
Monday, March 5, 2012

Visualize your password age

Quick add-on download link:  Firefox

As I've written about before, I've been thinking a lot about applying data visualization to oft-ignored security problems. A vague notion like "I should be changing my passwords more often" can hang over your mind without actually changing your security habits. Without a firm idea of "which passwords" and "more often," it's likely you won't actually act on these good intentions.

A good visualization turns data into an actionable story. I thought about how to visualize password age, and here's what I came up with:



This is a bullet graph. You can think of it as a series of timelines. On the left, you can see a visual hash for each of your passwords. Each bar shows how many days it's been since you first used that password.

Once a password has been used for over 200 days, its bar turns red. Every time I've used that password on a new site, a black tick marker appears on the timeline. Looks like my oldest passwords are my most frequently used. Uh-oh.

Of course, the data here comes from your browser's password manager. Your passwords may be older than shown here, and you may use them on sites other than the ones it knows about. It's important to establish that this visualization can only show you a "best-case scenario."
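The rows behind a chart like this can be computed as follows. This is an added example, not the add-on's code: it assumes each saved login carries a creation timestamp in milliseconds (Firefox's login metadata has a `timeCreated` field; whether the add-on reads it is an assumption), and the sample logins are constructed.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;
const STALE_DAYS = 200; // the post's threshold: bars turn red past 200 days
const NOW = Date.UTC(2012, 2, 5); // fixed "today" so results are reproducible

// Constructed sample logins (not real credentials); timeCreated is ms since epoch.
const ageSample = [
  { hostname: "mail.example", password: "old-shared", timeCreated: NOW - 275 * DAY_MS },
  { hostname: "shop.example", password: "old-shared", timeCreated: NOW - 120 * DAY_MS },
  { hostname: "forum.example", password: "old-shared", timeCreated: NOW - 30 * DAY_MS },
  { hostname: "bank.example", password: "fresh-unique", timeCreated: NOW - 40 * DAY_MS },
];

// One row per distinct password, oldest first. Rows carry a label, never the
// password itself. Ages are a lower bound: the store only knows when the
// browser first saved each login, which is the "best-case scenario" caveat.
function passwordAgeRows(logins, now) {
  const byPassword = new Map();
  for (const { hostname, password, timeCreated } of logins) {
    if (!byPassword.has(password)) byPassword.set(password, []);
    byPassword.get(password).push({ hostname, timeCreated });
  }
  const rows = [];
  for (const uses of byPassword.values()) {
    uses.sort((a, b) => a.timeCreated - b.timeCreated);
    const first = uses[0].timeCreated;
    const ageDays = Math.floor((now - first) / DAY_MS);
    rows.push({
      ageDays,                       // bar length
      stale: ageDays > STALE_DAYS,   // red bar
      // tick marks: days after first use at which the password reached another site
      ticks: uses.slice(1).map((u) => Math.floor((u.timeCreated - first) / DAY_MS)),
      sites: uses.map((u) => u.hostname),
    });
  }
  rows.sort((a, b) => b.ageDays - a.ageDays);
  return rows.map((r, i) => ({ label: `password #${i + 1}`, ...r }));
}

console.log(passwordAgeRows(ageSample, NOW));
```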

That said, if you're like me, and have been using a password for no less than 275 days, you know where you can start improving your security. Now you know!

This add-on is available for Mozilla Firefox. After it's installed, open it by clicking on the small red padlock icon on the add-on bar.

If you find it useful, send me your thoughts, and consider taking a look at my code.

As previously, this add-on was built with the brilliant d3.js library, which comes with handy example code for generating bullet charts.

Tuesday, January 17, 2012

Visualize your password reuse

Quick add-on download link:  Firefox

If you're like most browser users, you have an unfortunate tendency to reuse the same password across websites. As we're about to see, I've been plenty guilty of this in 2011. Have you decided on a New Year's resolution yet?

It's a hard habit to break, because it's hard to tell where to start. Which passwords are you using the most? Right now, Firefox isn't that much help...





It seems like this data could benefit from better visualization. Inspired by a brilliant add-on called Collusion, I built this:

What you're seeing here is a rendering of my password reuse. The green dots (nodes) represent the passwords I'm using, and each small blue dot represents a site I'm using it on.

Hover over a password and see its visual hash:

Some users like to make many slight variations on the same password. That's fine, but still an example of password reuse. When the visualization detects two similar passwords, it connects them with a square orange node.

You can look at this and pretty quickly figure out where you should start changing your passwords first, and which passwords you should stop reusing. As you change your passwords and update your Firefox password manager, the picture will improve!

This add-on is currently available for Mozilla Firefox. After it's installed, you can access it by clicking on the small blue padlock icon on the add-on bar.

As before, I'd love it if you took a look at the source code, and sent me your thoughts.

Nerd details:
This is a force directed graph built with d3.js and SVG. Password similarity is calculated in terms of edit distance.
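A sketch of how such a graph can be assembled before it is handed to a force layout. This is an added example, not the add-on's source: the similarity threshold of 2 edits, the node and link field names, and the sample logins are all assumptions made for illustration.

```javascript
// Constructed sample of saved logins (not real credentials).
const reuseSample = [
  { hostname: "mail.example", password: "correcthorse1" },
  { hostname: "shop.example", password: "correcthorse1" },
  { hostname: "forum.example", password: "correcthorse2" },
  { hostname: "bank.example", password: "Zx9!unrelated-passphrase" },
];

// Levenshtein edit distance, two-row dynamic programming.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Nodes and links for a force-directed graph: one node per distinct password,
// one per site, and a "similar" node between near-identical passwords.
// Password nodes get an index label so the graph never contains the secret.
function buildReuseGraph(logins, maxDistance = 2) {
  const passwords = [...new Set(logins.map((l) => l.password))];
  const nodes = passwords.map((_, i) => ({ id: `pw${i}`, type: "password" }));
  const links = [];
  for (const l of logins) {
    nodes.push({ id: l.hostname, type: "site" });
    links.push({ source: `pw${passwords.indexOf(l.password)}`, target: l.hostname });
  }
  for (let i = 0; i < passwords.length; i++) {
    for (let j = i + 1; j < passwords.length; j++) {
      const d = editDistance(passwords[i], passwords[j]);
      if (d > maxDistance) continue;
      const id = `similar:pw${i}-pw${j}`;
      nodes.push({ id, type: "similar", distance: d });
      links.push({ source: `pw${i}`, target: id }, { source: id, target: `pw${j}` });
    }
  }
  return { nodes, links };
}

console.log(buildReuseGraph(reuseSample));
```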

Tuesday, December 13, 2011

Visual password hashing for your browser

Quick add-on download links: Firefox Chrome

For the past few months, I've been exploring the current state of privacy on the web. I've also started building a set of tools designed to inform and empower the user by making the browser smarter. Of course, that broad goal could have taken me in many different directions (and as you'll soon see, it did) but I'm now ready to share my first tiny step down the most immediate path toward privacy management.

That most apparent path, I think, is better password management. Firefox already is pretty smart about discovering your passwords when you enter them into a form, and filling out forms on the web automatically. Firefox password storage is encrypted on disk with a master password, but the setting to change the master password isn't as discoverable as the password manager itself. The password manager does have a very simple interface allowing you to manage accounts and view passwords, but it offers no guidance to the user as to how to use passwords wisely.

I began thinking about what a modern password management system might look like, and how it could actively nudge the user to make better privacy decisions without becoming ignored (or worse, hated) the way software usually is when it interrupts the user.

With that in mind, my first step to a smarter password manager was to experiment with visual password hashing. As far as features go, it's almost entirely unobtrusive. It's worth an explanation, in case you haven't seen it before. Visual hashing allows your computer to display something about the password you've entered without actually displaying your password on the screen. The idea is to map the set of all possible passwords to a (smaller) set of visual cues. For now, I'm using four colors.

As you type your password, the four colors change. As time goes by, you'll remember your four colors and never attempt to log in with a mistyped password again.

Of course, visual hashing is usually thought of as a feature designed for the sake of convenience rather than security. It does make password memory easier, which could make harder-to-remember passwords more manageable. As a feature within a password manager, I think it shows great promise as a UI metaphor for displaying your passwords on screen.

Additionally, there may be a genuine security gain from a password manager storing only the visual hash of a particularly valuable password. That manager could still provide a password hint to the user and keep track of where passwords are being reused. All without having to deal with the problem of storing a password on disk securely with a master password, as I imagine many browser users don't.

One last thought: I was briefly concerned about unsalted password hash information leaking out through screenshots, which could be useful to someone trying to crack a password. To deal with this, the colors that are displayed are modified slightly each time, so that a visual hash doesn't tell you the password's exact hash, while still being instantly recognizable to the eye.
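The four-color mapping and the per-render variation described above can be sketched like this. It is an added example, not the add-on's code: SHA-256, the jitter width of 6 per channel and every function name are assumptions, and it uses Node's `crypto` module so that it runs outside a browser.

```javascript
const { createHash, randomInt } = require("crypto");

const JITTER = 6; // assumed per-channel variation; the post gives no figure

// Four base RGB colours taken from the first 12 bytes of SHA-256(password).
function baseColors(password) {
  const d = createHash("sha256").update(password, "utf8").digest();
  return [0, 3, 6, 9].map((i) => [d[i], d[i + 1], d[i + 2]]);
}

// Colours as drawn: every channel is shifted by a fresh random offset in
// [-JITTER, +JITTER] and clamped to 0..255, so no two renders are identical.
function renderColors(password) {
  return baseColors(password).map((rgb) =>
    rgb.map((c) => Math.min(255, Math.max(0, c + randomInt(2 * JITTER + 1) - JITTER)))
  );
}

// Stand-in for "instantly recognizable to the eye": two renders match when
// every channel is within 2 * JITTER, the furthest apart that two renders of
// the same password can ever be.
function looksSame(a, b) {
  return a.every((rgb, i) => rgb.every((c, k) => Math.abs(c - b[i][k]) <= 2 * JITTER));
}

// Digest bits that one pixel-exact screenshot still pins down (clamping
// ignored): each channel narrows its byte to 2 * JITTER + 1 candidates.
// Without jitter this is the full 96 bits; jitter lowers it, not to zero.
function bitsRevealedPerScreenshot(jitter = JITTER) {
  return 12 * (8 - Math.log2(2 * jitter + 1));
}

// Constructed demo passwords: a correct entry, a retype, and a typo.
const first = renderColors("hunter2-demo");
console.log(looksSame(first, renderColors("hunter2-demo"))); // same password
console.log(looksSame(first, renderColors("hunter2-dmeo"))); // mistyped
console.log(bitsRevealedPerScreenshot().toFixed(1));
```

With these assumed parameters a single exact screenshot still narrows the first 96 bits of the digest considerably, so jitter on its own is a partial measure; showing fewer bits per color is the other lever, at the cost of more passwords sharing the same four colors.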

The visual password hashing add-on works automatically on every website you visit, and is available for both Mozilla Firefox and Google Chrome. Try it, and let me know what you think. Send comments to watchdog@paulsawaya.com.

And, of course, check out the source code.
Creative Commons License