An illustrated tour of my SiteKey secret images

Posted on July 20, 2015

Somehow, and I know this is hard to believe, my exposé of SiteKey’s failings six years ago wasn’t the final stake through its heart like I had hoped. SiteKey is still very much alive and just as useless as ever.

I hate it, and I hate putting up with their useless security theater[1]. But there is one bright spot: most SiteKey installations can be coaxed into giving you some gloriously weird pictures as your “secret image”. And if your institution makes use of the even-less-justifiable feature of setting a caption for your secret image, you can pair your bizarre image with an equally fitting caption. Your secret image is still useless as far as protecting your account, but at least it will make you smile.

Certainly I am taking a grave risk[2] in sharing this private information with you. But the world needs to know. I present to you the various SiteKey images and captions I have used over the years:

[Image, captioned: Jokes]

[Image, captioned: Pop culture references]

[Image, captioned: Sometimes it’s nice to just be literal.]

[Image, captioned: How could you not pick this?]

[Image, captioned: I never found an answer to my question.][3]

The trick to getting this sort of result for yourself is simple. Most SiteKey systems let you page through sets of images as you’re picking. But with a sort of adorable dedication to detail in their ultimately useless system, these are not discrete pages from a limited set of images. Each “page” is actually a randomized set pulled from some vast store of stock photos. So you can click the next-page button as many times as you like[4], giving you access to a virtually unlimited set of images. With this much choice, it’s only a matter of time before some strange results appear.

For the caption, though, you’re on your own.

  1. Anyone else think that the TSA’s expansion of Pre-Check is really just a way to phase out all their failed policies without ever admitting that any of it was a mistake?

  2. I estimate that the security impact of making my secret images public reduces SiteKey’s effectiveness by roughly 50%, from an original value of 0% protection to a new value of 0% protection.

  3. For some inexplicable reason, ING Direct implemented a very strict profanity filter on the secret caption. I could never figure that one out. It’s a secret phrase, right? Are they worried about my past self offending my future self?

  4. I did encounter one SiteKey system that limited the number of available pages. However, this was merely a front-end constraint, and with a little bit of JavaScript tinkering I was able to generate new requests that the back-end happily fulfilled with more images.