News & Analysis

Are image passwords the solution to our password problems? Aussie teen entrepreneur thinks so.

- August 12, 2014 4 MIN READ

It’s 2014, and we all know that as technology advances, so too does crime. But one thing hasn’t changed – our passwords. SplashData’s researchers found ‘123456’ to be the most common password for 2013, followed by ‘password’, ‘12345678’, ‘qwerty’ and ‘abc123’.

Before you facepalm in shame, let’s not forget that we live in a culture of convenience. So when it comes to passwords, there are really only two obvious options: pick a complex password that you’ll hardly remember or pick one so easy that hackers won’t even need to flex a brain muscle. There’s probably a middle ground, but not many people like treading the grey area.

As it turns out, there’s a third option: image passwords. And the man behind it is 18-year-old Aussie entrepreneur, Sam Crowther. Rather than having to remember dozens of complex passwords, Crowther thought ‘why not just use images instead?’  

Given how accustomed we’ve become to taking photos of everything with our smartphones, it makes sense to use images rather than characters for our passwords. Crowther’s startup uSig will allow us to do just that when it launches later in the year.

He unveiled his solution at PasswordsCon in Las Vegas last week, and received encouraging feedback from some of the world’s most renowned experts in passwords and password-cracking. In fact, he was the first Australian and 18-year-old to be invited to speak at the prestigious conference.

But when CNN Money picked up Crowther’s story last week, ‘armchair experts’ were quick to set the comments section ablaze with criticism. People were sharing their doubts about the security of using an image stored on a smartphone, as well as password resetting procedures. But Crowther told Startup Daily last week that these sceptics don’t yet understand the technology.

uSig allows the user to select a photo on their smartphone as their password to a service – whether it be Facebook or a bank application. The technology then converts that image into an incredibly long password – longer than what average minds would be able to remember. In fact, it’s about 512 characters long.

Crowther said that there’s two things that a password’s strength depends on two things – length and randomness. An image fulfils both criteria.

“Photographs are one of the greatest sources of entropy in the world. You can take two photographs milliseconds apart, but at a code level it will be completely different to each other. It’s very difficult to guess them,” Crowther said.

But what does an 18-year-old know, right? Wrong. Although Crowther started off as a programmer, he moved into information security at a young age. Whilst in 11th grade, Crowther did work experience at the Australian government’s Defence Signals Directorate. After graduating from high school, he did security consulting for BAE Systems Applied Intelligence. Having deferred university, Crowther now works in the information security department of an unnamed global financial institution, whilst building his own startup. Crowther may just be a teen, but upon speaking to him it’s clear he knows what he’s talking about.

According to CNN Money, Per Thorsheim, the Norwegian cybersecurity consultant who organised PasswordsCon, said Crowther’s idea is unproven, but shows promise. In the article’s comments section, sceptics are uncomfortable with the idea of using an image that is stored on the phone – which means the password is stored on the phone.

But Crowther clarifies that users get three attempts to guess the image. If all attempts fail, the user will be locked out of the account. Even if someone steals the smartphone, it will be difficult for them to guess which image has been used as the password. In the rare case that users don’t have hundreds of images stored on their smartphones, uSig will make it mandatory to have a two-digit pin along with the image password.

But if the user has hundreds of images in their phone gallery, wouldn’t it be difficult to guess which image they used as the password? Crowther said this is unlikely.

“What actually starts to happen is every time you take new photos, the position of the image password changes slightly, but only slightly. You actually adapt to that position change and it’s very easy to scroll up and click the right photo. As well as that, you know what photo you’re looking for, so as you scroll, you notice it easily,” he explained.

This means that keylogging software (malware) that spies on users won’t be able to uncover passwords very easily because the position of the image keeps changing.

If the user happens to delete the photo without changing their password first, they’ll be able to reset it. And in order to do that, they will undergo a verification process.

“It’s not the same as a regular password reset. We go through more steps to ensure the person is who they say they are,” Crowther said.

As well as that, uSig take steps to ensure the highest level of security around photographs. For example, all photographs are associated with the device that it’s stored on. Even if someone manages to steal all the data off it and move it onto a new device, the uSig program will detect that this is coming off an unknown device and block the connection right away.

When logging into a partnered service, uSig takes the user to their local image gallery, rather than extracting the images and storing the passwords inside the technology. Crowther explained, “We don’t want people’s photos leaving their phones. We decided that we want the photos to stay locally, so we don’t store them anywhere. They never actually leave the phone.”

The startup is currently in the process of securing partnerships with various companies, though no names were mentioned. Their technology will hopefully be implemented into multiple prominent applications by the end of this year. Crowther also said that after establishing uSig’s compatibility with smartphones, they’ll be developing the technology so that it can be used on laptops.

More information on uSig is available via usig-passwords.com.

Image: Sam Crowther. Source: News Corp.