Half a croissant, on a plate, with a sign in front of it saying '50c'
h a l f b a k e r y
"Bun is such a sad word, is it not?" -- Watt, "Waiting for Godot"

idea: add, search, annotate, link, view, overview, recent, by name, random

meta: news, help, about, links, report a problem

account: browse anonymously, or get an account and write.

user:
pass:
register,


           

Please log in.
Before you can vote, you need to register. Please log in or create an account.

Password hash

You have 3 attempts to type in your password,
 
(+1, -1)
  [vote for,
against]

Why not memorise an additional number which is a hash of the password that you can display on the login form to prove you got the password typed right before you waste an attempt

Lotus notes did this

chronological, Mar 19 2024

[link]






       Someone looking over your shoulder may be unsure exactly what password you've just typed in. However, if they've got a few of the letters from watching you type, and they know the hash (because it's displayed on screen), then it's a much simpler task to 'brute-force' guess the remaining letters until the hash is correct.
hippo, Mar 19 2024
  

       If you lock yourself out of your Google account, it's gone for good, there's no customer support.   

       There must be an amendment that solves hippo's mentioned problem with this scheme.   

       Good security advice is that you have a different password for every account that you own. This means that you should memorise a different secure password for every service.   

       Banks, email, pension, shops, employer passwords and so on   

       If you lose your phone and use a password manager and you have 2FA enabled, you have 3 attempts.
chronological, Mar 19 2024
  

       //Someone looking over your shoulder may be unsure exactly what password you've just typed in. However, if they've got a few of the letters from watching you type, and they know the hash (because it's displayed on screen), then it's a much simpler task to 'brute-force' guess the remaining letters until the hash is correct.//   

       Actually, that's not /necessarily/ the case. Not to any significant degree, anyway.
I mean, the 'user memorised hash' doesn't have to be a big complicated cryptographically secure hash, because if I understood the idea correctly, its purpose is just for client-side user confirmation.
It could be more like the 'check digit' of a credit-card number. I'd go for something like two alphanumeric characters, that is, 1296 values. Or maybe actually just a subset of that - 1024 values (or even, 256), to make the calculation straightforward. It doesn't have to be stored server-side. It would be something shown as they type, so they could confirm that the value they've entered has a good chance of being correct. With long passwords you can't check on the screen, or short passwords with numbers and symbols, it would be very handy.
  

       When the user enters a password, they would be shown the short hash of what they typed. Obviously on a correct password a shoulder-surfer could learn this information, which marginally improves their chance of cracking it. But they can do better - if the hacker is already watching them type, the doors are kind of already blown clean off any security.
Loris, Mar 19 2024
  

       A hash is a dish consisting of chopped meat, potatoes, and fried onions. If you substitute the potato element of this dish with alphabet pasta (known as alphabetti spaghetti in the UK), you could make a genuine password hash.
hippo, Mar 20 2024
  

       I would reduce the hash to 4 icons. If I've typed it correctly I'll see duck, stapler, peanut, walrus.
Voice, Mar 20 2024
  
      
[annotate]
  


 

back: main index

business  computer  culture  fashion  food  halfbakery  home  other  product  public  science  sport  vehicle