Why Password Protect Images?

Sometimes you need to share an image with specific people — not the entire internet. Password protection adds a gate: anyone with the link sees a lock screen instead of the image, and must enter the correct password to proceed.

Common scenarios:

  • Sharing private photos with family or friends via a link
  • Sending client mockups or design proofs that shouldn't be publicly visible
  • Distributing internal screenshots or documentation within a team
  • Protecting images posted in public forums where only certain members should access them

How to Set a Password

  1. Go to kinja-img.com and select your image
  2. Below the upload area, find the password field (labeled "Password (optional)")
  3. Type your chosen password
  4. Upload — the image is now password-protected

Share the viewer link as you normally would, and send the password separately (via a different channel for extra security — e.g., link via email, password via text message).

The password field is optional. If you leave it empty, the image is public as usual. You can also combine a password with an expiring link for double protection.

What Viewers See

When someone opens a password-protected image link, they see:

  1. A lock icon and "Password Protected" heading
  2. A password input field with an "Unlock" button
  3. After entering the correct password — the image loads normally with all viewer features (embed codes, QR code, image info)
  4. If they enter the wrong password — an error message appears and they can try again

After a successful unlock, a session cookie is set for 24 hours. This means the viewer won't need to re-enter the password if they revisit the same link within that period — they'll see the image immediately.

Security Details

Your password is never stored in plain text. Here's what happens behind the scenes:

  • The password is hashed with bcrypt (a one-way cryptographic hash) before being saved to disk
  • When a viewer enters a password, it's verified against the hash — the original password cannot be recovered
  • The session cookie contains a SHA-256 hash of the bcrypt hash, not the password itself
  • The image file itself is stored with an unguessable 20-character hex filename — the password protects the viewer page, while the filename protects the direct URL

This means even if someone somehow accesses the server's metadata files, they cannot reverse-engineer the password.

Tips for Strong Image Passwords

  • Use a passphrase — "blue-fish-sunset-42" is both strong and easy to communicate verbally
  • Don't reuse passwords — use a unique password for each image, especially for sensitive content
  • Send password separately — share the link via one channel (email) and the password via another (text/Slack) so both are needed
  • Combine with expiry — set a 1-hour or 24-hour expiry so the image auto-deletes even if the password is compromised
  • Use the delete link — save your delete token to manually remove the image once it's been viewed

Upload with Password Protection →