Security Windows Technology

The Problem With Windows 8's Picture Password

alphadogg writes "The Windows 8 feature that logs users in if they touch certain points in a photo in the right order might be fun, but it's not very good security, according to the inventor of RSA's SecurID token. 'It's cute,' says Kenneth Weiss, who now runs a three-factor authentication business called Universal Secure Registry. 'I don't think it's serious security.' The major downside of the picture password is that drawing a finger across a photo on a touch screen is easy to video record from a distance — making it relatively easy to compromise, he says."
  • Re:Another problem (Score:5, Informative)

    by adonoman ( 624929 ) on Thursday December 22, 2011 @06:42PM (#38465778)
    Then you can use the actual password on the on-screen keyboard. The picture password is just an optional convenience feature.
  • Re:Another problem (Score:4, Informative)

    by Capt.DrumkenBum ( 1173011 ) on Thursday December 22, 2011 @06:53PM (#38465880)
    They WILL forget their password. We have laptops here with fingerprint scanners. Everyone who uses the scanner (optional) has forgotten their password.
  • by Baloroth ( 2370816 ) on Thursday December 22, 2011 @06:53PM (#38465886)
    "Good" is in this case equivocal. Are picture passwords highly secure? Probably not. So they aren't very good in that sense. Are they easy to use and secure enough for most purposes? Yes, making them extremely good for the average user. Which makes them better security in many ways than multi-factor authentication, which would be absurd for a tablet device that isn't carrying top-secret documents. As people have pointed out many times, complex security often ends up being less secure, as the user has to find ways of remembering long passwords, gets sick of the wasted time and just uses "1234" for both of the redundant passwords, or just turns off the security as soon as they can or ignores it entirely (Windows UAC under Vista).
  • by Opportunist ( 166417 ) on Thursday December 22, 2011 @06:59PM (#38465958)

    You remember the passwords of the old days that your users had? That were the names of their loved ones, their birthday or the ever popular "test", "password" and "12345"?

    Guess what, they'll get a revival. For the same damn reason: People have no idea about security and they don't give a fuck about it. They prefer easy to remember passwords to secure ones. Just that with picture passwords, unlike standard typed ones, it's kinda hard to implement password security standards.

    Why is it more insecure than typed passwords? Well, take your average photo. Now imagine what 4 points a person might be touching in it. Can you spot more than 6 "sensible" spots? People will choose points in the picture that stand out, and there won't be many more than 4-6 points that stand out. Unless some kind of 3-strikes rule gets implemented (not bloody likely on a private computer, or even corporate computers after helpdesk had to reset the password for the n-th time because people failed to hit the right spot on their picture), it just takes rather few attempts at "connect-the-dots" before you find one that fits.

  • Re:Video?! (Score:5, Informative)

    by peragrin ( 659227 ) on Thursday December 22, 2011 @08:09PM (#38466590)

    You must not use finger touch tablets very often.

    I can always tell when someone plays a certain game on my phone, iPad, Nook Color. Why? Because the oil streaks have a pattern to them. Certain games leave specific patterns. You may not know which is the beginning, but if 1/3 of the screen doesn't have any oil on it then those parts are ones you don't have to think about.

    Take a standard password of 12 keys. Now with a glance eliminate 75 out of 101 keys on the keyboard. It becomes a whole lot easier to brute force now.

  • Re:Video?! (Score:5, Informative)

    by Mia'cova ( 691309 ) on Thursday December 22, 2011 @08:22PM (#38466692)

    The math used for comparison typically assumes that there are 10 points of interest in an image. Obviously there's a range depending on the image but most have at least 10. Just don't use Japan's flag as your image and you should be okay. Since lines are directional, when you say 6 likely candidates for lines, that works out to three points of interest: A->B, A->C, B->A, B->C, C->A, C->B. So that really isn't true at all.

    The meaty bit at the end of their math is this: "Assuming the average image has 10 points of interest, and a gesture sequence length of 3, there are 8 million possible combinations, making the prospect of guessing the correct sequence within 5 tries fairly remote."

    The table at the bottom is good to look through.
    http://blogs.msdn.com/b/b8/archive/2011/12/16/signing-in-with-a-picture-password.aspx

    Bottom line, for 3 gestures on a typical image, 8 million > [10,000 to 1,000,000] (possibilities for a 4 to 6-digit pin, the valid comparison for this)
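
The arithmetic behind Mia'cova's comparison, and Opportunist's "only 4-6 spots stand out" objection two comments up, as an added example written for this page (not code from the thread, from the commenters, or from Microsoft). The gesture model is an assumption and is deliberately simpler than Microsoft's table: each gesture is either a tap on one of n points of interest (n choices) or a directed line between two distinct points (n*(n-1) choices, because A->B and B->A are different gestures, as the comment notes). Circles, which Windows 8 also accepts, are left out and Microsoft counts gestures differently, so these numbers do not reproduce the 8 million figure quoted above; they illustrate the shape of the argument, not Microsoft's result. The point labels and the "4 salient points" figure are constructed for the example.

```python
"""Gesture-space arithmetic for a picture password.

Added example for this thread; not code from Slashdot, the commenters, or
Microsoft. Model (an assumption): one gesture is a tap on one of n points
of interest, or a directed line between two distinct points. Circles are
omitted, so counts here are a lower bound and do not match Microsoft's table.
"""
from itertools import product
from typing import Iterator, Sequence, Tuple

Gesture = Tuple[str, ...]


def directed_lines(n_poi: int) -> int:
    """Directed lines between n points: A->B and B->A count separately."""
    return n_poi * (n_poi - 1)


def gestures_per_step(n_poi: int) -> int:
    """Choices at one position of the sequence: taps plus directed lines."""
    return n_poi + directed_lines(n_poi)


def gesture_space(n_poi: int, length: int) -> int:
    """Number of distinct gesture sequences of the given length."""
    return gestures_per_step(n_poi) ** length


def pin_space(digits: int) -> int:
    """Number of distinct numeric PINs, the comparison Mia'cova uses."""
    return 10 ** digits


def effective_space(n_poi: int, salient: int, length: int) -> int:
    """Opportunist's objection: if users only ever pick from `salient` of the
    n points (the ones that stand out), an attacker who knows that only has
    to search the space built from those points."""
    return gesture_space(min(n_poi, salient), length)


def guess_probability(space: int, tries: int) -> float:
    """Chance of hitting one uniformly chosen secret within `tries` distinct
    guesses, e.g. before a 5-strike lockout."""
    return min(1.0, tries / space)


def enumerate_gestures(points: Sequence[str]) -> list:
    """Every single gesture on the given labelled points: the attacker's
    per-step dictionary under this model."""
    taps = [("tap", p) for p in points]
    lines = [("line", a, b) for a in points for b in points if a != b]
    return taps + lines


def all_sequences(points: Sequence[str], length: int) -> Iterator[Tuple[Gesture, ...]]:
    """Brute-force dictionary: every gesture sequence of the given length.
    Its size equals gesture_space(len(points), length)."""
    return product(enumerate_gestures(points), repeat=length)


if __name__ == "__main__":
    for n in (3, 6, 10):
        print(f"{n:2d} POIs: {gestures_per_step(n):4d} gestures/step, "
              f"{gesture_space(n, 3):>9,d} sequences of 3")
    print("4-digit PIN:", f"{pin_space(4):,d}", " 6-digit PIN:", f"{pin_space(6):,d}")
    # Constructed scenario: a 10-POI image whose user only touches the 4 obvious spots.
    space = effective_space(10, 4, 3)
    print("10 POIs but only 4 used:", f"{space:,d}",
          "sequences; P(hit in 5 tries) =", f"{guess_probability(space, 5):.4f}")
```

Even this stripped-down model gives a 10-point image with three gestures a million sequences, already past a 4-digit PIN, which is the comment's point. Under Opportunist's assumption that users only touch the 4 spots that stand out, the same image collapses to 16 gestures per step and 4,096 sequences, below a 4-digit PIN, and the 5-try lockout is what keeps the hit rate near 0.1%. Both commenters are right about their own premises; the disagreement is over which premise holds for real users.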

  • Re:Video?! (Score:2, Informative)

    by Anonymous Coward on Thursday December 22, 2011 @08:34PM (#38466776)

    "...without proof that most people will choose easy-to-guess gestures is just as fallacious as just giving the number of unique combinations"

    Considering the amount of evidence out there proving that, left to their own devices, a large majority of people already use easily guessable passwords (NYT, 2011 Worst Password Study, and on, and on...), this isn't a stretch at all.
    In fact, your non-logic deserves a spanking considering how easy a simple web-search is on this subject. Try a little harder next time.

  • Re:Video?! (Score:2, Informative)

    by Anonymous Coward on Thursday December 22, 2011 @10:41PM (#38467740)

    I take it you haven't tilted your touchscreen to see the smooth path that is worn in at the most used points on the screen.

    This is a problem with Android's pattern lock and the screen protector film overlays.

    Over time, the film develops a smoothness along the path where your finger glides in order to trace out the lock pattern.

    Guessing someone's lock pattern is as simple as tilting the device to make light reflect in a way that reveals the differences in roughness on the screen protector film.

  • Re:Video?! (Score:5, Informative)

    by pruss ( 246395 ) on Thursday December 22, 2011 @11:05PM (#38467848) Homepage

    There is still the question of getting the swipes in the right order.

    When I wrote a PictureLogin beta app for Palms (back in 2007; no, it's not prior art for the MS patent, as it was tap-only rather than swipe), I made PictureLogin act as a quick login screen, with an immediate fallback to the default passkey login if it failed. It would be very unlikely an attacker would get in on the first try, but it would allow users to have a very fast login with as few as two taps, or maybe even with only one if one was willing to take a risk. That would also help with the fingerprint problem. I think I was also thinking about some security-by-obscurity options, such as a user using some fake form as their PictureLogin image, so that someone who stole or found the device would not know that it's actually a PictureLogin login screen. You turn it on, and you see some normal Palm screen. You tap once or twice in the right place(s) and you're in, and you tap even once in the wrong place and fall back. I never got around to a full release of PictureLogin, though the code is open source.
