Author Topic: Master Password confirmation indicator  (Read 11843 times)

Offline pgimeno

  • Jr. Member
  • **
  • Posts: 11
Master Password confirmation indicator
« on: May 07, 2013, 06:11:33 PM »
I've made a change to my PasswordMaker HTML/JavaScript version (my local copy of http://passwordmaker.org/passwordmaker.html) that I think can be interesting for others. It's a quick hack I made for myself, but extendable to a general-purpose feature.

The idea is as follows: have a "checksum" of short length, to confirm that the master password is correct. The "checksum" can be made of the first digits of any hash, for example; it doesn't have to be cryptographically very strong.

In my hack, there is a red space character right after the password entry field, which turns green as soon as the password is entered correctly. The "checksum" is hardcoded (as a quick hack it is) and consists of the last four hexadecimal digits of a SHA-256 of the password. That gives a probability of false positive, in case of entering the wrong password, of 1/65536. That makes me very reasonably sure that I didn't enter the master password wrong, which is especially important when creating one and has always worried me in past, making me go paranoid retyping it several times and checking if the generated value was the same every time. It's a big relief to have that now.

This is the way I devise a generalization of that option: have an input field of a short length, where you can enter up to, say, 4 digits of the "checksum" (to not give too much information about the password). Have a button to its side that generates it from the currently typed master password. Save it with the rest of the profile data. Use it to verify if the password matches the "checksum", and show an indicator of whether the password is entered correctly, which is updated as you type, as follows: if the field is empty, don't check the password; otherwise check if a certain hash of the password starts with as many digits as entered and show the result.

Now that I have it, I can not live without it :D so I thought I'd share the idea just in case it's useful to anyone else.

PasswordMaker Forums

Master Password confirmation indicator
« on: May 07, 2013, 06:11:33 PM »