Entropy of Image-based Password
I wrote "The entropy of a combination of several images against automated brute force attacks? — It can easily exceed a million bits" in my previous post "Hypothesis? — Yes, it was Hypothesis Two Decades Ago".
I hear some people are suspicious of that figure. Let me try a simple calculation to show that it is not an overstatement.
A pixel usually requires 24 bits for full-colour rendering, so 50,000 pixels amount to 1.2 million bits. Assume that a credential is made from a combination of 5 images; each image then needs only 10,000 pixels (100 x 100) to reach 1.2 million bits, that is, 100 x 100 x 24 x 5 = 1,200,000.
Should we put a 1,000 x 1,000 image behind each 100 x 100 thumbnail, the data behind the combination of 5 images would be 120 million bits (1000 x 1000 x 24 x 5). Moreover, we could put any larger block of unique random data (gigabits, terabits and so on) behind the thumbnails that citizens need to identify. The burden on citizens will remain that of locating 5 images.
One caveat belongs here. The figures above are the length of the data from which the credential is derived. An attacker who already holds the whole image pool does not have to guess pixels; they only have to guess which 5 thumbnails were chosen, so against that attacker the unpredictability is bounded by the number of possible selections (5 picks out of a 100-image grid give about 75 million combinations, roughly 26 bits). The large hidden data pays off against an attacker who must reproduce the credential without access to the images, for example from a leaked hash alone.
Well, this feature is common to all the grid-formed picture passwords, not unique to our proposition. What makes our solution unique is that we enable and encourage citizens to make use of their non-volatile episodic image memory, say, images linked to their emotion-coloured personal experiences, making it possible to reliably generate and regenerate secret credentials on the fly. The burden on citizens will be that of locating 5 UNFORGETTABLE images embedded in decoy images.
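The two quantities discussed above, the bit-length of the data behind the chosen images and the number of selections an attacker who knows the pool must try, can be computed side by side. The following is an added example written for this page; it is not code from the author's product. The grid size, the pick count, the SHA-256 derivation, the pseudo-random stand-in for pixel data and the attacker model (unordered picks, attacker holds the full pool) are all assumptions made here for illustration.

```python
import hashlib
import math
import random
from itertools import combinations

# Assumed parameters for this example (not from the post): a grid of 100
# candidate images, 5 of which the user picks, 24-bit colour pixels.
GRID_SIZE = 100
PICKS = 5
BITS_PER_PIXEL = 24


def credential_bits(width, height, picks=PICKS, bpp=BITS_PER_PIXEL):
    """Bit-length of the pixel data behind the chosen images (the post's figure)."""
    return width * height * bpp * picks


def selection_entropy_bits(grid=GRID_SIZE, picks=PICKS, ordered=False):
    """Bits an attacker who already holds the image pool must guess:
    the choice of images, not their pixels."""
    count = math.perm(grid, picks) if ordered else math.comb(grid, picks)
    return math.log2(count)


def make_image_pool(grid, width, height, seed=0):
    """Constructed stand-in for image data: deterministic pseudo-random RGB
    bytes per image, so the example runs offline and reproducibly."""
    rng = random.Random(seed)
    nbytes = width * height * BITS_PER_PIXEL // 8
    return [rng.randbytes(nbytes) for _ in range(grid)]


def derive_credential(pool, chosen):
    """Regenerate the secret on the fly by hashing the chosen images' data.
    Picks are treated as unordered, so indices are sorted before hashing."""
    h = hashlib.sha256()
    for idx in sorted(chosen):
        h.update(pool[idx])
    return h.hexdigest()


def brute_force(pool, target, picks=PICKS):
    """Attacker model: holds the pool and a leaked credential hash, so the
    search space is the set of selections, regardless of image size.
    Returns the recovered selection and the number of candidates tried."""
    tries = 0
    for combo in combinations(range(len(pool)), picks):
        tries += 1
        if derive_credential(pool, combo) == target:
            return combo, tries
    return None, tries


if __name__ == "__main__":
    print("data behind 5 x 100x100 images:  ", credential_bits(100, 100), "bits")
    print("data behind 5 x 1000x1000 images:", credential_bits(1000, 1000), "bits")
    print("selection entropy, 5 of 100, unordered: %.2f bits"
          % selection_entropy_bits(100, 5))
    print("selection entropy, 5 of 100, ordered:   %.2f bits"
          % selection_entropy_bits(100, 5, ordered=True))
    # Small grid so the exhaustive search finishes instantly.
    pool = make_image_pool(grid=12, width=4, height=4)
    secret = derive_credential(pool, (2, 5, 9))
    found, tries = brute_force(pool, secret, picks=3)
    print("attacker with the pool recovered", found, "after", tries, "tries")
```

Enlarging the images (or the hidden data behind the thumbnails) raises `credential_bits` without changing `selection_entropy_bits`, which is why the caveat above matters: the pool itself must stay out of the attacker's hands for the larger figure to be the relevant one.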
By the way, while it is the text-only password system that frustrates people intolerably, some people apparently love to turn that into frustration over the password as a whole.
It is really odd. If we dislike the password, we would naturally dislike the text-only password, which is a part of the password. Can the reverse be valid?
Should you dislike an old male lion, would you automatically dislike the whole cat family, newborn cubs included? Is a subordinate category interchangeable with a superordinate category?