Ask HN: Why aren't images used as passwords?
We can all agree the state of password management on any platform isn't ideal, but some are better than others. Textual passwords are needed for some use cases obviously, but at large this isn't the case. With steganography or simple checksums alone I could easily see the possibilities that support the argument why images may be valid. Why would this not work in practice?
10 comments
[ 5.2 ms ] story [ 31.9 ms ] threadBoth cases seem worse than using a normal password or a more secure cryptographic key.
If you're going to change this up it would make more sense to move to a better protocol than "provide this fixed shared secret".
It's also useful to think about what the "root of trust" is in authentication flows. That is, the thing that can reset the password.
This might reasonably be email, an OIDC provider or a cloud account linked to your device vendor.
IMHO what would be really nice would be a decent ecosystem around WebAuthn. So ways to plug different providers into your browser / operating system. This would let you choose some combination of hardware keys, your preferred password manager or keys linked to your icloud/google account, for 1-click auth everywhere.
If it's more like a barcode or QR code (and JPEG resistant) that actually just encodes the real password, you're still relying on a camera, or the ability to copy-paste image data. This probably runs against the grain with what most users expect. I've never had to use an image file or webcam stream as a password before. I'd probably muddle through; but I'm not sure my mother would.
That said, I wouldn't mind more passwords and one-time-keys especially on printed materials coming as QR codes. Why do I need to type in a 24 character key from a gift card?