This is just a concept I made that allows a user to discern whether they have typed a password correctly before submitting. The user never sees their password, but should be able to recognise its pattern.
Thoughts?
by mping on 3/7/12, 11:39 AM
by cstuder on 3/7/12, 11:34 AM
A suggestion: You could reduce leakage of the first one or two characters by only starting the color display on the entry of the third letter.
by JoachimSchipper on 3/7/12, 11:40 AM
Nice. Note, though, that accurately capturing the colors will let a bad guy brute-force the password one character at a time, which is trivial. Don't use this if you're worried about shoulder-surfers with cameras, or just plain don't use this with important passwords.
(Note that switching to a proper cryptographic hash does not stop the above attack.)
by charliesome on 3/7/12, 11:23 AM
Lotus Notes has been doing this for years with a series of images instead of colours. It's an interesting idea but I think it's more confusing than helpful.
by sambeau on 3/7/12, 12:24 PM
I don't understand what problem this solves. Can anyone explain?
by steren on 3/7/12, 12:37 PM
by ebzlo on 3/8/12, 2:25 AM
This is cool, but ultimately worthless, even detrimental to security. The only problem this could possibly solve is that the user has to wait for a reload before trying their password again.
For an attacker, this becomes a lot easier to break into. Let's suppose the attacker managed to get the exact values of the RGB (perhaps screen shared). He could run a dictionary attack or brute force on the algorithm and wait until he gets a match. This alleviates an attacker from two previous requirements.
1. A salt if all they had was a hash.
2. Hitting a server to check if the password is valid (thereby passing any potential lockouts).
by Maci on 3/7/12, 1:44 PM
by huhtenberg on 3/7/12, 5:48 PM
I think a better usage would be to show two patterns - one of the password being entered and another for the password on file. Salt the passwords obviously before generating a pattern.
The idea is that I have a dozen of passwords, and some I use only when there are stupid password restrictions in place, e.g. "one uppercase letter, one digit, no special symbols". Since these restrictions are not shown on the Login form, it is frequently hard to remember which password I used with this particular site, so having a hint would help a lot.
by LaaT on 3/7/12, 11:44 AM
Why not do this with hieroglyphs instead of colours? I have deuteranomaly and colours don't work for me. I remember reading 10% of the male population has some kind of colour deficiency.
by TobiHeidi on 3/7/12, 11:49 AM
I don't think any user will understand it quickly so it would be helpful. Nice idea though, just not mass-market usable.
by kyberias on 3/7/12, 1:41 PM
Why not just have one symbol (flag?) that is displayed when the passwords match? What is the added value of displaying three colours?
by accountoftheday on 3/7/12, 10:22 PM
The hieroglyphs from Lotus Notes are rearing their ugly heads in disguise.
by astrodust on 3/7/12, 8:22 PM
Wouldn't having a "show password" option be a lot better?