Hash string UX

Updated November 24, 2019

There are big UX differences between hash representations, and using the wrong hash representation can open the door to phishing scams.

TLDR: Special characters are snares. Base58 is great.

Make it easy to see at a glance

All hash strings are equally meaningless, but some are more confusing than others.

// Visually uniform, single shape
Z10KB012LOWEH30B09UIDK2L34E

// Visually chaotic, many shapes
A~o]O;%1hIi_-$1;:134).?=3aH

Rather than drawing attention to the individual characters, we want to make it easy to perceive the hash as a single unit (Gestalt principle). Having a more visually uniform string of characters helps us see the hash as a single shape, rather than a collection of individual shapes.

Make it easy to copy

Try double-clicking somewhere in the middle of this hash.

&Pe5kTo/V/w4MToasp1IuyMrMcCkQwDOdyzbyD5fy4ac=.sha256

You would expect to have the entire hash string selected on double-click, but the special characters break it up into separate chunks.

Special characters don't just break up the hash visually, they also break it up programmatically, thwarting the text-selection affordances of most operating systems.

This forces users to manually select the text range, and increases the chances of mistakes. Multiply this error rate over every time a user has to select a hash — this causes serious friction.

Make it hard to spoof

Bitcoin goes one step further and uses Base58 for hashes, because its alphabet leaves out characters that look visually identical to one another.

From base58.h in the Bitcoin source code:

/**
 * Why base-58 instead of standard base-64 encoding?
 * - Don't want 0OIl characters that look the same in some fonts and
 *      could be used to create visually identical looking data.
 * - A string with non-alphanumeric characters is not as easily accepted as input.
 * - E-mail usually won't line-break if there's no punctuation to break at.
 * - Double-clicking selects the whole string as one word if it's all alphanumeric.
 */

This prevents phishing-type attacks where the attacker spoofs an address using characters like O0 or Il1 to create identical-looking addresses.
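
The properties listed in that comment can be checked mechanically. The following is an added example, not code from Bitcoin or from this page: a plain Base58 encoder and decoder (no checksum) plus a hypothetical helper, ux_problems, that reports the characters in an identifier that are non-alphanumeric or belong to the 0OIl look-alike set. The sample digest input is constructed.

```python
import base64
import hashlib

# Bitcoin's Base58 alphabet: the alphanumerics minus 0, O, I and l.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CONFUSABLE = set("0OIl")

def b58encode(data: bytes) -> str:
    """Plain Base58; each leading zero byte is written as '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on a character outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")

def ux_problems(text: str) -> dict:
    """Non-alphanumeric characters (selection breakers) and look-alike characters."""
    return {
        "word_breaking": sorted({c for c in text if not (c.isascii() and c.isalnum())}),
        "confusable": sorted({c for c in text if c in CONFUSABLE}),
    }

if __name__ == "__main__":
    # Constructed input: the same digest rendered in Base64 and in Base58.
    digest = hashlib.sha256(b"constructed sample input").digest()
    for label, text in (("base64", base64.b64encode(digest).decode()),
                        ("base58", b58encode(digest))):
        print(label, text, ux_problems(text))
```

Because the decoder rejects anything outside the alphabet, a string that swaps in 0, O, I or l is not a valid encoding at all, so it cannot silently decode to a different value.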