Windows 8's Picture Passwords Weaker Than Users Might Hope

colinneagle writes with word of work done by researchers at Arizona State University, Delaware State University and GFS Technology Inc., who find that the multiple-picture sequence security option of Windows 8 suffers from various flaws -- some of them specific to a password system based on gestures, and some analogous to weaknesses in conventional passwords entered by keyboard. "The research found that the strength of picture gesture password has a 'strong connection' to how long a person spent setting up that password gesture. The most common gesture combination is three taps, meaning it took about 4.33 — 5.74 seconds to setup. Passwords with two circles and one line took the longest average input time of about 10.19 seconds. After studying why people choose certain categories of images, the most common gesture types and direction patterns in PGA passwords, the researchers developed an attack framework that is 'capable of cracking passwords on previously unseen pictures in a picture gesture authentication system.'"

Re:

[Jeremiah Cornelius]

That's why I bought a Saturn.

Yeah, but Microsoft has Uranus.

Re:

[Anonymous Coward]

That's why the one finger salute isn't a good picture password any longer since it became the popular reaction after trying to use Win8.

Re:

[roc97007]

The NSA doesn't need to.

Boop!

[Anonymous Coward]

Apparently circling the guy's bald head, and booping the girls on the noses is the 12345 of picture password gestures.

Re:

[RaceProUK]

Allow me to be the first - it boots up really quickly ;)

Re:

[chuckinator]

I don't understand why a bunch of Fisher-Price crap belongs on a computer in the first place unless you've got a 3 year old. I would still keep the access controls locked down to an adult level.

Not good idea to use passwords a monkey can enter

[JoeyRox]

Three bananas and I can get my monkey to crack any gesture-based Windows 8 password. And for an additional banana he'll even throw his feces at the screen.

Re:Not good idea to use passwords a monkey can ent

[Jeremiah Cornelius]

Three bananas and I can get my monkey to crack any gesture-based Windows 8 password. And for an additional banana he'll even throw his feces at the screen.

Windows 8?

Who DOESN'T throw their feces at the screen?

Re:Not good idea to use passwords a monkey can ent

[roc97007]

My boss hates it when we do that.

Re:

[Jeremiah Cornelius]

My boss hates it when we do that.

You STILL workin' for Ballmer!??!

Re: Not good idea to use passwords a monkey can en

[jd2112]

You misunderstand. Ballmer is the monkey.

Re:

[JasterBobaMereel]

Obligatory xkcd "https://xkcd.com/936/"

It was never intended to be super strong

[Barlo_Mung_42]

There is also an option to log in with a pin like on a phone. Both are meant there for convenience, not to be a strong lock. In order to take advantage of either an attacker would need physical access.

Re:It was never intended to be super strong

[HideyoshiJP]

Exactly this. Passwords like picture and PIN passwords are meant to keep your kids from installing software and/or getting to your porn collection/browser history. These types of passwords aren't exactly meant to keep you safe from more nefarious individuals.

Re:

[Xicor]

the objective of a bios password is to keep someone from accessing the bios. if you want to keep someone off your computer, you encrypt your hard drive

Re:

[Demonantis]

Bios passwords reset if you short out pins on the mobo. That is what he was trying to say. Physical access means your are screwed even if you encrypt since a keylogger could be installed. Or near by access where they can pull the key strokes from the air. [theregister.co.uk]

Re:

[jones_supa]

BIOS password would still improve security. It would take more time for the attacker to open the case, find the location of the reset pins and then reset the CMOS settings and close the case. If the attacker is only after the low-hanging fruit, he might not bother to even do open the machine and go away. Or maybe the attacker does not even know that you could reset the p/w by shorting out a couple of pins.

So, even if some security feature isn't perfect, it might add some extra obstacles to the attacker, whi

Re:

[Xicor]

if you REALLY want to protect something, nest encrypted drives inside other encrypted drives.

Re:

[f3rret]

BIOS password would still improve security. It would take more time for the attacker to open the case, find the location of the reset pins and then reset the CMOS settings and close the case. If the attacker is only after the low-hanging fruit, he might not bother to even do open the machine and go away. Or maybe the attacker does not even know that you could reset the p/w by shorting out a couple of pins.

So, even if some security feature isn't perfect, it might add some extra obstacles to the attacker, which is a still good thing.

You don't really need to find the CMOS reset jumper, just yank the battery from the mobo and the thing will reset as well. Sure, the computer will throw up a warning next time you boot it, but many computers will do that too if you reset the BIOS via the switch.

Re:

[jones_supa]

Pah, amateurs! At least enable NAT, which is a synonym to "ultimate firewall". To remove the last doubt of security, hide your WiFi SSID, which means your network is completely cloaked like a stealth fighter.

Re:

[lxs]

In the future please write that as PIN.
I spent five minutes wondering how you log in by sticking a pin in a phone and why that would be the secure option.

Re:

[Anonymous Coward]

Five minutes huh? Are you retarded?

Re:

[NotQuiteReal]

Maybe he started with a long-ish pin... and stuck it in his ear.

Re:

[Barlo_Mung_42]

You threaten the person with the pin until they enter their PIN.

Re:

[cheater512]

It is a important distinction to make.

Some security researchers awhile ago did break in to a secure door lock with just a pin (not PIN) poked through a LED.
Do it properly and you short two contacts which unlock the door without the correct PIN.

Re:

[Anonymous Coward]

Also, you only get 3 chances before you need to use the real password.

Re:

[RaceProUK]

Not everyone requires enterprise-grade security. Sometimes all you need is enough to deter people, and these 'picture passwords' fit that requirement nicely.

another poor article

[Anonymous Coward]

The technology is not weaker at all. It simply suffers the same problem as all user generated input, users pick simple passwords, simple passwords can be hacked. Those that think a bit and create a complex picture password actually have a significantly more secure local authentication system.

psychology too

[holophrastic]

Yes, and general psychology can also predict what a person would choose on a given image -- i.e. what they consider foreground.

Good news, we have a dumb solution to the problem. "Your gesture must include at least one background element, one foreground element, and one circle."

Uhuh.

Re:

[Em Adespoton]

Yes, and general psychology can also predict what a person would choose on a given image -- i.e. what they consider foreground.

Good news, we have a dumb solution to the problem. "Your gesture must include at least one background element, one foreground element, and one circle."

Uhuh.

I like picture passwords... they let me provide a distraction while I write "12345" on the trackpad, irrespective of the image displayed. Of course, the benefit of this would be gone if everyone started doing it; but the security is roughly similar to entering a password with a keyboard (as long as you pick a strong one).

Re:

[holophrastic]

Nice; I approve.

Re:

[LordLimecat]

but the security is roughly similar to entering a password with a keyboard

Not really, but its good to see security theatre is alive and well.

Well

[Lirodon]

As a joke while testing one of the betas, I tried to see if I could beat my friend's picture password. Somehow I got it on the first try.

Re:

[denzacar]

It's usually the parts of the screen with all the smudges and fingerprints.

multiple-picture sequence security

[dbIII]

Are Microsoft future proofing against a collapse of the US education system or something?

Swipe passwords are weak

[LoRdTAW]

When I received my first Android phone some years back I used the screen lock which uses the 3x3 pattern of circles or dots and a swipe pattern. It didn't take long for me to realize that when you swipe the screen you leave behind a big smudged trail of finger grease across the screen. If you hold the phone sideways in the light or use a bright flashlight, the smudged grease trail completely gives your swipe password away including the beginning and end. The start of the trail is a big blotch while the tail end is faded as you lift your finger. Now this trail can be wiped off purposefully by the user or accidentally by means of placing it in a pocket/purse where the users body movement jostles the phone around polishing the screen clean. But if you leave your phone out or store it in such a way that the screen does not get cleaned by clothing or purse then you're in trouble.

I have unlocked a few of my friends phones using my little LED flashlight I carry as a party trick and they were stunned. Most of them had very simple patterns requiring little effort. Even my swipe password is weak but using all nine dots in an obscure manner is difficult or clumsy.

I would imagine the Windows 8 picture touch password suffers the same problem as you can look at the screen and see where it was touched and guess the pattern.