Microsoft's swipe'n'swirl pic passwords LESS secure than PINs, warn researchers
Windows 8 and Windows RT come with a feature called Picture Passwords. Users can choose any picture, and then “annotate” it with three finger movements: tapping a point, drawing a stroke, or sweeping a circle. This pattern becomes a user’s means to open or unlock a device as an alternative to a text password or PIN unlock code. The picture helps you to remember where you made the gestures, so you can repeat them reliably enough to pass the test and unlock your device.

Four security researchers from Arizona State University and Delaware State University tried to measure the safety of picture passwords in a research paper, titled On the Security of Picture Gesture Authentication (PDF). The paper was presented at last month’s USENIX Security Symposium (summary and video here).

Microsoft’s own paper on the design, implementation and likely strength of picture passwords estimates that there are just over 1.155 billion possible picture passwords if three gestures are used. That sounds like a lot, but is “only about four times as many as there are six-character passwords using the characters A to Z,” says security watcher Paul Ducklin. “No-one is seriously suggesting six-character, letters-only passwords these days,” he notes in a post on Sophos’s Naked Security blog.

The research paper suggests that Microsoft implement a picture-password-strength meter, similar to systems that prevent people from choosing weak text-based passwords. It also suggests that Microsoft integrate the researchers’ PGA attack framework to inform users of the potential number of guesses it would take to access their system.
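Added example, not from the article, from Microsoft or from the USENIX paper: a short Python model of why a raw keyspace count such as the 1.155 billion figure overstates strength when users' choices cluster on a few popular gestures, which is also the reasoning behind the strength-meter and guess-count suggestions above. The keyspace figures are the ones quoted in the article; the `ChoiceModel` class, the four-digit PIN comparison, and the skew the model is run with (1,000 popular gesture sets carrying half of all users' choices) are assumptions made for illustration, not measured results.

```python
import math
from dataclasses import dataclass

# Figures quoted in the article. The PIN keyspace is added for comparison.
PICTURE_PASSWORDS_3_GESTURES = 1_155_000_000   # Microsoft's estimate, "just over 1.155 billion"
SIX_LETTER_AZ = 26 ** 6                        # six characters from A to Z: 308,915,776
FOUR_DIGIT_PIN = 10 ** 4                       # a typical four-digit PIN (assumed for comparison)


def keyspace_bits(n: int) -> float:
    """Bits of entropy a keyspace of n choices offers *if* every choice were
    equally likely. This is the optimistic number a raw count implies."""
    return math.log2(n)


def keyspace_ratio(a: int, b: int) -> float:
    """How many times larger keyspace a is than keyspace b."""
    return a / b


@dataclass(frozen=True)
class ChoiceModel:
    """Constructed model of how users actually pick from a keyspace of size n:
    `hot` popular choices carry `hot_mass` of the total probability and the
    remaining n - hot choices share the rest uniformly.
    ChoiceModel(n, n, 1.0) is the ideal, uniformly random case."""
    n: int
    hot: int
    hot_mass: float

    def __post_init__(self) -> None:
        if not 0 < self.hot <= self.n:
            raise ValueError("hot must be in 1..n")
        if not 0.0 < self.hot_mass <= 1.0:
            raise ValueError("hot_mass must be in (0, 1]")
        if self.p_cold > self.p_hot:
            raise ValueError("popular choices must be at least as likely as the rest")

    @property
    def p_hot(self) -> float:
        """Probability that a user picked one particular popular choice."""
        return self.hot_mass / self.hot

    @property
    def p_cold(self) -> float:
        """Probability that a user picked one particular unpopular choice."""
        if self.hot == self.n:
            return 0.0
        return (1.0 - self.hot_mass) / (self.n - self.hot)

    def min_entropy_bits(self) -> float:
        """Min-entropy: resistance to an attacker who guesses only the single
        most popular choice. This, not log2(n), is what a strength meter should report."""
        return -math.log2(self.p_hot)

    def guesses_for_success(self, beta: float) -> int:
        """Guesses an attacker who tries choices in order of popularity
        needs in order to break the fraction beta of all users."""
        if not 0.0 < beta <= 1.0:
            raise ValueError("beta must be in (0, 1]")
        # Popular choices are tried first; each succeeds against p_hot of users.
        if beta <= self.hot_mass:
            return math.ceil(beta * self.hot / self.hot_mass)
        # Then the long tail; each guess succeeds against p_cold of users.
        remaining = beta - self.hot_mass
        return self.hot + math.ceil(remaining * (self.n - self.hot) / (1.0 - self.hot_mass))


# Ideal case: every one of the 1.155 billion gesture sets is equally likely.
UNIFORM_PICTURE = ChoiceModel(PICTURE_PASSWORDS_3_GESTURES, PICTURE_PASSWORDS_3_GESTURES, 1.0)
UNIFORM_PIN = ChoiceModel(FOUR_DIGIT_PIN, FOUR_DIGIT_PIN, 1.0)
# Constructed skew, NOT a figure from the paper: 1,000 popular gesture sets
# (obvious points of interest in the picture) account for half of all users' choices.
SKEWED_PICTURE = ChoiceModel(PICTURE_PASSWORDS_3_GESTURES, 1_000, 0.5)


def report() -> dict[str, float]:
    """Collect the comparison the article is making, as numbers."""
    return {
        "picture_bits": keyspace_bits(PICTURE_PASSWORDS_3_GESTURES),
        "six_letters_bits": keyspace_bits(SIX_LETTER_AZ),
        "picture_over_six_letters": keyspace_ratio(PICTURE_PASSWORDS_3_GESTURES, SIX_LETTER_AZ),
        "uniform_picture_50pct": UNIFORM_PICTURE.guesses_for_success(0.5),
        "uniform_pin_50pct": UNIFORM_PIN.guesses_for_success(0.5),
        "skewed_picture_50pct": SKEWED_PICTURE.guesses_for_success(0.5),
        "skewed_picture_min_entropy": SKEWED_PICTURE.min_entropy_bits(),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:28s} {value:,.2f}")
```

Under the uniform assumption the picture keyspace costs about 577 million guesses to break half of all users, while the constructed skew costs 1,000, fewer than the 5,000 a uniformly chosen four-digit PIN costs; that is the sense in which a predictable picture password can be weaker than a PIN despite the larger keyspace. A meter that estimates guesses from a popularity model, as the paper proposes, captures this; a keyspace count cannot.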

