

Show HN: Using a color pattern to let a user 'recognise' their password - skattyadz
https://github.com/skattyadz/JavaScript-RGB-Password
This is just a concept I made that allows a user to discern whether they have typed a password correctly before submitting. The user never sees their password, but should be able to recognise its pattern.

Thoughts?
======
mping
This has been done before: <http://mattt.github.com/Chroma-Hash/> Just make
sure that the color thing is not reversible.

~~~
palmr
Arc90 Labs had a similar thing around the same time too:
<http://lab.arc90.com/2009/07/09/hashmask-another-more-secure-experiment-in-password-masking/>

------
cstuder
A suggestion: You could reduce leakage of the first one or two characters by
only starting the color display on the entry of the third letter.

~~~
gus_massa
Or at least add a little time delay, so the colors don't give information
about each letter, only information of the final password typed.

------
JoachimSchipper
Nice. Note, though, that accurately capturing the colors will let a bad guy
brute-force the password one character at a time, which is trivial. Don't use
this if you're worried about shoulder-surfers with cameras, or just plain
don't use this with important passwords.

(Note that switching to a proper cryptographic hash does _not_ stop the above
attack.)

~~~
icebraining
_Note, though, that accurately capturing the colors will let a bad guy
brute-force the password one character at a time_

How so? Since this is generated from the hash, this attack doesn't reveal more
than a hash does, and you certainly can't brute-force one char at a time
from a hash.

~~~
CJefferson
Assuming I record the colours generated when each character is entered, then I
have a hash of just the first character. Cracking that is trivial. Then I can
go and crack the second character.

There might be a tiny amount of fuzziness if I can't exactly match the first
character hash, but it would be fairly close. I suspect it would be fairly
easy to write a computer program which even did this automatically, from a
recorded video.

~~~
skattyadz
Why not just use a video camera to watch them type on the keyboard? Plus,
mobile devices show the last character typed. You're right, but this could be
avoided by (for example) only displaying colors after 4 characters are typed.

~~~
burgerbrain
I think a better solution would be to only show the colour hash after there
hasn't been a keypress in a few seconds. This would likely be a pretty good
way of making sure you only displayed the hash after they were done typing
their password, which would prevent enabling a brute force attack.

------
charliesome
Lotus Notes has been doing this for years with a series of images instead of
colours. It's an interesting idea but I think it's more confusing than
helpful.

~~~
skattyadz
I've seen projects that generate a character or robot from a hash, and that
could be interesting here, too. I agree that it's probably more confusing than
helpful, though.

~~~
burgerbrain
In case anybody is wondering about robot hashing: <http://robohash.org/>

------
sambeau
I don't understand what problem this solves. Can anyone explain?

~~~
mkopinsky
Between stupid complexity requirements and "you can't repeat that password", I
end up with "password" on one site, "Password1" on another, and "Password1!"
on yet another. (Obviously I don't use "password" but a secure passphrase that
I only use on less-secure sites.) I don't remember which site has password,
but I could potentially remember that site X was Green-Blue-Magenta, and
correct accordingly.

~~~
brador
I just signed up to a fresh stackoverflow account and got this "passwords must
contain lowercase, uppercase and a punctuation mark" BS. It's the only site in
the last 2 years+ that I've signed up with that has this historic requirement.

I prefer the >12 character simple password to the random digit type and I'd
have expected better from a site devoted to technical experts as Stackoverflow
is.

~~~
m3koval
I hate requirements like that. My hunch is that the SE team hasn't put a
ton of thought into the account creation process because they also support
OpenID. I didn't even realize that you could login to StackOverflow without
using OpenID!

------
steren
Mozilla worked too on visual hashing:
<https://wiki.mozilla.org/Identity/Watchdog/Visual_Hashing>

Chrome extension:
<https://chrome.google.com/webstore/detail/lkoelcpcjjehbjcchcbddggjmphfaiie>

------
ebzlo
This is cool, but ultimately worthless, even detrimental to security. The only
problem this could possibly solve is that the user has to wait for a reload
before trying their password again.

For an attacker, this becomes a lot easier to break into. Let's suppose the
attacker managed to get the exact values of the RGB (perhaps screen shared).
He could run a dictionary attack or brute force on the algorithm and wait
until he gets a match. This relieves an attacker of two previous
requirements:

1. A salt, if all they had was a hash.
2. Hitting a server to check if the password is valid (thereby bypassing any
potential lockouts).

------
Maci
With more spark line:

<http://lab.arc90.com/2009/07/09/hashmask-another-more-secure-experiment-in-password-masking/>

------
huhtenberg
I think a better usage would be to show two patterns - one of the password
being entered and another for the password on file. Salt the passwords
obviously before generating a pattern.

The idea is that I have a dozen passwords, and some I use only when there
are stupid password restrictions in place, e.g. "one uppercase letter, one
digit, no special symbols". Since these restrictions are _not_ shown on the
login form, it is frequently hard to remember which password I used with this
particular site, so having a hint would help a lot.

~~~
stanmancan
The idea is nice in theory, but that would be a _huge_ security risk.
You'd be providing anyone you know with your encrypted password, as well as
the encryption method.

~~~
huhtenberg
No, why?

The server will send down a hash function, a salt and its version of a
password hash. Use something like bcrypt or PBKDF2, reduce their output by
folding or by funneling through something like CRC to mitigate the risk of
brute-forcing. Alternatively, keep salt/hash on the server side and make the
client ajax the current hash from the server.

------
LaaT
Why not do this with hieroglyphs instead of colours? I have deuteranomaly and
colours don't work for me. I remember reading 10% of the male population has some
kind of colour deficiency.

~~~
iaskwhy
Even with a deficiency you would probably be able to distinguish between
different colours, right?

~~~
LaaT
Its name escapes me, but there's a website where you enter a URL; it goes and
fetches the CSS and changes the colours such that I can't differentiate it from
the original but a normal person would. By my wife's account there are really
huge differences between the two. I'll probably not be able to distinguish
some colours where the green component makes the difference.

~~~
ydant
Here's one I've played around with.

<http://colorfilter.wickline.org/>

I'm not really clear on how it or color blindness in general works. So I don't
know if finding the filter which makes the image unchanged for me (color-
blind) is a good way of representing how the world looks to "normal" visioned
people.

~~~
LaaT
Thanks, that was it. No, it's not about representing how the world looks to
normal visioned people, it's about how we cannot differentiate between some
colours, or all colours for the worst case.

------
TobiHeidi
I don't think any user will understand it quickly enough for it to be helpful.
Nice idea though, just not mass-market usable.

------
kyberias
Why not just have one symbol (flag?) that is displayed when the passwords
match? What is the added value of displaying three colours?

~~~
klez
I hope your password is not encoded in the javascript.

And if the script tries it via asynchronous requests every time you type a
character until you give the right password, think about the network overhead
involved. And if you use this solution, how do you distinguish between a
sloppy user (that recognizes (s)he hit a wrong key and immediately corrects
it) and a bot trying to guess a password?

------
accountoftheday
The hieroglyphs from Lotus Notes are rearing their ugly heads in disguise.

------
astrodust
Wouldn't having a "show password" option be a lot better?

