Comments on: Chroma Hash: Interesting visualization of your password

By: MattMcNamara

MattMcNamara — Sat, 15 Aug 2009 02:48:18 +0000

Sorry to join this conversation late, but this is actually a really good idea – but I would salt the MD5 Hash as that would prevent the issue of rainbow tables that someone was mentioning.

This concept of visual confirmation is used in a lot of random places, and I would agree that a lot of people don’t actually understand what’s going on until they get it wrong. On the login for Lotus Notes, for example, 4 random pictures iterate through as you type your password. I was in the room with someone who typed their password and said out loud “oh wait, no, that’s supposed to be in the top corner” and so they deleted their password and tried again.

This is far superior than “show password”, which is not only visually unsafe (onlookers, screen snoops), but requires user interaction from the end user. Chroma-Hash is passive, and I think a really good solution.

By: Schorsch

Schorsch — Fri, 31 Jul 2009 20:43:06 +0000

I went for “show password” switch on my current project. This one looks interesting but i guess it would need an explanation for normal users.

By: zachstronaut

zachstronaut — Thu, 30 Jul 2009 14:22:53 +0000

The internet is full of advice, good and bad. You have to always consider the source. And I’d be especially aware of the source for anything that has to do with passwords or security.

It’s neat that people are exploring the authentication space. I think it is important that people do that. However, I’d caution people against implementing anything that isn’t battled tested and expert approved when it comes to matters of security.

By: Stakka

Stakka — Thu, 30 Jul 2009 14:15:19 +0000

As frenchStudent said: Why not just print “Match” somewhere instead? The colorbars just worsen usability and security.

By: WillPeavy

WillPeavy — Thu, 30 Jul 2009 13:54:44 +0000

Personally I use this: http://userscripts.org/scripts/show/13720

A checkbox that toggles the type attribute (mentioned by cancelbubble) works well.

By: Eeeli

Eeeli — Thu, 30 Jul 2009 09:25:18 +0000

I love the elegant and simply code. very clean and neat looking.

frenchStudent: I think the location of the color stripes is not the best, if you’d create a visual connection between the two color stripes, actually connection them one to another, the bottom of the top one touching the top of the bottom one, you’d get a one continuous color stripe, and that could perhaps make things easier for first timers to understand what it stands for.

I too seeing it first time (without reading the description) was sure that this is strength indicator.

As to pmontrasio’s comment,
yeap, you’re right, with the current implementation that the colors change every time you type in a letter, you could very quickly discover the hash that was used, even if used with foreign letters.
I’d add a random string for every page load to be added to the final hash of the password.
That way it would be extremely hard to decrypt the hash.

Even the same password won’t look the same after reloading the page, but no one will notice this…

By: pmontrasio

pmontrasio — Thu, 30 Jul 2009 07:52:51 +0000

This weakens password security but as long as people’s eyes can’t measure 24-bit RGB values on the screen the problem is not significant. However a camera could do the trick, maybe with some color calibration algorithm based on the measured RGB from well known areas of the screen such as white windows backgrounds. Given the RGB values (or a small range of values) a rainbow table lookup will find the password candidates in a common password database quite quickly. If your password is very uncommon you’re probably safe, but you’re also likely to remember it well and have little problem typing it.

Letting people see the clear text password is obviously much worse and IMHO should be done only for webapps with very low security requirements.

By: cancelbubble

cancelbubble — Thu, 30 Jul 2009 02:09:49 +0000

I recently finished up a project for Cisco WebEx where I implemented a “show password” feature using jQuery. It was a “show password” checkbox next to the password field that, when clicked, would turn asterisks into clear text and back. For example:

**********
would switch to the clear text string they entered:
mypassword

When unchecked it would do the opposite:

mypassword
clear text switched to asterisks
**********

By: frenchStudent

frenchStudent — Thu, 30 Jul 2009 00:26:35 +0000

Some people will think it is related to the password’s strength.
What about a simple “match” indication next to the second password input when the values matches the first one?