I don't buy the claim of non-reversibility here. The colors are generated by hashing three items using MD5:

1. Domain-specific salt (which is just the document.location)
2. User-specific salt (which has a default value, and even if it was loaded based on the user name an attacker could retrieve it)
3. The password typed so far

1 and 2 mean that the salt is virtually useless. It's not a secret.

The colors are generated by extracting 6-digit chunks of hex from the hexadecimal MD5 hash. And the full entropy in the MD5 isn't used.

So, it looks to me like someone who observes the username and the colors generated could look up the password in a rainbow table quite easily. Since they've also got the number of characters in the password, it makes generating test passwords really easy.

Code is here: http://github.com/axemclion/Chroma-Hash/blob/d6703e670f8447640adba29838adb57d28369f16/chroma-hash.js