
Visual Fingerprint

William Entriken edited this page Dec 31, 2023 · 8 revisions

The visual fingerprint (or visual checksum) helps you detect and correct typos in the master password.

This repository includes several separate implementations of LessPass. This document aspires to be the reference specification to which all implementations shall conform.

Example

fingerprint

Behavior

Randomness

While you type, the icons change randomly. This is a feature to prevent information leaks, as we used to compute the hash on each new character (this is not the case anymore :).

Debounce

The delay before you get a new set of icons is due to the randomness issue and the time it takes to compute the real hash.

Toggling visibility

Revealing the master password when you click the fingerprint is a feature, not a bug. When you have a long passphrase, editing it is faster than re-typing the whole thing.

💣 Security concern

Do not screen share while using visual fingerprint!

Everybody watching can recover your master password. They just open it the same way and try each letter in turn to guess each letter of your password until the emoji match. For example, if they see 🧪🏦💲, it means your master password starts with a.

If you are pasting in your entire master password (not typing it letter by letter), then only 16.4 bits of information are revealed. This makes guessing your password 100,000 times easier (45^3, the entropy space of the emojis) than a random guess.

There is a partial mitigation implemented that helps a bit if you type quickly.
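
The randomness and debounce behavior described above, and why it is only a partial mitigation, sketched as an added example (not LessPass code): decoy icons are shown on every keystroke and the real fingerprint is computed only after typing pauses. The icon set, the 500 ms delay, and the names `createFingerprintField`, `realFingerprint` and `timers` are assumptions for illustration.

```javascript
// Added example: debounced fingerprint display with random decoy icons.
// ICONS is a constructed placeholder set, not the LessPass icon list.
const ICONS = ["🧪", "🏦", "💲", "🚗", "🔑", "🎲", "📎", "🌵"];

function randomIcons(rng = Math.random) {
  // Decoys are drawn independently of the input, so they reveal nothing about it.
  return Array.from({ length: 3 }, () => ICONS[Math.floor(rng() * ICONS.length)]);
}

// realFingerprint: (password) => string[]; assumed to be the implementation's own function.
// timers: { set, clear } is injectable so a test can drive time without waiting.
function createFingerprintField({
  realFingerprint,
  delayMs = 500, // constructed value; the page does not state the delay
  rng = Math.random,
  timers = { set: (fn, ms) => setTimeout(fn, ms), clear: (id) => clearTimeout(id) },
}) {
  let pending = null;
  let shown = [];
  let realComputations = 0;

  function onInput(password) {
    if (pending !== null) timers.clear(pending); // each keystroke restarts the quiet period
    pending = null;
    if (password === "") {
      shown = [];
      return shown;
    }
    shown = randomIcons(rng); // what the screen shows while typing is a decoy
    pending = timers.set(() => {
      pending = null;
      realComputations += 1;
      shown = realFingerprint(password); // computed only once typing has paused
    }, delayMs);
    return shown;
  }

  return { onInput, shown: () => shown, realComputations: () => realComputations };
}
```

In this sketch, a pause in the middle of the password still displays the real fingerprint of the prefix typed so far, which matches the note above that the mitigation only helps if you type quickly.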

CLI

Visual fingerprint is also supported in the CLI, but not all configurations work. Below we describe the configurations known to work.

Note: the visual fingerprint is generated when you type the master password. Thus, if you set the LESSPASS_MASTER_PASSWORD variable, you won't be asked for it and your password will be printed directly.

| OS | Terminal app | Multiplexer | Shell | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| Ubuntu 23.04 | GNOME Terminal 3.48.0 for GNOME 44 | - | [email protected], [email protected] | | - |
| Ubuntu 23.04 | Guake 3.9.0 | tmux 3.3a | [email protected] | | - |
| Alpine 3.17_alpha20221110 | Guake 3.9.0 | - | [email protected] | | |