Windows 8's Picture Passwords Weaker Than Users Might Hope

Posted by timothy
from the they-look-fine-at-fort-meade dept.
colinneagle writes with word of work done by researchers at Arizona State University, Delaware State University and GFS Technology Inc., who find that the multiple-picture sequence security option of Windows 8 suffers from various flaws -- some of them specific to a password system based on gestures, and some analogous to weaknesses in conventional passwords entered by keyboard. "The research found that the strength of picture gesture password has a 'strong connection' to how long a person spent setting up that password gesture. The most common gesture combination is three taps, meaning it took about 4.33 — 5.74 seconds to set up. Passwords with two circles and one line took the longest average input time of about 10.19 seconds. After studying why people choose certain categories of images, the most common gesture types and direction patterns in PGA passwords, the researchers developed an attack framework that is 'capable of cracking passwords on previously unseen pictures in a picture gesture authentication system.'"

  • Boop! (Score:3, Funny)

    by Anonymous Coward on Thursday September 05, 2013 @05:56PM (#44769681)

    Apparently circling the guy's bald head, and booping the girls on the noses is the 12345 of picture password gestures.

  • by JoeyRox (2711699) on Thursday September 05, 2013 @06:00PM (#44769717)
    Three bananas and I can get my monkey to crack any gesture-based Windows 8 password. And for an additional banana he'll even throw his feces at the screen.
  • by Barlo_Mung_42 (411228) on Thursday September 05, 2013 @06:07PM (#44769795) Homepage

    There is also an option to log in with a pin like on a phone. Both are meant there for convenience, not to be a strong lock. In order to take advantage of either an attacker would need physical access.

    • by HideyoshiJP (1392619) on Thursday September 05, 2013 @06:23PM (#44769923)
      Exactly this. Passwords like picture and PIN passwords are meant to keep your kids from installing software and/or getting to your porn collection/browser history. These types of passwords aren't exactly meant to keep you safe from more nefarious individuals.
    • by lxs (131946)

      In the future please write that as PIN.
      I spent five minutes wondering how you log in by sticking a pin in a phone and why that would be the secure option.

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        Five minutes huh? Are you retarded?

      • You threaten the person with the pin until they enter their PIN.

      • It is an important distinction to make.

        Some security researchers a while ago did break into a secure door lock with just a pin (not PIN) poked through an LED.
        Do it properly and you short two contacts which unlock the door without the correct PIN.

    • by Anonymous Coward

      Also, you only get 3 chances before you need to use the real password.

  • by Anonymous Coward
    The technology is not weaker at all. It simply suffers the same problem as all user generated input, users pick simple passwords, simple passwords can be hacked. Those that think a bit and create a complex picture password actually have a significantly more secure local authentication system.
  • by holophrastic (221104) on Thursday September 05, 2013 @07:28PM (#44770385)

    Yes, and general psychology can also predict what a person would choose on a given image -- i.e. what they consider foreground.

    Good news, we have a dumb solution to the problem. "Your gesture must include at least one background element, one foreground element, and one circle."


    • Yes, and general psychology can also predict what a person would choose on a given image -- i.e. what they consider foreground.

      Good news, we have a dumb solution to the problem. "Your gesture must include at least one background element, one foreground element, and one circle."


      I like picture passwords... they let me provide a distraction while I write "12345" on the trackpad, irrespective of the image displayed. Of course, the benefit of this would be gone if everyone started doing it; but the security is roughly similar to entering a password with a keyboard (as long as you pick a strong one).

  • by Lirodon (2847623)
    As a joke while testing one of the betas, I tried to see if I could beat my friend's picture password. Somehow I got it on the first try.
  • Are Microsoft future proofing against a collapse of the US education system or something?
  • by LoRdTAW (99712) on Friday September 06, 2013 @07:58AM (#44773471)

    When I received my first Android phone some years back I used the screen lock which uses the 3x3 pattern of circles or dots and a swipe pattern. It didn't take long for me to realize that when you swipe the screen you leave behind a big smudged trail of finger grease across the screen. If you hold the phone sideways in the light or use a bright flashlight, the smudged grease trail completely gives your swipe password away including the beginning and end. The start of the trail is a big blotch while the tail end is faded as you lift your finger. Now this trail can be wiped off purposefully by the user or accidentally by means of placing it in a pocket/purse where the user's body movement jostles the phone around polishing the screen clean. But if you leave your phone out or store it in such a way that the screen does not get cleaned by clothing or purse then you're in trouble.

    I have unlocked a few of my friends' phones using my little LED flashlight I carry as a party trick and they were stunned. Most of them had very simple patterns requiring little effort. Even my swipe password is weak but using all nine dots in an obscure manner is difficult or clumsy.

    I would imagine the Windows 8 picture touch password suffers the same problem as you can look at the screen and see where it was touched and guess the pattern.
