
When typing a secret keyword into Getpass, a little jdenticon is shown on the right, based on the secret that was entered. The FAQ on Getpass states the following about it:

Did you notice that the secret keyword is obscured? If yes, then this is a way to visually represent a hash of your Secret Keyword, based on the jdenticon library. This is the way to ensure that your Secret Keyword is typed correctly, without revealing the actual letters you have typed.

Doesn't that completely defeat the purpose of obscured fields in applications?

I get that the generated icon is based on a hash, so it's not reversible. But this still provides direct information about the password. Such information would be completely obscured if the artwork was absent.

For example, if I know the artwork of a horrible password, like 'password123', shoulder-surfing my colleague when they're typing their password on this page would already tell me whether their password is 'password123'. This wouldn't happen if the artwork was absent.

Am I paranoid? Is this something that can safely be done?

Arthur Attout

Answer

Paranoia of authentication systems is considered the default and healthy state, here.

While you're correct that shoulder surfing is the threat model that the site is trying to mitigate, unless your cubicle-mate and evil maids already have a good idea of your password and just want to verify it, they're unlikely to know the jdenticon pattern. Someone who you share passwords with may be able to recognize an insecure password, of course, if they also use that system, so don't share passwords.

Still, some can argue that the jdenticon should be hidden by default, and only visible with explicit user interaction if you need to verify that the secret was entered correctly, just as the eye-with-a-slash icon also shows the plaintext of your secret. If you think that shoulder surfing may be an issue, you can pre-emptively hide the jdenticon using CSS override extensions in your browser.

This is a somewhat moot point, though, as services like Getpass encourage low entropy passwords and password reuse, despite their best intentions.

With a deterministic password generator and several known (no entropy) values as its input, such as your username and the site's name, the only entropy left comes from your Getpass secret keyword. While most people won't be targets of spear phishing attacks, if you are, and attackers determine that you're using a deterministic password generator, then they can brute force that secret keyword. They won't need physical access to any of your devices, and won't trigger emails notifying you that a new/unknown device logged into your password manager.

Instead, use a password manager that generates a password from high entropy sources, and that either requires physical access, or notifies you of unexpected access.

Deterministic password managers do not add security; they only add obscurity.

Ghedipunk
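The contrast the answer draws, as an added worked example that is not Getpass's code or algorithm and not part of the original thread: a toy deterministic generator next to a toy vault-style manager. The PBKDF2 derivation, the character alphabet, and the keyword and password sizes are assumptions chosen for illustration. The point it makes concrete is the one in the answer: when username and site name are public, the only unknown in a deterministic scheme is the secret keyword, so the attacker's work factor is the keyword's entropy and nothing else, and no server-side state exists to notice the attempt; a vault that stores independently generated random passwords has a per-site work factor set by the generator, and one leaked password says nothing about the others.

```python
"""Toy comparison of deterministic vs. vault-based password managers (constructed example)."""
import hashlib
import math
import secrets
import string

# Alphabet used for generated passwords (assumption: 70 symbols).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def derive_password(secret_keyword: str, username: str, site: str, length: int = 16) -> str:
    """Deterministic design: the same (keyword, username, site) always yields the same password.

    PBKDF2-HMAC-SHA256 is a stand-in chosen for this demo, not Getpass's real derivation.
    Nothing is stored anywhere, so there is no device to steal and no login to notify about.
    """
    salt = f"{username}@{site}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", secret_keyword.encode(), salt, 10_000, dklen=length)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in raw)


class VaultManager:
    """Vault design: each site gets an independently random password, kept in stored state."""

    def __init__(self) -> None:
        self._vault: dict[tuple[str, str], str] = {}

    def password_for(self, username: str, site: str, length: int = 16) -> str:
        key = (username, site)
        if key not in self._vault:
            # secrets.choice draws from the OS CSPRNG; each site's password is independent.
            self._vault[key] = "".join(secrets.choice(ALPHABET) for _ in range(length))
        return self._vault[key]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols over `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def attacker_work_factor_bits(design: str,
                              keyword_alphabet: int = 26, keyword_length: int = 8,
                              site_alphabet: int = len(ALPHABET), site_length: int = 16) -> float:
    """Bits an attacker who already knows the username and site name must overcome.

    Defaults are assumptions: an 8-letter lowercase keyword vs. a 16-symbol random password.
    """
    if design == "deterministic":
        # Username and site are public inputs: only the secret keyword is unknown.
        return entropy_bits(keyword_alphabet, keyword_length)
    if design == "vault":
        # Each site's password is a fresh random draw; knowing one site's does not help elsewhere.
        return entropy_bits(site_alphabet, site_length)
    raise ValueError(f"unknown design: {design}")


def blast_radius_deterministic(secret_keyword: str, username: str, sites: list[str]) -> dict[str, str]:
    """Once the keyword is known, every site's password follows with no further access."""
    return {site: derive_password(secret_keyword, username, site) for site in sites}


if __name__ == "__main__":
    sites = ["example.com", "mail.example.net", "bank.example.org"]
    print("deterministic, same inputs twice:",
          derive_password("hunter2", "alice", sites[0]) == derive_password("hunter2", "alice", sites[0]))
    print("deterministic work factor (bits):", round(attacker_work_factor_bits("deterministic"), 1))
    print("vault work factor per site (bits):", round(attacker_work_factor_bits("vault"), 1))
    print("keyword known -> all sites:", blast_radius_deterministic("hunter2", "alice", sites))
    vault = VaultManager()
    print("vault passwords are independent:",
          len({vault.password_for("alice", s) for s in sites}) == len(sites))
```

Running the block prints the two work factors side by side; with the assumed sizes the deterministic design protects every account with the keyword's roughly 38 bits, while the vault design gives each site about 98 bits that are unrelated to any other site's password.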