Finding a former Australian prime minister’s passport number on Instagram (2020)

97 guiambros 32 6/29/2025, 10:22:32 PM mango.pdf.zone ↗

Comments (32)

moneywaters · 47m ago
Also a security tip: mosaic like he used in the picture is not a safe way to hide sensitive data, especially one that has movement like in the gif where he is scrolling down; the mosaic changes and gives more data to reconstruct the original. The safe way is to fully black out, but be wary of not-plain-color, almost-opaque marker tools; it could look like a blackout, but playing with contrast will still reveal the data.
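
The redaction tip in the comment above, as an added example that is not part of the thread or the linked article: a pre-publication check that a redacted box holds exactly one pixel value. The sample image, `BOX` and all function names are constructed for illustration; a uniform box is a necessary check only and says nothing about metadata or editable layers.

```python
# Constructed 8-bit grayscale sample: light background (230) with dark strokes (20).
def make_sample(width=12, height=5):
    img = [[230] * width for _ in range(height)]
    for y in range(1, 4):
        for x in (2, 5, 6, 7, 9):
            img[y][x] = 20
    return img

BOX = (1, 1, 11, 4)  # x0, y0, x1, y1 of the area to hide (end-exclusive)

def marker(img, box, opacity_pct, colour=0):
    """Blend a flat colour over the box, as a marker or highlighter tool does."""
    x0, y0, x1, y1 = box
    out = [row[:] for row in img]
    for y in range(y0, y1):
        for x in range(x0, x1):
            out[y][x] = (opacity_pct * colour + (100 - opacity_pct) * img[y][x]) // 100
    return out

def mosaic(img, box, block):
    """Replace each block-wide tile of the box with its average value."""
    x0, y0, x1, y1 = box
    out = [row[:] for row in img]
    for bx in range(x0, x1, block):
        cells = [(x, y) for y in range(y0, y1) for x in range(bx, min(bx + block, x1))]
        avg = sum(img[y][x] for x, y in cells) // len(cells)
        for x, y in cells:
            out[y][x] = avg
    return out

def residual_levels(img, box):
    """Distinct values left inside the box; more than one means content survives."""
    x0, y0, x1, y1 = box
    return sorted({img[y][x] for y in range(y0, y1) for x in range(x0, x1)})

def safe_to_post(img, box):
    """True only when the box is one flat value, i.e. a fully opaque cover."""
    return len(residual_levels(img, box)) == 1

if __name__ == "__main__":
    src = make_sample()
    for name, out in [("mosaic", mosaic(src, BOX, 5)),
                      ("95% marker", marker(src, BOX, 95)),
                      ("100% black", marker(src, BOX, 100))]:
        verdict = "safe" if safe_to_post(out, BOX) else "LEAKS"
        print(name, residual_levels(out, BOX), verdict)
```
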
broodbucket · 3h ago
The story is a lot more enjoyable in conference talk form than written form imo https://www.youtube.com/watch?v=lijyQ_HAysA
Bilal_io · 4h ago
I believe this is the same story covered by Dark Diaries. Very interesting story. https://darknetdiaries.com/episode/84/
jampa · 45m ago
Reading the "Why is it bad for someone else to have your passport number?" is scary, especially since when traveling to countries like Spain and Italy, every Airbnb / Hotel requires you to send a picture of your passport. Japanese stores take your passport stamp picture for their tax-free, which contains the number on the page. Some embassies even take your passport for a few days before returning it with the visa.

Why do we treat passport numbers as passwords instead of a login?

creakingstairs · 9m ago
I once checked in at a pretty decent hotel in India and realised that they used re-used customers' passport scans and invoices to print wifi coupons! I strongly complained but I don’t really know if they’ve changed.
tomhow · 3h ago
Previously:

Finding a former Australian prime minister’s passport number on Instagram (2020) - https://news.ycombinator.com/item?id=34966909 - Feb 2023 (41 comments)

When you browse Instagram and find Tony Abbott's passport number - https://news.ycombinator.com/item?id=24488224 - Sept 2020 (340 comments)

ethan_smith · 2h ago
Despite being from 2020, this vulnerability persists in 2025 with many airlines still exposing sensitive data on boarding passes and luggage tags, making "don't post your boarding pass" still relevant security advice.
bawolff · 2h ago
How sensitive is a passport number actually? At first glance it seems like it should be, but is it actually? I honestly don't know.
selcuka · 2h ago
Online systems sometimes use it as an indicator to prove your identity. When combined with other sensitive data it can be useful for an identity thief.

Edit: The blog post also mentions this:

https://mango.pdf.zone/finding-former-australian-prime-minis...

moralestapia · 2h ago
Can you provide just one example of said systems?
throwaway422432 · 1h ago
Look up Australia's 100 point proof of identity which is used by Gov and most corporate entities in Australia.

A passport is a primary document (equivalent to a birth certificate) and gives you 60-70 points. It can't be used alone, but in conjunction with another id (forged or stolen) would allow for identity theft.

phs318u · 1h ago
Understanding that Australia doesn't have a Social Security ID (as the US does), might explain why passports play a similar role with respect to "proof of identity".
bigDinosaur · 49m ago
The Australian Tax File Number is presumably more similar to the Social Security ID? Millions of Australians don't have a passport. You don't need one for much - it's perhaps the easiest way of verifying citizenship if you already have one but not the only way.
SchemaLoad · 1h ago
Pretty sure you can use one to sign up for a phone number in Aus
soulofmischief · 1h ago
Wait hold on, you have to apply for phone numbers in Australia? You can't just grab a burner from Walmart?
SchemaLoad · 50m ago
Yes, every phone number gets linked to an ID. You can grab a sim from the supermarket but when you plug it in you've got to activate it which requires ID.
soulofmischief · 3m ago
I'm so sorry. Australia is such a draconian nanny state, hell-bent on surveillance and authoritarian control.

It always reminds me a lot of here in the US: Incredible land, a vast ecology, great history and subcultures, and some truly amazing people unfortunately drowned out by a staggeringly large population of loud morons who seem hellbent on voting in the worst possible people to run the whole thing, people who often couldn't care less about the things that make their country truly great, while leaning heavily on populism and deception as a means to retain power.

I wouldn't be surprised if the US eventually requires ID for phone numbers, either, the way things have been going.

dafelst · 1h ago
There is an example in the article
protocolture · 3h ago
I love this blog post. It's a classic.
imarkphillips · 37m ago
What a great story teller! Well done Alex.
coffeecoders · 2h ago
Love the humor. I am a fan of Alex's writing style!
LorenDB · 2h ago
It's a shame he apparently no longer blogs. His posts are gold.
ViscountPenguin · 2h ago
They/them based on their socials (and iirc, I think that's what they went by at Crikeycon) https://x.com/mangopdf
petesergeant · 2h ago
> Based on advice I got from two independent lawyers that was definitely not legal advice: I haven’t done a crime.

I will trust his lawyers are right _for Australia only_ (although I have my doubts, and would love to see their reasoning), but in the UK this feels like a clear breach of the Computer Misuse Act[0], and I can't recommend enough that you don't do this.

0: https://www.legislation.gov.uk/ukpga/1990/18/section/1

rao-d · 1h ago
Love it
santoshalper · 3h ago
Really interesting, but the writing was so bad I had to bail out halfway through.
tomhow · 2h ago
> I had to bail out halfway through

Telling us you didn't read the article is exactly the kind of unsubstantive comment we don't want on HN. The comments thread is for people who did read the article and have something to say about the content.

This kind of comment breaks the guidelines, particularly these ones:

Be kind. Don't be snarky. Converse curiously...

Don't be curmudgeonly. Thoughtful criticism is fine, but please don't be rigidly or generically negative.

Please don't fulminate. Please don't sneer....

Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith.

Please don't post shallow dismissals, especially of other people's work. A good critical comment teaches us something.

Please don't complain that a submission is inappropriate. If a story is spam or off-topic, flag it. Don't feed egregious comments by replying; flag them instead. If you flag, please don't also comment that you did.

Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting.

Please take a moment to remind yourself of the guidelines and make an effort to observe them in future.

https://news.ycombinator.com/newsguidelines.html

CAPSLOCKSSTUCK · 2h ago
Who asked?
decimalenough · 2h ago
tomhow is a HN moderator.
Bjartr · 2h ago
I think it was all written for the thing it was trying to be. Which is a casual humorous take on the journey this person went through with a little tech education sprinkled in. Any more formal or sophisticated and it would've lost some of the casual humor and been less an interesting journey. But did so in a way much less aggravating than what qualifies for a food recipe these days.
causal · 3h ago
I enjoy the meandering style but it did become a little long because of the meandering, glad I skipped ahead instead of just closing tho