I had the weirdest dream last night. Apropos of nothing, I was meeting with Ev Williams, cofounder of both Twitter and Blogger, in his office to talk about something I can’t recall. It’s weird because in real life I haven’t talked to Ev in six months, and I don’t know why he wandered into a dream, but I’m getting off track. Long ago, Ev had some trouble with password cracking, and as I walked into his office, we exchanged hellos and he turned to his computer to show me something, and before he could do anything, he had to login.
After tapping the keyboard to bring the operating system to life, his screen filled with a weird scan of a magazine page, and he tapped with his finger in several key places which lit up in red, in a specific sequence, then we saw his desktop (my quick finger-on-iPad mockups shown below). I stopped him and asked what exactly did I just see?
He said to thwart break-ins to his computer and accounts, every week he would grab a random page from a magazine, hold it up to his front-facing camera to take a shot of it, then would select a “password” by choosing a sequence and locations of things to tap on. I then asked if it could work for website logins too and he said yeah, the new WebRTC functionality would allow for such a thing. Then we moved on to talking about something else and I soon woke up.
It was an oddly specific dream, and I don’t normally remember this much detail, but I guess I knew at the time I was experiencing this that it might be a good idea in the real world and solve some problems people have with passwords. I’m no cryptography expert, so I don’t know if picking out features on a page is more random than coming up with strings of digits and letters. It would seem like on the surface, you could try and crack visual login systems like this with simple OCR and photo recognition, and simply make guesses to the bits that stand out the most. Another thing that came to mind in thinking about the security of this idea is how many possible tap points are there on a scanned page? Is it obviously much less than the number of possible keystrokes in a typical password? Finally, this would add an obvious problem to anyone with impaired vision, which current passwords don’t cause.
Anyway, in the spirit of sharing wacky ideas in my head in case someone else finds it useful, I present my goofy dream about image-based password security systems. Let me know if anyone builds such a thing someday.
update: Whoa, looks like Windows 8 has a sort of similar option called Picture Passwords, I imagine it could use a more complex image than a simple photo of a dog or a person and instead you could use something like a scan of a newspaper or magazine.