
Cool, but still vulnerable to attack by someone who can record video (or with really good memory). Even though the visualization is taken from a relatively small set of three-colour triplets, an attacker who has seen the visualization for every prefix of the password has enough information to figure out the password in linear time.


There could be a little animation or delay before showing the final "hash". Only the colors for the complete password are important.

And if somebody can take video of the screen they could take video of the keyboard too, no?


Um, what? It's not like you have to be an attacker to want to film someone using a computer screen. You've never seen a Google Tech Talk? You've never been to a conference?


If someone is already shoulder surfing, wouldn't it be easier to look at the hands and keyboard than at the colour bars and asterisks?


I was thinking more of the case where someone thinks "how much information about my password could three patches of colour reveal?" and logs into their account during a recorded presentation.
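The linear-time point from the top comment and the "only the final colours" suggestion in the reply, as an added Python example that is not part of any comment in this thread. It compares how much work each design leaves to someone holding a recording. The colour scheme (three patches taken from SHA-256 of the typed text), the lowercase alphabet and the sample password are all assumptions constructed for illustration, not the visualizer's actual algorithm.

```python
import hashlib
import string

ALPHABET = string.ascii_lowercase  # assumption: toy 26-character alphabet


def colours(text):
    """Three RGB patches for the typed text (assumed scheme: SHA-256 bytes 0-8)."""
    digest = hashlib.sha256(text.encode()).digest()
    return tuple(digest[i:i + 3].hex() for i in (0, 3, 6))


def per_keystroke_frames(password):
    """Design A: colours refresh on every keystroke, so a recording holds one
    frame per prefix of the password."""
    return [colours(password[:i]) for i in range(1, len(password) + 1)]


def final_only_frame(password):
    """Design B (the reply's suggestion): nothing is drawn until typing stops,
    so a recording holds a single frame for the complete password."""
    return [colours(password)]


def recover_from_prefix_frames(frames):
    """Each frame pins down one more character given the ones before it.
    Returns (recovered text, number of hash evaluations spent)."""
    known, work = "", 0
    for frame in frames:
        for ch in ALPHABET:
            work += 1
            if colours(known + ch) == frame:
                known += ch
                break
        else:
            raise ValueError("frame does not extend the recovered prefix")
    return known, work


def worst_case_guesses(length, final_only):
    """Upper bound on guesses for a password of the given length."""
    n = len(ALPHABET)
    return n ** length if final_only else n * length


if __name__ == "__main__":
    sample = "hunter"  # constructed sample password
    text, work = recover_from_prefix_frames(per_keystroke_frames(sample))
    print("design A:", text, "recovered in", work, "guesses,",
          "bound", worst_case_guesses(len(sample), final_only=False))
    print("design B: bound", worst_case_guesses(len(sample), final_only=True))
```

With per-keystroke frames the bound grows as alphabet size times length; with a single final frame it grows as alphabet size to the power of the length, which is why the delay-until-complete design leaks far less to a recording.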



