
Chroma-Hash [mattt.github.com] is a jQuery plugin that dynamically visualizes secure text-field values using ambient color bars.

Password entry can be frustrating, especially with long or difficult passwords. On a webpage, secure fields obscure user input with •'s, so others are not able to read it. Unfortunately, neither can the user, who cannot tell if she got her password right until she clicks "Log In". Chroma-Hash displays a series of small colored bars at the end of field inputs so you can instantly see if your password is right.

Chroma-Hash takes an MD5 hash of the input and uses that to compute the colors in the visualization. MD5 is a one-way function, so the colors do not directly spell out the password; but they are a deterministic function of it, so the same password displays the same sequence each time. One can therefore learn to expect "blue, red, pink"; when other colors appear, the password has been mistyped. The flip side is that anyone who can record the colors can test guesses against them offline, as the comments below point out.

More information here and a Python version is available here.

6 COMMENTS

MD5, and any other secure hash, is easily reversible for short input.

To get the idea, pre-compute the hash of each character that could be the first character of the password (e.g. for a..z A..Z 0..9 etc). And convert the hash to colors as Chroma-hash does. Then, simply look up the password's first character in your table of computed colors. And do the same procedure for each subsequent character in the password.

In other words, the colors will reveal the password to a simple program able to read the color values.

As a practical matter, such a program may have access to your keyboard input anyway.

And, as a practical matter, a person looking over your shoulder is not likely to get more than the 1st character of your password. Which they could probably do by watching your fingers.

Or, put another way, don't type passwords when someone you don't trust is watching. And politely and clearly look away when someone else is entering their password.

Fri 31 Jul 2009 at 12:39 PM
Felix

Sad as it is to say, we're still using Lotus Notes in my office. However, Lotus Notes has a similar feature: as one types one's password in, an image of a keyring cycles through various attachments: a paper crane, a tag, a miniature torch, a child's building block. I know that my password is correct if I stop typing and a purple ball is attached to the ring. If I type a letter wrong, it's a different attachment.

Fri 31 Jul 2009 at 5:33 PM

This is great - the perfect visual aid for all us visual-focused keyboard (s)mashers.

Tue 04 Aug 2009 at 4:14 PM

yes, very easy with rainbow tables...

let's assume you want to crack passwords up to 10 characters in length and with the following characters: a-z, A-Z, üäöÜÄÖß, 0-9, shift+0-9, |,;.:-_#'+*~; in short, you have to store ~90 characters.

so you have to save 34867844009999998976 = 3.4*10^19 different hash values.

you need exactly 128 bits for the hash plus (at most) 10 bytes for the password (multi-byte characters not considered). therefore you need 906563944259999973376 bytes = 824515104 terabytes of space. the search time in this data is O(log n) if sorted.

please consider that you don't have a color for each character! instead you have a bunch (3?) of colors for EACH HASH VALUE!

Wed 12 Aug 2009 at 11:34 PM
knorke

okay, some numbers are wrong (python is stupid :)

90**10*16/1024/1024/1024/1024 = 507,393,910 TB data
= 90 characters, length 10, 16 byte per hash-pw-pair

Wed 12 Aug 2009 at 11:47 PM
knorke

Well, you have a nice theme on your site, but I would prefer you to download a theme from generic wp themes, as the site has good wp themes. I hope you don't mind this suggestion.

Wed 25 Nov 2009 at 8:14 AM