Passpics: A Picture Is Worth a Thousand Passwords

Using passwords as the primary authentication mechanism in the digital world is painful. Although password cracking techniques continue to get faster and we are called on to make our passwords longer and stronger, our brains (and fingers) still face the same humble limitations they did when we struggled to remember our first email account login.  If we continue along the current trend towards longer passwords, it feels like we’ll eventually be asked to type in 2048-bit keys. I’m sorry, but for a guy like me who can’t even remember to buy the milk, that’s just not going to happen.

Password managers can address some of the problems associated with passwords, but they don’t provide a long-term solution. Password managers are a big target, and even really good ones can be attacked in a manner that puts you at risk. I don’t like the idea that the failure of one piece of software jeopardizes all of my digital security, and I don’t want to always have to install another piece of software just to access my accounts. Additionally, at the core, they’re still using passwords to communicate shared secrets, and even properly procured passwords will pose little issue to the coming legion of super machines.

What we need is something that we can start using now that provides better usability and stronger security. Thankfully, we already make use of a technology that can fulfill our authentication needs: images, which in this context we’ll refer to as passpics.

Passpics Offer Improved Usability

Let’s start with the task of taking and uploading images. Whether you’re on Facebook, Instagram, Twitter, or the Browncoats forums (hey, it’s the best sci-fi show ever), you’re inevitably going to see images that users of all different backgrounds and skill levels have taken and uploaded without any fanfare. Today’s hardware and software applications make taking and uploading images so easy that even a monkey can do it (even if it doesn’t possess the copyright).

The findability of passpics also seems quite reasonable. Users have become accustomed to organizing their images by directory and/or tags in various software applications. Additionally, many operating systems allow you to visually scan directory contents by providing thumbnails of the files, including images. Of note, I’m not advocating naming or tagging an image with a label like “passpic important”, but I am saying that if you know one of your passpics contains a horse, you may browse for it in the “farm” directory or tag it “Mr. Ed.”

Images are also very memorable, making it likely that users will be able to successfully recall sets of passpics. While passwords typically require free recall, images can benefit from recognition-based recall, which typically leads to better performance.  Images provide other memory advantages, too. The method of loci, which uses visual imagery to enhance recall and has been used for centuries, reveals the profound improvements visual imagery can have on memory tasks.

Passpics may also offer advantages in terms of entry accuracy. Because of the funky characters and uncommon key combinations, passwords can be typed incorrectly, especially as they grow longer and our keyboards grow smaller. In contrast, passpics require the selection of one or more image files through the file viewing interface. While the manual entry time may be longer for passpics, the entry accuracy seems likely to be at or better than that of passwords. This accuracy may allow authentication providers to more quickly lock out nefarious login attempts. User research in this area will be interesting.

Passpics Provide More Protection Against Brute-Force Attacks

When you take that all-important selfie, your smart phone processes a tremendous amount of visual information to create the image file. In fact, even after lossless compression is performed (i.e., the size of the image is reduced but the quality remains unchanged), images remain large files because of the inherent entropy (i.e., information that can’t be predicted by using the other information in the image) contained in high-resolution images.

Practically speaking, no two images captured by a camera will be exactly the same (even if you try really hard to capture the exact same scene). That’s because the vast amount of information recorded in an image is subject to tolerances in camera sensors, variations in lighting, and changes in the precise placement of the camera. Essentially, anyone with a digital camera can, with but a click of a button, create a wholly unique authentication token that is far more difficult to guess or brute force than any password, passphrase, or cryptographic key currently used for online encryption.

Passpic Theft Concerns

Those with security backgrounds may be concerned about a form of one-factor authentication that makes use of “something you have.” That is to say, when using an authentication token, because of the threat of theft, a two-factor scheme is often implemented (e.g., an ATM requires a PIN in addition to the possession of a bank card to log in). How should we handle these concerns?

Practically speaking, passpics are often at least as secure as passwords in terms of theft. If the transmission or online storage is the weak point (e.g., lack of SSL, weak password hashing, etc.), passwords are just as vulnerable as passpics. However, if one is focused on the specific concern of a user’s passpic being stolen because it’s something they have, not something they know, this isn’t a compelling argument. Users often alter passwords into something they have, as they tend to write them down somewhere (and prominent members of the security community have advocated this approach). So, passpics are often no worse than passwords in terms of theft risk.

That said, we can significantly mitigate the risk of theft of passpics by adding a “something you know” authentication factor. Encrypting a hard drive is quite easy on many operating systems, which, in the case of physical theft of the hardware, renders the authentication token(s) unusable unless the operating system’s encryption is successfully attacked or the attacker gains access to the account password. And, yes, it’s ironic I’m touting a security mechanism based on passwords as a fix, but you have to pick your battles.

Even if an attacker does gain access to a computer with stored passpics, they are not assured of successfully attacking the login system through theft. Most people today have hundreds if not thousands of images on their computer. Unless the user names the image “my-bank-passpic.jpg”, an attacker would have to try many different images to find the correct login. Still, this isn’t a terribly difficult task for attackers. What else could we do to mitigate theft risks?

There is one crucial implementation detail that I’ve hinted at, but haven’t stated explicitly until now: users must be able to submit a set of passpics to log in. This one feature provides a significant security boost across the board in terms of mitigating attacks, but especially in terms of theft. For example, if a user submits a set of three images to log in at their bank, and even if they only have 1000 images total on their computer, the number of possible passpic login sets would be more than 160 million. More importantly, users could conceivably diversify the storage locations of passpics within a set (e.g., store one passpic in the cloud, one passpic on their hard drive, and one passpic on a microSD card), making the theft/compromise of one device/service insufficient for a successful attack.

Potential Problems With Passpics

Passwords are often masked to prevent shoulder surfing from compromising your password. For those outside the security community, shoulder surfing is when an attacker views your screen while you interact with your computer/device, providing the opportunity to steal information they can see. In the current implementation of file uploads in most browsers, an attacker who can view your screen while you log in could at least identify the images used to log in.

Is password masking important? Some have argued that password masking is unneeded, but the subsequent fury of the masses revealed that most security-conscious users deem this form of security a necessity. If an attacker does successfully shoulder-surf your account credentials, they can log in to your account. However, unlike with passwords, it’s not enough to see the passpics used. The attacker would have to gain access to the actual image files to successfully log in to your account. Frankly, I’m unsure how big an issue this is and/or how best to approach it, but I do believe it’s an important consideration moving forward.

Images are relatively large files, so having to upload one or more passpics every time you authenticate does present some concern in terms of response time and network use. That said, most login systems build in a certain amount of cost for password hashing, so login systems already involve an increased response time. In terms of network resources, users have the ability to resample images to smaller sizes that better match their particular network capabilities. Even a grayscale 300 x 300 JPEG image requires a much larger search space for brute-force attacks than the best passwords. Granted, this presents a significant usability issue, and something that may have to be better addressed before passpics can be used by the masses.

One other problem with passpics is the potential for Denial-of-Service (DoS) attacks. Online services would have to allow relatively large file uploads if all of the processing was handled server-side. Preventing attackers from leveraging this type of permission would present some challenges. Services could push the processing of the images client-side, but this presents its own challenges. Again, I’m not advocating a particular solution, as I merely want to present this potential issue as something that merits careful consideration.
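As an added example (my code, not the post’s and not any particular service’s), here is one way a server could implement the set-based login described under “Passpic Theft Concerns” while bounding the upload cost this section worries about. Everything about the scheme is an assumption: the set is verified as an order-independent digest of byte-identical files, an assumed per-file size cap and maximum set size are enforced before any hashing, and a per-user salted HMAC is stored as the verifier. It also reproduces the candidate-set count quoted above with `math.comb`. The image bytes are constructed stand-ins.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

# Limits are assumed values for this example, not figures from the post.
MAX_PASSPIC_BYTES = 2 * 1024 * 1024   # per-file cap: bounds what the upload handler reads
MAX_SET_SIZE = 5                      # cap on files per login attempt

# Constructed stand-ins for image files; real passpics would be the raw JPEG/PNG bytes.
SAMPLE_PASSPICS = {
    "horse.jpg":   b"\xff\xd8\xff\xe0 constructed bytes of a horse photo",
    "cloud.png":   b"\x89PNG constructed bytes of a picture kept in the cloud",
    "microsd.jpg": b"\xff\xd8\xff\xe0 constructed bytes of a photo on a microSD card",
    "public.jpg":  b"\xff\xd8\xff\xe0 constructed bytes of a photo posted on social media",
}


def candidate_sets(n_images: int, set_size: int) -> int:
    """Unordered sets of `set_size` files an attacker holding n_images would have to try."""
    return math.comb(n_images, set_size)


def set_digest(files: list[bytes]) -> bytes:
    """Order-independent digest of a passpic set.

    Each file is hashed, the digests are sorted, and the concatenation is hashed
    again, so the user may pick the files in any order. Count and size limits are
    checked before hashing so an oversized upload is rejected cheaply.
    """
    if not 1 <= len(files) <= MAX_SET_SIZE:
        raise ValueError("passpic set size out of range")
    digests = []
    for data in files:
        if len(data) > MAX_PASSPIC_BYTES:
            raise ValueError("passpic exceeds size limit")
        digests.append(hashlib.sha256(data).digest())
    if len(set(digests)) != len(digests):
        raise ValueError("same passpic submitted twice")
    return hashlib.sha256(b"".join(sorted(digests))).digest()


def enroll(files: list[bytes], salt: Optional[bytes] = None) -> tuple:
    """Return (salt, verifier) to store for a user. The per-user salt keeps two users
    who enroll the same (possibly public) images from sharing a verifier."""
    salt = salt if salt is not None else os.urandom(16)
    verifier = hmac.new(salt, set_digest(files), hashlib.sha256).digest()
    return salt, verifier


def verify(files: list[bytes], salt: bytes, verifier: bytes) -> bool:
    """Check a submitted set against the stored verifier with a constant-time compare."""
    try:
        candidate = hmac.new(salt, set_digest(files), hashlib.sha256).digest()
    except ValueError:
        return False
    return hmac.compare_digest(candidate, verifier)


if __name__ == "__main__":
    p = SAMPLE_PASSPICS
    salt, verifier = enroll([p["horse.jpg"], p["cloud.png"], p["microsd.jpg"]])
    print("same set, different order:",
          verify([p["microsd.jpg"], p["horse.jpg"], p["cloud.png"]], salt, verifier))
    print("public image swapped in:  ",
          verify([p["horse.jpg"], p["cloud.png"], p["public.jpg"]], salt, verifier))
    print("sets of 3 from 1000 images:", candidate_sets(1000, 3))
```

Two design points follow from the post. The digest is over the exact bytes, so the resampling mentioned above has to happen once, before enrollment, and the same files must be kept thereafter. No key stretching is applied because the strength is meant to come from the entropy of the files, which is exactly why a set made up entirely of publicly posted images gives the verifier nothing to protect.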

What about social media: do passpics uploaded to public sites weaken the security? Possibly. If you have a Facebook account and you upload one picture, and that one picture is your passpic to your bank, yes, you are screwed. Just as people can choose poor passwords (you have one daughter, Shelly, also noted on Facebook, and “Shelly” is your bank password), they can choose poor passpics.

That said, the public availability of an image does not necessarily make it inappropriate for use in a passpic set. For example, one could combine an image from Facebook, an image from Dropbox, and an image not uploaded anywhere else from their local computer to form a secure passpic set. As long as one passpic in the set is “private” (i.e., only available to you), the security remains very strong.
We already use images all the time in our digital lives. Because of their inherent advantages in terms of usability and security, it makes sense to leverage them in the form of passpics for authentication.

XSS Prevention in Four Simple Steps

Preventing Cross Site Scripting (XSS) attacks is a daunting task for developers. In short, XSS attacks are injection attacks in which data that is structurally significant in the current context changes the intended semantics and/or functionality. While there are great resources online that walk you through prevention techniques (one of the best security resources is The Open Web Application Security Project, or OWASP, website), it’s easy to get confused when you try to implement all of the necessary safeguards.

Below, I’ve outlined four simple steps that significantly lower the risk of XSS attacks against your website. By being a bit more restrictive, we can simplify our approach to preventing XSS

Continue reading XSS Prevention in Four Simple Steps

Obscurity by Security

What do I mean by “Obscurity by Security?” Keeping watch over the security requirements of simple applications, websites, large data stores containing sensitive information, or even the IT holdings of multi-million dollar corporations is unlike most other jobs.

When a team cranks out a new iteration of the product with significant UX enhancements, noticeable performance increases, or demonstrated results in analytics, techies and non-techies alike can realize the enhancements and verbalize praise for the effort. After trying out the new sign-up form, a CEO may exclaim in the weekly executive meeting, “Great job! The new sign-up really flies, and my wife loves the look.” An office assistant may point out over lunch that the new website looks great on their brand new smart phone. And, customers will sometimes go out of their way to contact the company to let someone know that “Cheryl Smith provided fantastic customer support by quickly helping me recover all of the images I’d thought I’d lost.”

Sure, the feedback isn’t always positive (sometimes the CEO hates the new sign-up form, etc.), but the potential for fellow employees, industry peers, and/or general customers to notice and compliment nice work is there.

When do those in charge of security

Continue reading Obscurity by Security

Java, I’m growing weary and leery

Java, you’re a practical, performant option for development across the gamut of hardware solutions. You have wooed some of the most brilliant language designers, and they’ve responded to your advances with new languages and runtimes that whisper sweet nothings into developers’ ears, all the while placating the cravings of managers for tried-and-true. But, you’ve changed, Java.

I used to, in my naive youth, pine for the security associated with your presence from afar, as I contrived my code to the whims of my clients’ environments. Now, I fear you’ll rise from the deep and snatch away the pleasure of my current fancy (Clojure) through yet another exploitation of your capricious complexity.