HashMask

Lab Project

HashMask is an attempt to find a more secure middle ground between clear and masked passwords. It does this by visualizing a hashed representation of the password as a sparkline with color – the intent being that the user would become familiar with this image and be able to easily confirm that they typed the right (or wrong) password.


Demo

Why?

My original experiment, HalfMask, produced lots of good discussion, which is exactly what I had hoped for. As security expert Bruce Schneier said recently, password masking is not a panacea. Finding a solution that provides both security and usability is the goal.

As with HalfMask, HashMask is purely an experiment. I’m not suggesting that this is the best middle ground between clear and masked passwords. I am just hoping to get the community thinking about different approaches.

How does it work?

HashMask is a jQuery plugin that will produce a unique and non reversible visualization of a users password. The hope being that they would be able to confirm that they entered their password correctly, but no one else would. It also degrades gracefully so that users without javascript or a poor browser (IE6) will just see a password field.

Technically speaking, it uses a subset of the sha1 hash of the password as the seed for the sparkline’s shape and color. It should be relatively safe from reverse engineering as a result. There is the potential to estimate a possible range of characters of the first section of the hash, but overall this should be a extremely low risk.

Can I use it?

HashMask is still alpha-level software, but it should be relatively safe to use on an experimental basis if you are interested. It should work on Firefox 3, Safari 4 and IE6+. It’s available here, as well as on google code.

Download

Click on the icon to go to the download directory at google code:

Download

Additionally, you may view the source directly in google code.

License

HashMask is released under the BSD license.

Room for Improvement

I personally like this approach much better than HalfMask. It’s more secure at the loss of slight usability. That said, there is room for improvement, specifically with regard to more memorable and elegant visualizations. A colored sparkline works, but it’s not ideal. If you have suggestions, please let me know or feel free to fork and implement!

Discuss

Any feedback on the concept is welcome – feel free to post it on the Arc90 Blog, or Follow me on Twitter.