
Use color to obscure text Apps
I keep track of passwords and other sensitive information in a Rich Text TextEdit document and store it in an encrypted disk image. This way I have a reference for this information when I need it, but it's secure until that time. However, I occasionally need to access this document while another person is at my desk, and I don't want to risk them casually seeing anything I don't want them to see.

My solution, which I think I saw somewhere else several years ago, was to change the text color of the sensitive parts of the file to white and delimit it with something obvious. For example, I might have an entry like the following in this document:

Server username/password: . Bob ./. $w0rdf1sh .

By changing the colors of the text for the username and password to white (or whatever the background color of the document is, but that'll almost always be white), the text between the periods for each field becomes invisible. To see it all I have to do is highlight it, which allows for selective viewing of just the part(s) of the document I want to see.

In TextEdit this is easy with the 'Show Colors' menu option in the 'Format » Text' submenu, which is easily accessed with the Cmd-Shift-C keyboard shortcut. Just highlight the text you want to obscure, possibly by using the Command key to select discontinuous pieces of text, then set the text color to white. The delimiters (I use periods) indicate where the hidden text is, and I add some arbitrary white space around passwords so that the size of the space between the delimiters isn't a clue as to how long the password might be. This is certainly not a substitute for secure storage of information, but it can help reduce the likelihood of an over-the-shoulder type of information leak.

[crarko adds: I tested this, and it works as described.]
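
What the colour change amounts to inside the file, as an added example that is not part of the original hint: a simplified reader for an RTF colour table and `\cf` runs, applied to a constructed sample. The sample document and the function names are assumptions made for illustration.

```python
import re

# Constructed sample of a rich-text file laid out like the hint's entry (not the author's file).
SAMPLE_RTF = (
    r"{\rtf1\ansi{\fonttbl\f0\fswiss Helvetica;}"
    r"{\colortbl;\red255\green255\blue255;\red0\green0\blue0;}"
    r"\f0\fs24 \cf0 Server username/password: . \cf1 Bob \cf0 ./. "
    r"\cf1 $w0rdf1sh \cf0 .}"
)

# Control word (+ optional number), \'hh escape (dropped), control symbol, brace, plain text.
TOKEN = re.compile(r"\\([a-z]+)(-?\d+)? ?|\\'..|\\(.)|([{}])|([^\\{}]+)", re.S)
SKIP = {"fonttbl", "colortbl", "stylesheet", "info"}  # groups that hold no body text

def color_table(rtf):
    """Map colour index -> (r, g, b); index 0 (the empty entry) means 'default'."""
    m = re.search(r"\{\\colortbl\s*([^}]*)\}", rtf)
    table = {}
    for i, entry in enumerate(m.group(1).split(";")[:-1] if m else []):
        rgb = re.findall(r"\\(?:red|green|blue)(\d+)", entry)
        if len(rgb) == 3:
            table[i] = tuple(int(v) for v in rgb)
    return table

def runs_in_color(rtf, background=(255, 255, 255)):
    """Return the text runs whose foreground colour equals the background colour."""
    table, stack, cf, skip, runs = color_table(rtf), [], 0, None, [[]]
    for word, num, sym, brace, text in (m.groups() for m in TOKEN.finditer(rtf)):
        if brace == "{":
            stack.append(cf)              # formatting is scoped to the group
        elif brace == "}":
            skip = None if skip == len(stack) else skip
            prev = stack.pop() if stack else 0
            if prev != cf:
                runs.append([])           # colour reverts when the group closes
            cf = prev
        elif skip is not None:
            continue                      # inside a font/colour table, not body text
        elif word in SKIP or sym == "*":
            skip = len(stack)
        elif word == "cf":
            runs.append([])               # \cfN switches the foreground colour
            cf = int(num or 0)
        elif text and table.get(cf) == background:
            runs[-1].append(text)
    return [s for s in ("".join(r).strip() for r in runs) if s]

if __name__ == "__main__":
    print(runs_in_color(SAMPLE_RTF))
```

The white runs come back in the clear because the colour is only a `\cfN` formatting reference next to the stored characters, so the confidentiality of the file rests entirely on the encrypted disk image.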

Use color to obscure text
Authored by: greed on Jul 08, '10 07:53:55AM
The website TV Tropes (caution: may result in massive loss of productivity if visited) uses the same technique to hide spoilers. It works quite well for accidental-disclosure protection.

Keychain
Authored by: PatrickS on Jul 08, '10 07:53:58AM

This may be useful if you intend to use the same file across platforms and don't want to invest in a multi-platform password manager. May need some experiments regarding usable/standardized colours though.

For Mac-only use: Why not use the Keychain to store passwords and other sensitive stuff? It even has a "copy to clipboard" function for the password, allowing you to paste the password into a web form without ever displaying it on the screen.



Keychain
Authored by: mkluskens on Jul 09, '10 07:23:10AM

Storing a password in Keychain Access and in a document on an encrypted disk image both result in roughly the same level of security, but highly dependent on which version of OS X and if you activated Windows File Sharing. I don't have experience with other password storing products nor have I read reviews by security professionals regarding their strengths and weaknesses.

With Keychain Access you are telegraphing your intent to view a password, but you can make it go away with cmd-w as soon as you have seen it.

With the white-on-white encrypted document it's a bit less obvious that you are going to look at a password and depending on the font size and highlight color it might be impossible for another person to read unless they are as close as you are to your screen and/or have better eyesight than you and you only have to view part of it.

I'm not sure about documentation on breaking encrypted disk images, but anyone in that business probably has access to that information, but I doubt a 5th grader could do it.

Access to your passwords in Keychain Access is granted to anyone who can enter your password, which could be obtained by cracking the password hash or hashes stored on your boot disk (in /var). If you are foolish enough to enable Windows File Sharing under 10.5 or later then getting your password is trivial as the password hash stored to enable Windows Sharing is trivial by today's standards (I tested this on a previous release of OS X and in OS X 10.5 Apple finally warned the user about this). 1 TB hard disks with hash tables for passwords up to 14 characters have been widely available since 1 TB hard disks came out but mostly with Windows LM & NTLM hashes (currently sell for $500) (google "rainbow tables" for documentation on this topic. Web sites exist where you submit the hash and they give you the password). The location of the OS X password hashes is documented so a 5th grader with access to google could probably figure it out. I found step by step instructions last time I researched this issue. FileVault under 10.3 and 10.4 was insecure unless you knew to disable the LM and NTLM hashes, those are disabled by default under 10.5 and later. As a side note, virtually every install of Windows XP and earlier has the LANMAN (LM) hashes enabled making it truly trivial to crack their passwords, and Apple "supports" Windows File Sharing by storing your password in the LM and NTLM hashes. The other choice for Windows File Sharing on OS X is the NT hash which is only slightly stronger, but I think OS X creates them both if you turn on File Sharing in 10.5 & 10.6.

I don't know if Apple is finally using a "salt" with their password hashes, for a long time they weren't, so even with LM and NTLM disabled, cracking the OS X password hashes was doable as I think they are/were using MD5 for which rainbow tables exist and are useful if a salt is not used. Even SHA1 is believed to be at risk now.

The earliest and only rainbow table I built was for the TRS-80 Model 1 and I printed that one out. I downloaded a CD that will boot an XP machine into Linux and automatically crack its passwords if the Lanman (LM) and NT hashes (NTLM) have not been disabled, I found it helpful as I tend to forget the admin password on my home XP iMac (XP is for gaming right? ;-) ).



Use color to obscure text
Authored by: BlaatMekker on Jul 08, '10 08:09:54AM

Repeat after me: security through obscurity is not security.



Use color to obscure text
Authored by: adrianm on Jul 08, '10 08:13:29AM

One word: Keychain.

---
~/.sig: not found



Security through obscurity
Authored by: alblue on Jul 08, '10 08:55:26AM

This is a complete travesty of security. Not only does making the colour white only apply to viewing the text in TextEdit (the password will still remain visible in the file, after all) but changing the text to 'text only' is a trivial way of revealing what's there. Exactly the same argument would apply if the file were HTML, for example.

Apple ships 'Keychain Access' which is used to store passwords and other secure media in a way that can only be seen if you've logged in and supplied your password. Everyone has one of these set up by the system, but you can create additional keychains (each with their own master password) if you want. If you need to store passwords, then using anything other than Keychain access (or a similar tool, like gnupg) is a complete waste of time and security.

Frankly, this is not a hint that should be repeated to the internet at large and I urge the moderators to remove this, lest a google search turns it up and people think 'oh yeah, that's a good idea ...'



Use color to obscure text
Authored by: butteforce on Jul 08, '10 10:23:50AM

It's on an encrypted disk image. Unless it's mounted, no one's reading the .rtf. The color obscurity isn't securing against someone getting the passwords, it's security against casual observation. That's pretty clear for anyone who didn't skip reading the first paragraph.

Keychain isn't very portable and it's pretty clunky for copy/paste use when you're working out of a terminal. To copy a password out of Keychain Access, you'll be entering a password for each one of them. Not only that, but there's no way to obscure the usernames in it either. Now, if there's a terminal app that can hook the keychain for passwords when you're connected to other servers, that might be something. But as is, it's a poor solution.

Frankly, I find it to be a lot more ingenious of a method than my previous "write 47 passwords on a tiny card" one.



Use color to obscure text
Authored by: PatrickS on Jul 08, '10 11:16:42AM
Have a look at the comments here on how to access the keychain from the shell.

Use color to obscure text
Authored by: brh on Jul 08, '10 10:24:45AM

Did you folks read the hint? Submitter keeps the file in an encrypted disk image - that's the real security. It's not just some file floating around in the clear for anyone to access. The color thing is just an additional layer so that if the submitter needs access to a password, and someone is lingering around their area, they won't see the entire list.

I agree that there are better ways to do this, such as keychain - though keychain won't be cross platform. But I think people are being a little unfair here in assuming that the color trick is the first line of defense here…

Edit - got beaten to the punch there…!

Edited on Jul 08, '10 10:27:15AM by brh



Use color to obscure text
Authored by: joeyblades on Jul 08, '10 10:54:30AM

I think you guys are being too hard on djdawson. After all, they did say that the file is on an encrypted disk image. The only goal was to make the data 'invisible' to the casual observer who might be looking at the display. The file is still secure when the disk image is unmounted.


Also, the Mac keychain is not as secure as you probably think it is. Most people (the few that actually use keychain) just use the default login keychain, which is essentially always unlocked while you're logged in. Yes, you can use alternate keychains and you can manually lock and unlock keychains, but all of that requires the user to have some level of discipline that most users lack.



Use color to obscure text
Authored by: crazyj on Jul 08, '10 11:51:06AM
1Password is so much more secure for this and it is cross platform including iOS. By default 1Password does not show the passwords on the screen and simply clicking on the masked password copies it to the clipboard for pasting where needed, meaning you never have to reveal the password on screen if you do not want to. Their support also rocks and they release updates very frequently.
---
Sr. Editor, MacSlash
macslash.org


Use color to obscure text
Authored by: joeyblades on Jul 08, '10 03:58:01PM

Not to hijack this thread, but...

I'm sure 1Password is very nice, but KeePass (KeePassX on Mac) seems to offer the same functionality, works on nearly every platform including most smart phones, all your instances can share a common database, and KeePass is free.



Use color to obscure text
Authored by: stepwallace on Jul 09, '10 05:56:00AM

"Not to hijack this thread, but..."

I use lastpass (which is free, unless you want to use it on your iPhone too), which I found to be superior for cross platform ease of use to KeePass. It's built into the browser so integration doesn't vary from platform to platform. KeePass is great for storing and managing passwords, but manually syncing the password file + not integrating the same on different platforms just made it a pain for me to use.

That said, I agree wholeheartedly with the poster that keeping a local copy of passwords (in an encrypted archive or disk image) is smart planning. I also think the idea of storing the passwords as white space is a nice way of preventing shoulder surfing should you have to rely on your local copy.

---
__
http://www.step.net.au



Use color to obscure text
Authored by: everkleer80 on Jul 09, '10 06:34:50AM

I know many people have said this already, but it's amazing how many people don't bother to read (or pay attention to) THE FIRST SENTENCE OF THE HINT before making comments like 'changing the color is not security!' I've seen many hints where a lot of the comments assumed that the hint was trying to do something that it was not. Anyway this is a good tip and I used to do something similar myself in a program I had designed.

I now use 1Password which is great for my needs with its easy integration into all browsers and its iPhone and MobileMe sync options, but I may check out the free solutions when it comes time to upgrade. Thanks for mentioning them!



Just use the keychain
Authored by: mdmac on Jul 09, '10 11:15:35AM

WTF are you doing? Just use the Keychain!



Use color to obscure text
Authored by: osxpounder on Jul 09, '10 01:06:43PM

Nice hint. Thanks.

BTW, you might want to consider TextEdit's spellcheck feature. It makes little red dots appear under the white words on that white page. Could be good, could be bad. Just wanted to point that out so you could disable, if you wish, that automatic spell checking feature.



Use color to obscure text
Authored by: ottonomy on Jul 10, '10 07:35:22PM

I'm another contented 1Password user, but I have to say I love this hint, if only for the related uses it brings to my mind. Many are the times I've wanted to tap some thoughts into an email or text file, so as not to forget them, but felt the presence of intruding eyes behind me. I'm confident enough in my typing skills to believe that I could get the gist of an idea hammered out without being able to see my progress, albeit perhaps riddled with a few typos. If only I could observe the bemused expressions of the onlookers as I dash off blank emails to myself... wait, that's what the iSight camera's QT recording function is for...



Use color to obscure text
Authored by: andy8429 on Jul 13, '10 07:23:08AM

That's an interesting idea. I agree that it isn't the best security you could have but it's better than nothing. I think it will be a good idea when you're out and about as a partial solution. After all you never know who's peering over your shoulder. You should be able to trust work colleagues but of course we all know you can't alas.


