Conference Paper

Using hash visualization for real-time user-governed password validation

If you want to read the PDF, try requesting it from the authors.


Building upon work by Perrig & Song, we propose a novel hash visualization algorithm and examine its usefulness for user-governed password validation in real time. In contrast to network-based password authentication and the best practices for security which have been developed with that paradigm in mind, we are concerned with use cases that require user-governed password validation in non-networked untrusted contexts, i.e. to allow a user to verify that they have typed their password correctly without ever storing a record of the correct password between sessions (not even a hash). To that end, we showcase a newly designed hash visualization algorithm named MosaicVisualHash and describe how hash visualization algorithms can be used to perform user-governed password validation. We also provide a set of design recommendations for systems where hash visualization for password validation is performed in real time, i.e. as the user is in the process of typing their password.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the authors.

ResearchGate has not been able to resolve any citations for this publication.
Conference Paper
Full-text available
Entering text passwords on mobile devices is a significant challenge. Current systems either display passwords in plain text: making them visible to bystanders, or replace characters with asterisks shortly after they are typed: making editing them harder. This work presents a novel approach to mask text passwords by distorting them using graphical filters. Distorted passwords are difficult to observe by attackers because they cannot mentally reverse the distortions. Yet passwords remain readable by their owners because humans can recognize visually distorted versions of content they saw before. We present results of an online questionnaire and a user study where we compared Color-halftone, Crystallize, Blurring, and Mosaic filters to Plain text and Asterisks when 1) entering, 2) editing, and 3) shoulder surfing one-word passwords, random character passwords, and passphrases. Rigorous analysis shows that Color-halftone and Crystallize filters significantly improve editing speed, editing accuracy and observation resistance compared to current approaches.
Conference Paper
Full-text available
Many authentication schemes ask users to manually compare compact representations of cryptographic keys, known as fingerprints. If the fingerprints do not match, that may signal a man-in-the-middle attack. An adversary performing an attack may use a fingerprint that is similar to the target fingerprint, but not an exact match, to try to fool inattentive users. Fingerprint representations should thus be both usable and secure. We tested the usability and security of eight fingerprint representations under different configurations. In a 661-participant between-subjects experiment, participants compared fingerprints under realistic conditions and were subjected to a simulated attack. The best configuration allowed attacks to succeed 6% of the time; the worst 72%. We find the seemingly effective compare-and-select approach performs poorly for key fingerprints and that graphical fingerprint representations, while intuitive and fast, vary in performance. We identify some fingerprint representations as particularly promising.
Conference Paper
Full-text available
Important visual information often disappears when color documents are viewed by color blind people. The algorithm introduced here maps colors using the World Wide Web Consortium evaluation criteria so that detail is preserved for color blind viewers, especially dichromats. The algorithm has four parts: 1) select a representative set of colors from the source document; 2) compute target color distances using color and brightness differences; 3) solve an optimization step that preserves the target distances for a particular class of color blind viewer; and 4) interpolate the mapped colors across the remaining colors in the document. We demonstrate the efficacy of our method using simulations and critique our method in the context of earlier work.
OpenSSH 5.1 introduced an ASCII-based visualization method for the remote servers' public key fingerprints. We explain the algorithm used to visualize the fingerprints and present some initial findings about its proper-ties. Based on a Markov model and some brute-force attacks we were only able to produce some basic results. But we hope that our analysis will spur further research on this topic, so that eventually it will be found out whether the (heuristically designed) algorithm is secure enough for this purpose.
We discuss the problem of color organization and modeling in general and in computer graphics in particular. After a brief review of the Red, Green, and Blue (RGB) and Lightness, Hue, and Saturation (LHS) color models in computer graphics, a generalization of the latter, the Generalized Lightness, Hue, and Saturation (GLHS) model, is introduced, derived, and discussed. It is shown that previously used LHS color models are special cases of GLHS and can be obtained from it by appropriate assignments to its free parameters. We derive some mathematical results concerning the relation between GLHS and RGB. Using these, we are able to give a single pair of simple algorithms for transforming from GLHS to RGB and vice versa. This single pair of algorithms transforms between RGB and any of the previously published HSL, HSV, and HLS models, as well as any other special case of the generalized model. Nevertheless, they are as simple as the separate algorithms published previously. Illustrations are given of color gamuts defined by various assignments to the free parameters of the GLHS system as they appear on the display monitor under the control of a Multiple Color Model Image Display System. Finally, we discuss briefly the potential for finding within the GLHS family a model that provides the closest approximation to a uniform color space. Such a model shares the perceptual properties of a proven uniform model and, at the same time, the algorithmic properties of the GLHS family.
Two experiments were designed to determine effective colors for stimulus lights as measured by speed of detection and accuracy of identification, Additionally, the nature of the interactions between stimulus color, background color, and amount of ambient illumination were assessed. Responses to four stimulus lights, viz., red, green, yellow, and white, were evaluated against four colored backgrounds, viz., copper, tan, blue, and green, under two levels of ambient illumination. Responses of 144 subjects were also evaluated according to sex. It was found that to choose the most effective signal color in a specific situation, stimulus color, background, and amount of ambient illumination must all be considered. The overall ordering of stimulus colors as measured by speed of responding was, from fastest to slowest, red, green, yellow, and white. For errors in color naming, the order from least to most, was green, red, white, and yellow. Detection and identification were more difficult under bright ambient illumination. The addition of an identification task added about 0.25 sec. to the response times for each color.
When a person searches for a target in a cluttered visual field his eye fixations typically fall on objects. The effect of target specification on the probability of fixating different classes of objects was studied. For fields containing objects differing widely in size, color, and shape: a high proportion of searchers’ fixations were on objects of a specified color, a moderate proportion of their fixations were on objects of a specified size, and a s light proportion of their fixations were on objects of a specified shape. When two or more target characteristics were specified, fixations were generally based on a single characteristic. It is proposed that the specification of a target creates a perceptual structure which the searcher explores. The study of visual fixations, in effect, is the study of the perceptual structure.
A variety of researches are examined from the standpoint of information theory. It is shown that the unaided observer is severely limited in terms of the amount of information he can receive, process, and remember. However, it is shown that by the use of various techniques, e.g., use of several stimulus dimensions, recoding, and various mnemonic devices, this informational bottleneck can be broken. 20 references. (PsycINFO Database Record (c) 2006 APA, all rights reserved).
Current security systems suffer from the fact that they fail to account for human factors. This paper considers two human limitations: First, people are slow and unreliable when comparing meaningless strings; and second, people have difficulties in remembering strong passwords or PINs. We identify two applications where these human factors negatively affect security: Validation of root keys in public-key infrastructures, and user authentication. Our approach to improve the security of these systems is to use hash visualization, a technique which replaces meaningless strings with structured images. We examine the requirements of such a system and propose the prototypical solution Random Art . We also show how to apply hash visualization to improve the real-world security of root key validation and user authentication. Keywords: Human factors in security, hash visualization, user authentication through image recognition, root key validation. 1 Introduction Although research in securit...
Although research in security has made tremendous progress over the past few years, most security systems still suffer by failing to account for human factors. People are slow and unreliable at processing long and meaningless strings, yet many security applications depend on this skill. For example, a major problem in user authentication is that people have difficulties in choosing and memorizing secure passwords. In this paper, we have investigated how the usability and security of user authentication systems can be improved by replacing text strings with structured images. Keywords Security, passwords, authentication, user interface
How to Generate Random Colors Programmatically
  • Martin Ankerl
Martin Ankerl. 2009. How to Generate Random Colors Programmatically.
Original website defunct at the time of printing
  • Andrej Bauer
Andrej Bauer. 1998. Gallery of random art. Original website defunct at the time of printing, now located at http: //
The effect of background luminance and contrast upon visual search performance
  • M Robert
  • D E Boynton
  • Boss
Robert M. Boynton and D. E. Boss. 1971. The effect of background luminance and contrast upon visual search performance. Illuminating Engineering 66, 4 (1971), 173.
Ssh Key Fingerprints, Identicons, and ASCII art
  • Tyler Cipriani
Tyler Cipriani. 2017. Ssh Key Fingerprints, Identicons, and ASCII art.
Website defunct at the time of printing
  • Terrence Cole
Terrence Cole. 2011. Vash. Website defunct at the time of printing, archive copy available at https://web.archive. org/web/20120428001217/
more-secure-experiment-in-password-masking/ Website defunct at the time of printing
  • Chris Dary
Chris Dary. 2009. HashMask. hashmask-another-more-secure-experiment-in-password-masking/ Website defunct at the time of printing, archive copy available at //
Password Visualization beyond Password Masking
  • Nils Gruschka
  • Luigi Lo Iacono
Nils Gruschka and Luigi Lo Iacono. 2010. Password Visualization beyond Password Masking. In Proceedings of the Eighth International Network Conference (INC 2010), Udo Bleimann, Paul S. Dowland, Steven Furnell, and Oliver Schneider (Eds.). University of Plymouth School Of Computing, Communications And Electronics, 179-188.
Remove password masking
  • Jack Holmes
Jack Holmes. 2014. Remove password masking. http://
VizHash GD -a visual hash
  • Sébastien Sauvage
Sébastien Sauvage. 2011. VizHash GD -a visual hash. https://
The Pros and Cons of Password Masking
  • Bruce Schneier
Bruce Schneier. 2009. The Pros and Cons of Password Masking. https: //
Mobile Design Details: Hide/Show Passwords
  • Luke Wroblewski
Luke Wroblewski. 2012. Mobile Design Details: Hide/Show Passwords.