Shoulder Surfing — Possibility and Probability

Hitoshi Kokumai
2 min read · Sep 10, 2023

“You are describing a bad password easily broken by simply observing which image you access”

This is a comment left on one of my recent posts on the merits of image-based identity authentication. It is not an isolated case: I have heard similar ‘criticism’ from time to time over the two decades since I started promoting image-based authentication.

Well, my response was: Are you imagining a situation in which you are so careless and reckless as to allow bad guys to take a video of you logging in? No password can survive such a stupid situation.

Assume a solution that is effective in fending off cyberattacks when people are careful about their security but fails to fend off attacks when people are careless and reckless about their own security. Would you call it a failure?

The issue could be generalised as “That there is a theoretical possibility is one thing; how probable it is in real life is another”.

- References -

“Image-based Login Misunderstood by Developers Themselves” (5 June 2023)

“Non-Existent Crypto Keys to be Regenerated from Image Memory when Needed” (8 Sep 2023)



Hitoshi Kokumai

Advocate of ‘Identity Assurance by Our Own Volition and Memory’, Inventor of Expanded Password System and Founder of Mnemonic Identity Solutions Limited in the UK.