
Chroma-Hash: A sexy, non-reversible live visualization of password field input - jp_sc
http://axemclion.github.com/Chroma-Hash/?gradient
======
jgrahamc
I don't buy the claim of non-reversibility here. The colors are generated by
MD5-hashing three items:

1. Domain-specific salt (which is just the document.location)
2. User-specific salt (which has a default value, and even if it was loaded based on
the user name an attacker could retrieve it)
3. The password typed so far

1 and 2 mean that the salt is virtually useless. It's not a secret.

The colors are generated by extracting 6 digit chunks of hex from the
hexadecimal MD5 hash. And the full entropy in the MD5 isn't used.

So, it looks to me like someone who observes the username and the colors
generated could look up the password in a rainbow table quite easily. Since
they've also got the number of characters in the password it makes generating
test passwords really easy.

Code is here: http://github.com/axemclion/Chroma-Hash/blob/d6703e670f8447640adba29838adb57d28369f16/chroma-hash.js

------
jacquesm
<http://news.ycombinator.com/item?id=729556>

