Chroma-Hash, Revisited
Based on a resurgence of interest in Chroma-Hash (hi reddit!), I thought it’d be useful to revisit this oft-misunderstood project.
If you haven’t already seen it already, you should check it out. Even if you have, you might want to play around with it again to see if any new insights come to mind (go ahead, it’ll only take a minute).
Chroma-Hash has been a particularly interesting project because of the controversy it creates in discussions. Some people won’t understand how it could ever be useful, while it couldn’t be any clearer to others. There’s often a back-and-forth about the potential security risks of the system and the pragmatics of how those risks are insignificant.
I’ve learned a lot from reading through these various threads, and I wanted to share some of my thoughts to help bring light to the discussion. Or maybe just fuel the fire, perhaps.
Alright, let’s get right to it then:
So what’s The Point?
Good question! It started out as a simple UI experiment, but it soon developed into something that I think could be really useful. Here are some of the use cases that emerged from various feedback and iterations:
Use Case #1: Password Confirmation
Perhaps the most obvious use case from the demo, Chroma-Hash allows you to quickly compare the contents of two secure text fields. It’s common for a signup flow to ask you to type your password twice (to make sure you didn’t mistype it). With this visualization, a user can instantly check to see if what she typed was the same each time, without having to submit the form.
In a similar vein to password confirmation at signup, Chroma-Hash can be helpful when logging in from day-to-day. Whenever you log into your webmail or your favorite social network, you could expect to see your signature color combination. If not, you’d know that you somehow fudged it along the way. Especially for sites with 3 strike lockouts, Chroma-Hash could save a lot of needless frustration.
Use Case #2: Anti-Phishing Mechanism
As you might have caught on from the last use-case, Chroma-Hash could be effective in mitigating the risk of a phishing attack. Similar to the account-specific images that online banking systems recently added, your password becomes a visual signature that you can look for. Websites can securely serve unique color signatures by issuing a hash salt through a browser cookie, for instance.
Let’s say you go to a site that you think is PayPal. If you start to type your password and you’re getting unfamiliar colors (or no colors show up at all, for that matter), you’ll know something’s fishy.
Use Case #3: Password Strength Feedback
Let’s think back to signup flow: When creating a Google account, for instance, you’ll get visual feedback of the strength of your password as you type it in. Stop after 5 characters, and a partially-filled red bar will accompany a message telling you to pick something stronger.
Similarly, Chroma-Hash has a parameter to specify the minimum number of characters before colors start to display. Until that threshold is reached, all the user will see are boring, gray bars. It’s more implicit than using strong colors and words, but there’s something to be said about ambient feedback, no?
Use Case #4: Clipped or Constrained Input Feedback
Let’s say you’re like me, and you go a little over-the-top with passwords. Although it’s a bit of an edge case, Chroma-Hash can be useful for providing visual feedback when a user types beyond the boundaries of a field.
Conversely, if there is a cap on the maximum amount of input, the lack of visual feedback, in that colors stop changing even though you keep typing, can just as well provide a cue to stop.
Objections, Concerns, and Questions
Reading through various threads on reddit and Hacker News gave me a much deeper insight into everything from aesthetics and usability to security and information theory. A lot of feedback was immensely useful, and helped take Chroma-Hash to that next level.
There may still be some legitimate usability or security concerns, but after several iterations, I’m confident that Chroma-Hash is a robust UI component. That said, I’d love to be proven wrong so I can continue to improve it even more.
For your consideration, here are some common concerns that are raised, along with my response to them.
“MD5 Is Weak”
From my understanding, a weak hash function is exactly what makes something like MD5 well-suited to this application. Usually, a hashing function is rated on its aversion to collision. For instance, if you are taking a checksum of a file, you’d want to be confident two files with the same checksum have the same content—otherwise, no collisions.
In the case of Chroma-Hash, collisions add security. If passwords have the same checksum, it makes it harder to isolate which one a checksum represents. Collisions are good for the purposes of the visualization. Collisions are what make security possible with Chroma-Hash.
“Knowing the Colors is Knowing the Password”
Although Chroma-Hash seems to cover the entire spectrum, it’s actually constrained to a limited palette. Small palette means more collisions, which means that it’s more secure. Here are two techniques that are used to minimize the use of colors:
-
Grayscale Threshold - As mentioned in Use Case #3, colors don’t show up below a specified number of characters (by default, 6). Instead, the bars display in 4-bit monochrome. Not only are the colors difficult to differentiate based on plain eyesight, but within that range, you are nearly guaranteed to have collisions. Bump up the minimum, and it becomes exponentially more difficult to trace through to the final password.
-
Least-Place Crushing - Above the grayscale threshold, the range of colors are still constrained. Based on a great insight by Ian Young, the least place of a hexadecimal color can be rounded down without compromising aesthetics. For instance, the color #CE2029 is nearly the same as #C02020, but the latter could be any one of 3375 colors. Since humans can’t perceive these slight differences, the extra (leaky) detail is removed without cost. Your password still looks like “Red Green Purple” with or without that extra place.
This naturally brings us to…
“What About Colorblind People?”
Consider the last points about grayscale and constrained palettes. Although I’m not colorblind myself, I would suppose that having some form of colorblindness is comparable to these two examples. In an extreme case, in which someone could not differentiate any color at all—everything is grayscale—you could still use Chroma-Hash.
The only snag is that without perceiving the additional color information, they have a greater chance of colliding, as you see it. Because one-off input is unlikely to be consistently similar one could imagine this system as still somewhat useful (expected dark gray, black, white; got light gray, white, black: no match).
“Chroma-Evangelism” OR “The Many Colors of Chroma-Hash”
Last but not least, I wanted to point out some of the awesome contributions other developers have made to this whole experiment. They took the ideas behind Chroma-Hash and ported it to their favorite libraries and languages, and added so much more along the way. I’m truly humbled by your contributions.
Also, an Objective-C port and sound-based version by me:
Interested? Feel free to fork Chroma-Hash and make something even cooler!
Finally, a Shout-Out
I would be remiss without mentioning the main inspiration behind Chroma-Hash, HashMask by Chris Dary of Arc90. Cheers, Chris!
[...] go check out the more recent blog post about Chroma-Hash for a better and more up-to-date explanation of [...]
Why not just map the colors to the asterisks or dots themselves or am I fundamentally missing something? The colors would of course be meaningless to anyone else watching over your shoulders.
@Tom: Because that’s even more fundamentally less secure than a normal password. Say you watch your boss type in his password. You see 6 asterisks. Not much help. With your suggestion, you see 6 asterisks, for example, in the order blue red red orange green orange. Now you have far more to go on. You can try his wife’s name, pet’s name, favourite team, etc, and see if any match. Here’s the kicker: if it has a three strikes and out policy, this bypasses it. You’re not submitting it, but you can still try out various passwords.
I think it solver a very real problem but it also, as said before, leak valuable information about your password. My suggestion is to add a delay, before showing the color information. Passwords usually are typed very fast and the inter-key information is much more valuable then the end result alone.
If the feedback shows color for every, say two or three keys, the leaked information would be much lower.
for the colorblind you’d only need to add a few symbols / gradients to the colors that are close. also just fyi colorblind people have normal white-black colors since those rods are different… its the colorful shades that present the trouble
@Victor: There’s an intentionality in design here. You’ll note that, on key presses, the colors do not instantly change; they fade. If you type quickly, then the colors will fade quickly and constantly change fade destination so that inter-key data can not be gathered by over-the-shoulder means (which is the only real danger, right?)
[...] http://mattt.me/2009/11/chroma-hash-revisited/ a few seconds ago from BeTwittered [...]
One point I’d make regarding the “anti-phishing” functionality: this only works well when the feedback is known well by the user.
I’m far more likely to remember a picture and phrase that I chose — as my bank allows — than a series of colors that I cannot directly control.
Add to that sites using a salt, and the usefulness plummets.
@matt To avoid brute force attack you can make an easy fix, change:
salt: {value: “7be82b35cb0199120eea35a4507c9acf”}
to something like
salt: {value: hex_md5(new Date().getTime()) }
IBM explored something similar to this, in the login dialog of lotus notes (i’ve used 5.5-6.5, don’t know about other versions). always thought it was pretty useless. you press enter and if it’s wrong you retype it. quicker and easier than remembering to check some image before pressing enter. http://lotusnotessucks.4t.com/lnEx01.html
Better Password Input Fields: Chroma-Hash…
Chroma-Hash is a jQuery plugin that aims to offer a better password input experience.
The Problem:
A standard password field replaces the entered characters with "●" characters. The problem is "we never know if we made a typo or …
is this “idea” free? i mean is it patented or something that can be used to freak out the people who use it ?
[...] P.S. A detailed info on the method & security concerns can be found at the developer’s related post. [...]
@gnulover The idea came in response to a series of approaches to this genre of password masking (which includes Lotus Notes, as mentioned by @lotus). By far the most influential of which was the venerable Arc90 Labs’ HashMask by Chris Dary. Chroma-Hash is licensed under the MIT License, and is freely available for use.
I’m gonna be a Negative-Nancy here and tear down what I think is a great effort. I think your intentions are good and what you’re seeking (elimination of the status quo in UI design) even better. You’re obviously very talented at design and I don’t think your idea is terrible for all purposes. We need people thinking out of the box, and I’m happy about your innovation efforts but I don’t think this particular solution nailed it.
My purpose with this rather unorganized brainstorming post is to point out to you and other webmasters why this thing isn’t what we currently need on most web sites. (Chroma-Hash considered harmful.)
I think this solution becoming widespread would create usability and security problems, in addition to solving no new problems.
* Use case #1: The password confirmation problem has been solved in a way that users are comfortable with—checkmarks when the passwords match.
* Use case #2: Coupled with something else, I think the use case of anti-phishing is the best use case. The reason it cannot stand alone, is that you will want the user to know that they’re on the wrong page before they start entering the password. This is because a potential phishing site is able to submit whatever’s written in the password field with AJAX, without the user submitting the form. This would be a value-adder for a community that understands and appreciates the Chroma-Hash construct, as every anti-phishing measure that captures the attention of a user before submission (assuming there’s not an AJAX auto-submit) is good.
* Use case #3: The password strength problem has been solved in a way that users are comfortable with (see popular services). I would argue that those solutions are clearer and more informative. I also don’t think coupling Chroma-Hash with such an element would be an aesthetic solution.
* Use case #4: Yet, if you choose a long password (like I do), you’re probably security-aware and hence don’t want this, and chances are you’re a fair typist and don’t make a lot of errors. Most people probably type their password fast enough that the pattern hasn’t updated before they move on to the next letter. Should they stop in the middle of their 14-character password, and memorize or compare a combination to see if it still matches? It seems to me that to the experienced user, that would take more time and and a different approach from what user would do on all other web sites.
In the context of use case #1, I want to point out:
* It’s innovative and beautiful.
* It doesn’t do what the user expects, and it’s not worth teaching the user because it solves no new problem. It also takes ages to educate a majority of Internet users about a new construct, so it had better be good.
* It creates accessibility problems for the color-blind, which you’ve addressed to some extent, but probably ends up in a worse solution than checkmarks after the password matches. (If it’s a quarter as bad as me trying to see the difference when it’s in grayscale, then it’s terrible.)
* It solves the problem of password matching no better than a check after the field. To make matters worse, there are undeniably some security implications (you *cannot* say there are none, although they may sometimes be acceptible), and that makes it immediately worse than checkmarks if the fields match, in terms of security.
* This is inserted at a page where most web sites don’t want to lose visitors (registration pages) to something users are not expecting and are not familiar with.
* The concept itself requires explanation to users. This will further clutter a registration page (in addition to the pain of not using something the user is familiar with), instead of using checkmarks and Keeping It Simple, Stupid. The grayscale-until-valid case requires more explanation, which will additionally complicate the interface if the user actually reads it (which I assure you, he or she won’t).
* I’ve read some of the discussion about this, but not all of it. However, I haven’t yet seen anyone argue that this actually requires more focus, attention and thinking than the checkmark approach. It’s not rocket science, but from research we know that internet users are extremely lazy and seem to be put off by the slightest amount of cognitive effort.
Where this solution excels, is in the domain of aesthetic and being ice cold (which, according to a prominent band, is cooler than being cool). I think this would be a great thing for sites where the targeted users are experienced internet users, familiar with or willing to learn this construct and there isn’t an emphasis on security.
Thank you for your sharing your ideas. While I’m not particularly fond of this particular mechanism, it’s the best contribution to this problem I’ve seen in awhile. This doesn’t seem like a simple problem, but a simple solution probably exists, waiting to be found by experimenters like you (http://www.iconeye.com/index.php?option=com_content&view=article&id=3864:rca-student-radically-improves-the-uk-plug).
@Friðrik Thanks for your spirited and meticulous feedback. I might point out that while there exist individual solutions for all of the use cases that I outlined in this post, I can’t think of any current ones that cover all of them at the same time. One single solution to all of these use cases would be arguably simpler.
All paradigm shifts in UI, back to the original desktop metaphor and as recently as new Ajax interactions took time for people to get used to. When people say something is intuitive, they usually mean to say that its familiar. Who knows what will happen to Chroma-Hash in the long run?
really nice, thanks for this
but as i don’t like jquery, i made a MooTools port of it
if somebody wants it, you can get it here: http://www.mediafire.com/download.php?ndwzkqnjigm
its not perfect but it works nice
[...] http://mattt.me/2009/11/chroma-hash-revisited/ a few seconds ago from Choqok [...]
[...] Chroma-Hash, Revisited It started out as a simple UI experiment, but it soon developed into something that I think could be really useful: Password Confirmation, Anti-Phishing Mechanism, Password Strength Feedback, Clipped or Constrained Input Feedback. (tags: ui forms login) [...]
There is a slight bug in the github demo page, the fading stops when the field is unfocused, so if you type the password correctly twice, but tab very quickly out of the field (as I do) the hashes don’t match. I suggest that when focus is lost, the colours should be set to their final values abruptly.
[...] kann man bereits am Farbcode erkennen, ob man sich verschrieben hat. Die Nützlichkeit des Plugins ist äußerst umstritten. Machen Sie sich selbst ein [...]
I know, it won’t solve any of the global problems, but it’s a nice addition to a subsciption form. It’s new, it’s fresh, it’s creative.
That’s a brilliant idea indeed.
A fabulous idea. I have a suggestion which I didn’t see mentioned.
Why not have the username form part of the hashing?
That way, if the chroma-hash is off - and I’m sure I typed the password correctly - I can see that it’s my username which has been misskeyed.
Anyway, top idea - well done.