Password Masking and Chroma-Hash

31 Jul 2009 - 11:09am
Yohan Creemers
2008

An experiment from Mattt Thompson in how to visualize the input of
masked password fields:
http://mattt.github.com/Chroma-Hash/

Some explanation taken from his blog:

Chroma-Hash displays an ambient color representation of the input as
it is being typed.

Use Case 1: Login Check
If your password normally is represented as “red, purple, orange”,
and after you’ve finished typing you see “pink, green, grey”, you’ll
know you mistyped it somewhere along the way. This avoids a
potentially long wait for the server to respond with a “failed login”
notice.

Use Case 2: Password Confirmation
When you sign up for a web service, you often have to type your
password twice to make sure that you entered what you wanted
correctly. As in the demo, a user will be able to confirm that two
fields are the same visually. There are, of course, many alternatives
for live-input validation of password confirmation, but this is
another viable use case for Chroma-Hash.

http://mattt.me/2009/07/chroma-hash-a-belated-introduction/

See also a recent discussion about password masking
http://www.ixda.org/discuss.php?post=43168

- Yohan

Comments

31 Jul 2009 - 11:39am
pyces
2007

Neat, but he doesn't address color-blind users. Maybe showing small
pictures or symbols would address the needs of these users (I know
there's already a few sites that use something like that where you have
to either choose the picture that you chose as your password or check
the associated image once you login with a text pwd). Does anyone else
have ideas on how to make that accessible for color-blind users?

Thanks,
Courtney


31 Jul 2009 - 11:51am
Anonymous

My first reaction to trying this was "wow, awesome!" My second reaction was
"hey, my favorite password is ugly. I need to change it to something
prettier."

Would be very interested to know if it would somehow be able to generate
more secure passwords as more aesthetically pleasing, thus manipulating
folks into better security for the greater good. Talk about behavior
modification in design!

anne


31 Jul 2009 - 2:59pm
Bob Sampson
2008

"Does anyone else have ideas on how to make that accessible for
color-blind users?"

Maybe having the color letter in the color itself? Say yellow, red,
green you could just have a Y R G in the colour itself. Otherwise I
know for myself (guy and colour-blind), Yellow, Red, Green would
probably look the same as Yellow, Green, Red.

And as for symbols, I don't know. Is this protected from being
"reverse-hashed"? If someone can take 4 symbols and reverse the
process into your textual password then you might as well just get
rid of the %u2022%u2022%u2022%u2022%u2022 and make it plain text.

But personally, as neat as this is, I just don't see it being any
real value in usability. We all know how to type in passwords.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Posted from the new ixda.org
http://www.ixda.org/discuss?post=44293

31 Jul 2009 - 3:02pm
Bob Sampson
2008

p.s., those %u2022 were supposed to be bullets :)


1 Aug 2009 - 4:12am
Sascha Brossmann
2008

On Fri, Jul 31, 2009 at 18:39, Jordan, Courtney<CJordan at bbandt.com> wrote:
> Does anyone else have ideas on how to make that accessible for color-blind users?

Maybe well distinguishable patterns instead of or combined with colours.

- S.

1 Aug 2009 - 12:50pm
missu
2009

That is cool, but I agree with Courtney. It does not help color blind
people. Icons or pictures would be more useful than colors. They
could even use smiley faces so if the password is not secure, it is
an unhappy face. If it is very secure, it is a very smiley showing
teeth happy face. Just a thought.

--Ulina


1 Aug 2009 - 3:20pm
Adrian Howard
2005

On 31 Jul 2009, at 12:45, Sajitha Jose wrote:

> Chroma Hash is definitely visually appealing!! But isn't it plain too
> easy for all the hackers out there to just look at the color changes
> and start figuring out your password?

Nope. The hashing functions used are the same sort of thing used to
securely store passwords. It's easy to go from the password -> hash.
Very, very, very, very, very hard to do the reverse.

Adrian
--
http://quietstars.com - twitter.com/adrianh - delicious.com/adrianh
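
Added example, not part of the thread and not Chroma-Hash's own code: a JavaScript (Node.js) sketch of the idea discussed above, where each colour bar is taken from the bytes of a hash of the input. SHA-256, the `salt:input` layout, the salt string, the `bitsPerChannel` parameter and the sample inputs are assumptions made for illustration. It covers the two use cases from the first post and counts how many digest bits the display puts on screen at full and at coarsened colour depth.

```javascript
// Added example (not Chroma-Hash's own code): colours derived from a digest.
const { createHash } = require("crypto");

// Assumption: SHA-256 over "salt:input"; each bar takes 3 digest bytes (R, G, B).
// bitsPerChannel < 8 keeps only the top bits of each byte, coarsening the colour.
function chromaBars(input, salt, bars = 3, bitsPerChannel = 8) {
  const digest = createHash("sha256").update(`${salt}:${input}`).digest();
  const mask = (0xff << (8 - bitsPerChannel)) & 0xff;
  const out = [];
  for (let i = 0; i < bars; i++) {
    const rgb = [...digest.subarray(i * 3, i * 3 + 3)].map((b) => b & mask);
    out.push("#" + rgb.map((b) => b.toString(16).padStart(2, "0")).join(""));
  }
  return out;
}

// Digest bits that anyone looking at the screen can read off the bars.
function exposedBits(bars, bitsPerChannel = 8) {
  return bars * 3 * bitsPerChannel;
}

// Number of different displays a set of inputs produces.
function distinctDisplays(inputs, salt, bars, bitsPerChannel) {
  const shown = inputs.map((p) => chromaBars(p, salt, bars, bitsPerChannel).join(""));
  return new Set(shown).size;
}

// Constructed sample values, not real passwords or a real site salt.
const SALT = "example-site-salt";
const samples = Array.from({ length: 200 }, (_, i) => `sample-password-${i}`);

function demo() {
  const typed = chromaBars("correct horse", SALT).join();
  return {
    typoDetected: typed !== chromaBars("corect horse", SALT).join(), // use case 1
    confirmMatches: typed === chromaBars("correct horse", SALT).join(), // use case 2
    fullBits: exposedBits(3), // 3 bars at 24-bit colour
    fullDistinct: distinctDisplays(samples, SALT, 3, 8),
    coarseBits: exposedBits(1, 1), // 1 bar, 1 bit per channel
    coarseDistinct: distinctDisplays(samples, SALT, 1, 1),
  };
}

console.log(demo());
```

The fewer bits shown, the less an onlooker can confirm about the input, and the more likely a typo produces the same colours and goes unnoticed.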

2 Aug 2009 - 4:26pm
Fredrik Matheson
2005

If I remember correctly, Lotus Notes hashes password entry with a random
number of X's, but cycles between different icons as you type to help you
confirm that you've typed the right number of characters.
Might be worth looking at.

2 Aug 2009 - 5:00pm
Santiago Bustelo
2010

Lotus Notes' confusing and distracting login window, as the whole app
itself, found its place in the Interface Hall of Shame:

http://homepage.mac.com/bradster/iarchitect/lotus.htm

--

Santiago Bustelo, Icograma
Buenos Aires, Argentina

//// IxDA BA is the first local Spanish-language group.
//// We look forward to seeing you! http://www.ixda.com.ar


3 Aug 2009 - 11:48am
Hines, Mark
2007

@Jordan Dobson

"I don't see how being color blind would be an issue.

I believe most can still see color but just not the entire spectrum.
They would just end up with a different version of colors."

It's not quite that simple. While most of us with colorblindness can "still
see color" we perceive them differently and have varying levels of ability
to distinguish one color from the next. As someone who is red-green
deficient, the most common deficiency I believe, it's not just that I see a
different "version" or shade of green. I also have a hard time
distinguishing some reds from some greens because they appear similar to me
(My wife brought two "green" peppers to me in the store. I said we needed a
"red" one too. She held up the "red" one to let me know we were covered).
What's more is that colors with red or green in them (purples look blue,
browns can be red or green, and forget about salmon or fuchsia) can be
problematic (And it's getting worse as I get older). Contrast will certainly
help but doesn't that add another dimension to it? How do you explain this
concept to users? If you can perceive colors do this? If you can't perceive
colors do this?

Given the variations in perception that are only exacerbated by other random
elements such as monitors, tiny swatches (grr) and age (which affects both
perception and acuity) I don't see how this model would be appropriate for
something as critical as logging in.

Mark Hines.

3 Aug 2009 - 12:41pm
Christian Crumlish
2006

for accessibility, any reason why the concept couldn't be abstracted to
other senses, such as a recognizable tone sequence?
-x-

3 Aug 2009 - 1:15pm
Thuy Vuong
2008

Where can I find info on Interaction 2010? Planning next year budget
and can't find any details on http://interaction.ixda.org/.

