Thursday, July 9th, 2009

New(er) in the Lab: HashMask – Another (More Secure!) Experiment in Password Hashing

By Chris Dary

Hot on the heels of HalfMask is another password hashing experiment, HashMask.

HashMask is another experiment in the middle ground between fully masked passwords (with bullets) and clear passwords. It uses visualizations of a password along with one-way hashing to create memorable images that the user can use to confirm they typed the correct password.

Feedback on HashMask is greatly appreciated – please leave it in the comments or email me at chrisd@arc90.com!

19 Responses

  1. 7/9/2009
    Eitan Konigsburg Said:

    I also like this better than HalfMask. I think this is an improvement and a unique concept.
    One caveat: in the case where someone was able to glance at the keyboard while the password was typed and then tried to remember the hash pattern that appeared on screen, it might make it easier to guess the password without having to submit the form. Since the pattern is generated without a submission, it bypasses the usual “try a few times and then lock out for a period of time” safeguard.
    Is there any way to “fudge” the hash after 3 incorrect generated patterns? A user probably won’t type their password incorrectly more than 3 times in a row, so if you pass a certain threshold, INTENTIONALLY make the pattern incorrect thereby nullifying guessers? A user who messes up more than 3 times would have to know this was happening and then refresh to try again, which might be a usability issue. Thoughts?

  2. 7/9/2009
    Michael Said:

    Why not have the username + password display an Identicon/Wavatar/MonsterId/whatever? Much easier to recognize while still offering obscurity.

  3. 7/9/2009
    Matt Said:

    I like this better than HalfMask.
    While I think that Eitan’s suggestion of scrambling the sparkline is well-intentioned, the security improvement of that would have to be balanced against the confusion caused to the honest person trying to remember their password by trying several variations — I know that for rarely-visited sites I often need three or more tries to puzzle out which variation on my scheme I used for that site, and deliberately providing misleading info could really mess up my attempts.
    An alternative could be to stop offering the sparkline (with an explanation) after a certain number of attempts, which would at least be nicer to your hapless honest user.

  4. 7/9/2009
    Matt Said:

    One more thought…
    In a lowish-security environment, this could be the germ of a password reminder system — you could get an image of the sparkline emailed to you as a reminder, since for an uncommonly visited site you might not remember the shape (particularly if this was widely implemented).

  5. 7/10/2009
    Hevran Said:

    Unfortunately, Eitan’s idea is unfeasible. Since there is no submission, the script won’t know how many times the user typed a password – it regenerates the image after a pause in typing. This can be avoided by not counting the number of tries, but the time elapsed. However, the real problem is that the attacker can modify the script at will, and make it always display the correct image.

  6. 7/10/2009
    Eitan Konigsburg Said:

    Matt and Hevran, I think both of you are correct. Thanks for the critiques.
    Hevran makes a good point about an attacker being able to modify the script. I think that this nullifies my proposed solution. But is my original question still valid? Doesn’t a visual indicator give an attacker instant verification of success since it bypasses any server safeguards? Is this really a problem and if so, any ideas for a solution?
    I think my issue is really that passwords in general are a poor security device. But since we have to live with them for the time being, I think HashMask is a useful leap forward in fixing the UI problems of password fields. I just wanted to reiterate that point, since my question is really about whether this adds (or changes) a level of security of typing passwords, while HashMask really seems to be aimed at fixing the usability problems of password masking (at which I think it succeeds – nice job, Chris).

  7. 7/10/2009
    Chris Dary Said:

    Thanks Eitan,
    A possible solution to the problem of the visual indicator being an instant verification of success may be lower fidelity in the image. If, for example, there were only 100 different possible images, the user would still be able to confirm his password accurately almost all of the time, but an attacker’s search set would only be reduced by a factor of 100, which while it sounds like a lot is really not as much as it sounds when we’re talking about brute force.

  8. 7/19/2009
    David Teirney Said:

    What about just using a color rather than the sparkline? When testing, each time I changed a character the color changed quite dramatically.
    I personally found the color more useful than the shape. Granted I’m not color blind though… Perhaps the hash just gives a position in the color spectrum?

  9. 7/24/2009
    Phil (Instine) Said:

    I may be a minority, but as someone with an excellent visual memory, but appalling sequential memory, I love this!
    I’m also colour blind, so would argue against using colour only.
    You will find many dyslexic users are like me. That’s just one group, which accounts for around 10%+ of the population. There will be more I’m sure.

  10. 7/24/2009
    Tonda Crha Said:

    Hi.
    I am really excited about this concept!
    I don’t think there is a security problem.
    The picture is based on the sha1 hash of the password.
    So I think there is no need to worry about a higher possibility of a successful brute force attack.
    Because even if an attacker is able to get the original sha1 from this little picture (or directly from the script), there is still a need to break this hash.
    So maybe it can use a stronger hash in the future, and I am OK with the security of this script.
    Users can use stronger passwords while using this gadget – so – no need to worry about a successful hash break.
    But I am not a security professional…
    Tonda

  11. 7/25/2009
    Matthias Said:

    Hey,
    I really like your idea. It’s simply smart. Looking forward to the further development.
    Cheers
    Matthias

  12. 9/23/2009
    Tilex Said:

    I don’t know how the image is created, but I suggest that it should be created only with a part of the hash, so an image can never be uniquely assigned to one single hash.
    That adds a few points in security.
    I don’t know much about that sha1, but I heard that similar hashes had been reversed with pre-computed tables.

  13. 11/14/2009
    Bruno Caimar Said:

    Hey,
    I love this idea. I’ve just adapted it in a Greasemonkey script to use with Firefox over the web.
    If anyone is interested in that, it is published on UserScripts.Org. Here is the link: http://userscripts.org/scripts/show/61346

    Cheers,
    Bruno Caimar

  14. 12/5/2009
    Carl Joseph Said:

    I hate to drag up old technology, but Lotus Notes has been doing this for quite a while. The password prompt displays a random number of Xs for each keystroke and also provides some “hieroglyphics” alongside. Here is an animated example: http://www.codinghorror.com/blog/images/lotus-notes-login-dialog-animated.gif

    The hieroglyphics act as a subconscious check that you’re typing your password correctly. Similar to the hash visualisation used by HashMask.

    This is a nice idea and I hope it becomes a standard feature in browsers.

  15. 12/10/2009
    Peter Capek Said:

    I saw the description of HashMask and was going to comment here about Lotus Notes’ similar idea, but I see Carl Joseph has beaten me to it. I no longer use Notes, but during the time that I did (several years), I never found these hieroglyphics very helpful. Perhaps they provide some feedback to a few users, but everyone I ever discussed it with ignored them. I’m almost certain that IBM/Lotus has a patent on this idea, but I don’t know how broad the claims are. Inventor is probably Ray Ozzie.

  16. 1/3/2010
    Luis Said:

    Hi,

    I use Lotus Notes 8 and the feedback is no longer hieroglyphs but just random icons. It is extremely helpful because I know whenever I am typing a wrong password before hitting enter.

    Too bad it is not used anywhere else…

    Luis.

  17. 1/22/2010
    David Leppik Said:

    Have you considered using Chernoff faces instead of sparklines? They are a good visualization technique for making random numbers memorable. Examples:
    http://mathworld.wolfram.com/ChernoffFace.html

    Another thing to keep in mind is that the password is typed in a predictable order, so you leak information as you type. In particular, the first sparkline probably gives away the first character.

    If I were to re-implement this idea, I’d do the following:

    1. No feedback for the first 4-6 characters.

    2. Limit the hash size to limit the data leak. Following up on another commenter, I might limit the hash space to around 100 images. Or I might make it a fraction of the number of characters.

    3. Use Chernoff faces or some other image source that human brains are really good at recognizing.

    4. Keep the color. For me, the color is more memorable than the sparkline. You could even change the input field background.

  18. 2/12/2010
    zack kitzmiller Said:

    I think line 63 should be changed to:

    $('body').append($sparkline);

    I’m not sure why you’d want to attach it to the form, it could get crazy with position:absolute, if the form is heavily stylized.
