[umbrae]

Well, as the author, I feel I better defend myself here.

A: It only uses the first 20 bytes of the hash. You could narrow it down from this if you were really determined, but you'd not be able to reverse it.

B: The visualization of the sparkline doesn't have the fidelity to determine between characters 6 and 7. So you'd have a range of possible characters.

C: The alternative being suggested by Jakob Nielsen is no masking at all ( http://www.useit.com/alertbox/passwords.html ) - which is less secure? I know this isn't the best argument, but it still is -an- argument.

With that out of the way, my paranoid mind agrees with you in this context: just masking the passwords is the more secure solution. But that doesn't mean that experiments to provide a more usable approach with (arguably) equal security should be avoided.

[tptacek]

(a) This sentence doesn't make any sense. You can't "reverse" full SHA1 any more than you can "reverse" truncated SHA1. And SHA1 hashes are only 20 bytes long. Reversing isn't the attack.

(b) The goal of the attack isn't to magically conjure the password; it's to magically conjure a searchlist of several tens of passwords, which is a game-changing improvement over a searchlist of, say, 72^8 passwords, or even tens of thousands of dictionary words.

(c) The alternative suggested by Jakob Nielson is manifestly and categorically asinine.

Good on you for a finding an application for visualizing a SHA1 hash. You score maximum points for cleverness. But now you should retire this idea.

[umbrae]

(a) I wrote in haste. Obviously it's a one way hash and unreversible. Additionally, I meant the first 20 characters, which is half of the full hash.

(b) Obviously. Still extraordinarily difficult given this implementation IMO. But I take your point genuinely.

(c) Agreed.

If you weren't so friggin inflammatory I'd think we could come to a conclusion here. I could definitely be using a more lossy visualization to be more secure. This is something I'll look into, even though I'm sure you'll still consider it 'retarded' even if it helps your grandma login to her googles more often, making you get less phone calls to fix it as a result. She's got that palsy you know.

[tptacek]

You think running a dictionary through SHA1, generating little sparkline graphs for each hash (the same way you did in like 10 lines of JS code), and then carving the image into sectors and counting matches is "extraordinarily difficult"? Everything you need to do it is, I think, in Mochikit.

You get full props for grandma, her googles, and the palsy, although anything you could do to allow either of my grandmothers to log into the googles would qualify you for much more than HN props. I'm sorry you think I'm inflammatory, except you and I both know I'm not.