitor led is still blinking (i.e. sleep state), start typing anything (i.e. your password) on the keyboard.
This will bring the screen back on from sleep state and show your username and password prompt, however, only some of the letters you pressed are in the password line. After you enter the password and login into the system, you will see the first keys you pressed while the screen was off in the still open text editor window (i.e. the first letters of the password).
That means there is a brief moment before the password prompt is engaged, when keyboard input is passed through to the GUI on a LOCKED computer. That seems to be a huge security hole.