[WEB SECURITY] Jakob Nielsen's Stop Password Masking

Bil Corry bil at corry.biz
Mon Jul 13 17:44:28 EDT 2009

Chris Varenhorst wrote on 7/12/2009 8:13 PM: 
> I thought this thread might be interested in two recent arc90 password
> masking experiments.  The basic idea is to meet Jakob Nielsen half way and
> mask the password so that a casual observer won't be able to get much
> information from it, but the user can still confirm they typed their
> password correctly.
> http://lab.arc90.com/2009/07/halfmask.php
> http://lab.arc90.com/2009/07/hashmask.php

Thanks for sharing these.  A few thoughts on each:

I found that I couldn't read halfmask at all, or even guess at what I had typed.  I could, however, read what I had typed if I highlighted the password.  I also found I could easily read it if I turned the gamma way up, and I could easily read it on a screen capture image where I tweaked the color curves.

As for hashmask, couldn't an attacker with a video camera deduce your password by replaying each hash image generated after every keystroke, trying every character until it matches, then moving on to the next one until your whole password has been recovered?  Even if the hash image isn't shown until you are done entering your password, it would still allow an attacker to record the final password hash image, then brute-force it off-line by comparing images without having to round-trip to the server (which is the best alert that a brute-force is taking place).

- Bil
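To make the argument above concrete, here is an added simulation (not arc90's code, and not from the thread): a stand-in hashmask that maps the digest of the typed text to a few colour cells, plus two checks showing why a recorded image is an offline verification oracle. The rendering, cell count and sample candidate list are all assumptions; real hashmask may render differently, but any deterministic rendering of a hash has the same property.

```python
import hashlib

# Assumed stand-in for a hashmask renderer: hash the typed text and use the
# first CELLS digest bytes as "colours" (constructed, not arc90's real widget).
CELLS = 6


def hashmask_image(typed: str) -> tuple:
    """Deterministic image for the text typed so far: same input, same image."""
    digest = hashlib.sha1(typed.encode("utf-8")).digest()
    return tuple(digest[:CELLS])


def keystroke_images(password: str) -> list:
    """Images a camera would see if the widget re-renders after every keystroke."""
    return [hashmask_image(password[:i]) for i in range(1, len(password) + 1)]


def consistent_candidates(observed: tuple, candidates: list) -> list:
    """Final-image case: every guess can be checked against the recorded image
    locally; the server never sees a failed attempt, so no lockout fires."""
    return [c for c in candidates if hashmask_image(c) == observed]


def prefix_leak(observed_images: list, alphabet: str):
    """Per-keystroke case: each image confirms one more character, so the work
    is len(alphabet) * length rather than len(alphabet) ** length.
    Returns (recovered_text, guesses_made); recovered_text is None if some
    character was outside the alphabet."""
    recovered, guesses = "", 0
    for img in observed_images:
        for ch in alphabet:
            guesses += 1
            if hashmask_image(recovered + ch) == img:
                recovered += ch
                break
        else:
            return None, guesses
    return recovered, guesses


if __name__ == "__main__":
    # Constructed sample values for a quick demonstration.
    wordlist = ["password", "hunter2", "letmein", "qwerty"]
    print(consistent_candidates(hashmask_image("hunter2"), wordlist))
    print(prefix_leak(keystroke_images("abc"), "abcdefghijklmnopqrstuvwxyz"))
```

The second print shows the per-keystroke variant falling in 6 guesses for a 3-character input; the same input checked only against a final image would need the full candidate space.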
