The Problem With Windows 8's Picture Password

alphadogg writes "The Windows 8 feature that logs users in if they touch certain points in a photo in the right order might be fun, but it's not very good security, according to the inventor of RSA's SecurID token. 'It's cute,' says Kenneth Weiss, who now runs a three-factor authentication business called Universal Secure Registry. 'I don't think it's serious security.' The major downside of the picture password is that drawing a finger across a photo on a touch screen is easy to video record from a distance — making it relatively easy to compromise, he says."
This discussion has been archived. No new comments can be posted.

  • Video?! (Score:5, Interesting)

    by Anonymous Coward on Thursday December 22, 2011 @06:38PM (#38465718)
    Just look at the greasy finger marks
  • Re:Video?! (Score:5, Interesting)

    by pclminion ( 145572 ) on Thursday December 22, 2011 @06:42PM (#38465780)

    Right. Because other than logging in, nobody ever touches the screen of their touchscreen device. Furthermore, typing a password on a touchscreen keyboard doesn't leave smudges that could be seen by anyone... Come on dude.

    I actually have a BUILD tablet (the ones MS handed out in September) and I use the picture login. It keeps the tablet private enough for my purposes. Of course, my password is to simply triple-tap on a particular spot on the image, so it doesn't leave a grease trail that stands out, particularly.

  • Re:Video?! (Score:5, Interesting)

    by hawguy ( 1600213 ) on Thursday December 22, 2011 @07:13PM (#38466068)

    Even in the worst-case scenario where the computer was used for nothing but logging in with the picture password, the math works out that it's still more reliable than the 4-digit pin that many other devices use.

    I'm not so sure I trust the math, since the math is only part of the equation. (no pun intended...well, maybe it was)

    They claim that a 3 tap password has 2.7M combinations, but that's only true if each of the coordinates on the screen was equally likely to be tapped.

    But if the security image is a photo with 2 people and a dog, against a white wall it's pretty likely that I can guess where the taps are, so I only have to guess the order.

    Likewise, instead of a single line resulting in 1,949 unique gestures, in reality there are only 6 likely candidates. (and I bet most of the time if I draw the line from the face of the guy holding the dog's leash to the dog, then I'll have guessed correctly)

    Sure, someone may decide to tap on the lower left corner of the blank wall to make their passcode more secure, but the average person will probably stick with the faces.

  • by DanLake ( 543142 ) <slashdot AT lakepage DOT com> on Thursday December 22, 2011 @07:55PM (#38466484)

    How the hell do you typo QWERTY?

    Good question and thank you kind AC for pointing it out. I guess it happened because my fingers don't willingly type misspelled words and I type 'query' about a million times more often than I type qwerty.

  • Re:Video?! (Score:4, Interesting)

    by cbhacking ( 979169 ) <been_out_cruisin ... AT yahoo DOT com> on Thursday December 22, 2011 @10:34PM (#38467684) Homepage Journal

    The portion of the picture that is shown for Picture Password is cropped and moved around the screen, specifically to mitigate a "smudge attack".

  • Re:Video?! (Score:5, Interesting)

    by mysidia ( 191772 ) * on Thursday December 22, 2011 @11:07PM (#38467858)

    It's not about the probability of other fingerprints on the device - all you need is a fairly good idea of where someone has been tapping on a photo, and from the photo you will probably be able to guess which points they've used.

    So don't just have them tap on parts of a photo. Present a display showing 255 photos, each arranged into a little icon. And ask the user to "touch" the right icon.

    Once they've touched the first photo, show another display of 254 more photos, the photo they picked before can no longer be picked.

    After the user's chosen four different photos, from four disjoint lists of 255 photos, show a fifth photo that is algorithmically derived from their previous two choices.

    Their previous four choices combined with the points on the photo they select, form a password that is much more secure than what the average person uses and can remember as a password.

    There were at least 255 * 254 * 253 * 252 (4 billion) possible choices of photos they can pick, if the order of selection matters, and then after you add the unique points they chose on the fifth photo.

    You have a password that is much better than the person's daughter's name, or their middle name + phone number.

  • by DrXym ( 126579 ) on Friday December 23, 2011 @04:59AM (#38469400)
    1. Make the picture fairly small so people are not using pronounced movements to draw on it. i.e. don't fill the screen with the picture, use a part of it so the gestures are smaller.
    2. Distort the picture, e.g. scale, rotate, shear and offset by some random percentage each time so even if you observe the gesture or the smears on screen you cannot exactly reproduce them the next time. Apply a transform to turn the gesture back into coords relative to the original picture.
    3. Go one further and break the picture up into 8 or 9 pieces and while maintaining their relative position offset them from each other by some random spacing.
    4. Don't let users pick the picture. Ship some interesting pictures with lots of points of interest to minimize the chances someone could guess them.
    5. Provide a fallback mode that uses a password.

    All of these would help secure picture passwords and protect against snoopers.
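Step 2 of the list above, as an added example (not Microsoft's code and not from the thread): the picture is drawn through a random affine transform on each login, the user's screen taps are mapped back into the original picture's coordinates and compared with the stored taps, so screen coordinates captured in one session (by camera or smudge trail) do not verify under the next session's transform. The secret taps, the tolerance radius and the transform parameter ranges are constructed values.

```python
import math

# Constructed sample secret: three ordered taps in the ORIGINAL picture's
# coordinate space (a 400x300 picture); the values are illustrative only.
SECRET_TAPS = [(120, 80), (260, 90), (330, 220)]
TOLERANCE_PX = 12.0  # assumed acceptance radius, in picture pixels

def make_transform(scale, theta, shear, tx, ty):
    """Affine map picture -> screen: scale, horizontal shear, rotate, then offset.
    Returned as (a, b, c, d, tx, ty) with x' = a*x + b*y + tx, y' = c*x + d*y + ty."""
    cs, sn = math.cos(theta), math.sin(theta)
    return (cs * scale, cs * shear * scale - sn * scale,
            sn * scale, sn * shear * scale + cs * scale, tx, ty)

def random_transform(rng):
    """Fresh distortion for each login (rng e.g. random.SystemRandom()); ranges are assumptions."""
    return make_transform(rng.uniform(0.6, 0.9), rng.uniform(-0.25, 0.25),
                          rng.uniform(-0.2, 0.2), rng.uniform(0, 150), rng.uniform(0, 150))

def to_screen(t, pt):
    a, b, c, d, tx, ty = t
    return (a * pt[0] + b * pt[1] + tx, c * pt[0] + d * pt[1] + ty)

def to_picture(t, pt):
    """Invert the transform so a screen tap becomes a picture coordinate."""
    a, b, c, d, tx, ty = t
    dx, dy = pt[0] - tx, pt[1] - ty
    det = a * d - b * c
    return ((d * dx - b * dy) / det, (-c * dx + a * dy) / det)

def verify(t, screen_taps, secret=SECRET_TAPS, tol=TOLERANCE_PX):
    """Accept only if each tap, mapped back to picture space, lands within tol of its secret point, in order."""
    if len(screen_taps) != len(secret):
        return False
    return all(math.dist(to_picture(t, tap), s) <= tol for tap, s in zip(screen_taps, secret))

def user_taps(t, secret=SECRET_TAPS):
    """Screen positions a legitimate user taps under this login's transform (no finger jitter modelled)."""
    return [to_screen(t, p) for p in secret]

if __name__ == "__main__":
    session1 = make_transform(0.8, 0.1, 0.1, 40, 30)
    observed = user_taps(session1)          # what a camera or smudge trail would capture
    print("genuine login:", verify(session1, observed))                # True
    session2 = make_transform(0.7, -0.15, -0.05, 120, 90)
    print("replayed taps on next login:", verify(session2, observed))  # False
```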
