The Problem With Windows 8's Picture Password
alphadogg writes "The Windows 8 feature that logs users in if they touch certain points in a photo in the right order might be fun, but it's not very good security, according to the inventor of RSA's SecurID token. 'It's cute,' says Kenneth Weiss, who now runs a three-factor authentication business called Universal Secure Registry. 'I don't think it's serious security.' The major downside of the picture password is that drawing a finger across a photo on a touch screen is easy to video record from a distance — making it relatively easy to compromise, he says."
Just look at the greasy finger marks
...which are obviously not prone to being videotaped, like passwords typed into a keyboard, 2 factor tokens that cannot be stolen, smart cards with super hard to guess 4 digit PINs, etc.
Surely an accomplished individual like him could put out a serious paper on why picture passwords aren't good security, if they aren't. The math seemed alright in the Microsoft blog, so I don't know what the problem is.
Oh, I know what it is, he's the head of a company that offers alternative security products that use multi-factor authentication. *Of course* well implemented multi-factor auth is more secure than single-factor, but if he weren't in charge of a company trying to sell a product, would this article even exist? Probably not.
Another problem is that it's trivial to lock someone out by intentionally missing the password more than the allowed number of times.
The lock on your diary offers little protection from a skilled locksmith; most can be opened with a simple bent piece of metal.
If you have someone following you around with cameras trying to capture your login info to use later when they have physical access to your machine a traditional password probably isn’t going to cut it either. This provides the same kind of “guy walking by” protection as traditional passwords do. Ok, maybe less.. but still. Maybe this will actually push people towards more secure auth for serious things by highlighting how insecure a basic password is.
All that said, I think it’s a pretty stupid feature ;p
Of course it's not "very good" security. Neither is Android's face unlock. Neither are PINs. Neither are passwords. etc. etc. etc.
The whole point of things like this is that they're better than no security and that people will actually use them. You can have the best security setup in the world, but if users never enable it because it's too much of a pain in the ass, then it's worthless.
Nuff said.
What would Brian Boitano do?
A camera can also record someone typing in an alphanumerical password as well, so the same argument applies there. No, the main problem with any authentication system that doesn't require you to lift your finger from the screen is that if the owner of the phone is like most people, they'll probably leave a nice greasy streak right from start to finish. Or the other way around, not like it costs much to check...
I could unlock my friend's Android phone just by studying the smudge patterns on the touchscreen. I imagine this would be just as easy.
Keyboard keystrokes aren't just as easy to record?
Hence, RSA tokens + passwords (something you have + something you know)
Smart cards + biometrics (not perfect, but something you have + something you are)
Or even all three, for the truly paranoid (smart card + biometric scan + password)
Even with all three, a sufficiently determined entity with sufficient resources can overcome it. Video recording + physical acquisition of the owned object + physical acquisition of the biometric object (hope it's just a fingerprint scan and not a retinal scan!) will get an intruder past the security trifecta.
What next, DNA + mind scan + a password > 512 bytes?
Here are the links to the relevant Microsoft blog posts:
http://blogs.msdn.com/b/b8/archive/2011/12/16/signing-in-with-a-picture-password.aspx
http://blogs.msdn.com/b/b8/archive/2011/12/19/optimizing-picture-password-security.aspx
Just look at the smudge pattern from the oils your fingers leave behind. Then you will see *exactly* where they were dragging their finger around to log in.
I have to wipe my Android phone down every five minutes because I have oily skin.
But what if somebody used goatse for their picture password? Would you touch it? If so, where?
C|N>K
For only $99.95, you can buy our three factor authentication software for one year! That's right, keep criminals from stealing your digital camera pictures of your cat for a nominal fee! I'm willing to bet this picture security is no less secure than typing on a keyboard that's visible on the screen and combining it with the screen smudges. Domains probably won't use this authentication anyway, or at least it'll be optional.
So QUERTY becomes "Head, Shoulders, Knees and Toes". I'm guessing in many cases that the picture itself would suggest how it was to be interacted with.
"Good" is in this case equivocal. Are picture passwords highly secure? Probably not. So they aren't very good in that sense. Are they easy to use and secure enough for most purposes? Yes, making them extremely good for the average user. Which makes them better security in many ways than multi-factor authentication, which would be absurd for a tablet device that isn't carrying top-secret documents. As people have pointed out many times, complex security often ends up being less secure, as the user has to find ways of remembering long passwords, gets sick of the wasted time and just uses "1234" for both of the redundant passwords, or just turns off the security as soon as they can or ignores it entirely (Windows UAC under Vista).
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
Has he even tried this? I can't reliably login using the picture password setting, and I'm the one that set up the "password". I'm not convinced a video recording would suffice. I could, just as easily, video record your keyboard from a distance, but that's not going to net you my password very reliably either. Not unless you're a chicken pecker.
Joseph Elwell.
You remember the passwords of the old days that your users had? That were the names of their loved ones, their birthday or the ever popular "test", "password" and "12345"?
Guess what, they'll get a revival. For the same damn reason: People have no idea about security and they don't give a fuck about it. They prefer easy to remember passwords to secure ones. Just that with picture passwords, unlike standard typed ones, it's kinda hard to implement password security standards.
Why is it more insecure than typed passwords? Well, take your average photo. Now imagine what 4 points a person might be touching in it. Can you spot more than 6 "sensible" spots? People will choose points in the picture that stand out, and there won't be many more than 4-6 points that stand out. Unless some kind of 3-strikes-rule gets implemented (not bloody likely on a private computer, or even corporate computers after helpdesk had to reset the password for the n-th time because people failed to hit the right spot on their picture), it just takes rather few attempts at "connect-the-dots" before you find one that fits.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
How the hell do you typo QWERTY?
I have heard about "image" passwords that sound like they could work.
Your password could be "car" and "Flower". You would be presented with a "random" photo that had lots of things in it - but only a single car and flower. Humans can pick out the car and flower easily - even when presented with a new photo. Harder to automatically hack.
Of course it's not foolproof. For that I give you xkcd.
http://xkcd.com/538/
What makes me worry about Win8 is them pressing hard to merge Win8 with their next console OS. I sincerely hope this will not be pulled through. It's already bad enough that you need a Windows Live account for more and more games you try to play on your PC, but pretty much being forced to have one gets kinda ridiculous.
And I fully expect that to happen. I just got a Windows OS based cellphone at work (not my choice, mind you...). No Zune account, no system update. Think it will be different with Win8?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Am I the only one that has seen the film adaptation of Johnny Mnemonic? Only government-sponsored dolphins will be able to crack into Windows 8 with this enabled!
"He who can destroy a thing, controls a thing." --Paul Atreides, Dune
To be fair he *is* an expert in poor security.
Of course, by simply running a utility off of a boot CD, such as Hiren's, you can delete the SAM file which stores Windows passwords. Can be done in just a couple minutes, and it works every time (all right, I have seen it fail - once).
Have the picture move to different locations on the screen randomly, while also stretching and shrinking. This way no one can discern repeated heavy smudging on the screen, although on a touchscreen device the password smudges might get lost in the normal use gestures.
But having the picture scale to different sizes and move itself about the screen at each individual login should increase security.
One of these is not like the other.
Anons need not reply. Questions end with a question mark.
I do not use a QWERTY keyboard, you insensitive clod!
Score: i, Imaginary
I'm sure it'll keep young children out, and keep the prankster in your dorm from loading up your computer with gay porn.
No, I will not work for your startup
Lame - most people click on same things; years ago somebody did this on a website along with stats on the clicks and you could easily see that people picked the same stuff just like they do with passwords... except passwords are far more flexible than a few x/y coordinates.. sure you could save a ton of them trying to make a simple signature which would help greatly but it wouldn't be any greater than a signature, which is something that doesn't compare to a decent password.
I'm sure we will hear of people having to calibrate their touch screens, wash their hands, configure a new touch screen, or leave wear marks on their login screen. At least with a keyboard you touch it to use it for a lot of purposes besides login and because it's a simple array of buttons there is less to go wrong or configure (try configuring something when you can't log in.)
Democracy Now! - uncensored, anti-establishment news
Because I get aoeu when I type ASDF.
In Soviet Russia, articles before post read *you*!
Keep the device in a time-lock safe, requiring that you and a trusted individual both turn your keys at the same time, and then you both enter your combinations. Awww fuckit. Nuke from orbit.
or just turns off the security as soon as they can or ignores it entirely (Windows UAC under Vista).
To be fair, UAC was probably the most annoying security feature I have used in the modern era. I don't know if the threshold is just set ridiculously low, or what, but with UAC on you can hardly do a fucking thing without a window popping up asking if you would like to allow the program to run.
Do we expect anything else from them? Nothing new to see here, but it is always refreshing to see the M$ Fanboys come out and say "really, it's the bestest thing ever!
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
If you're not comfortable with all this, you can place a keyboard photo and "type" a password.
While we're on the subject, can we all agree that mandatory obscured password fields are a relic of antiquated thinking? Look, I get it...someone might look over my shoulder. But in reality nobody is. My work monitor faces a wall, my home PCs are...well, in my home, my smartphone is barely able to be read at my own arm's length...frankly, it's the very unusual scenario where I have even the slightest concern of someone seeing me type a password. And yet at least a dozen times a day (no exaggeration) I'm forced to retype a failed login attempt because my company security policy requires 12 digit alphanumeric mixed case no dictionary word passwords. Would it really be so tragic if I were allowed to watch myself type a password?
Use a picture of a keypad.
Because the Android "connect the dots" is so much better. Not to mention using a standard 10 key on iPhone. At least somebody is trying.
How the hell do you typo QWERTY?
Good question and thank you kind AC for pointing it out. I guess it happened because my fingers don't willingly type misspelled words and I type 'query' about a million times more often than I type qwerty.
How the hell do you typo QWERTY?
ASDFG
Knowledge is power. Knowledge shared is power lost.
That could work if you had pictures with multiple objects. Something like cat-ball-car ... But you would need some crowd sourcing to generate the data. Or use something like Settlers of Catan pieces, or Magic the Gathering cards. Click 3 roads or 5 mana symbols.
Bonus points if you built a modular system.. So people can make their own image packs... Allowing for more "inside jokes".
Next year what will we have? "Think of a word *scanned and recorded*, now think of a picture *scanned and recorded* now give us a skin sample *scanned and recorded* now enter a 755 digit password (note this password can contain any character and your smart phone will give you them all, from wingdings to hieroglyphics)" Then after all that anyone who wants to get your birthday pictures and home porno just has to grab your phone while you're using it.
But if the security image is a photo with 2 people and a dog, against a white wall it's pretty likely that I can guess where the taps are, so I only have to guess the order.
In that case... don't choose a photo of 2 people and a dog.
What you're saying is "This system has very poor security, if they choose the pictures poorly and each picture has very few probable combinations". Pretty obvious answer is: Don't choose such pictures. I'd guess that before they choose a picture for this purpose, they do some testing on what kind of patterns people use and discard the pictures where there is too little distribution. Of course, users may always use the most obvious pattern and they might be able to choose a picture themselves and use too simple picture... but users can also choose very stupid passwords.
Wouldn't it be prudent for the inventor of "RSA's SecurID token" to say that basically any security system other than his is ineffective?
And here I thought the major problem would be "I'll feel stupid using it." ;)
Friend: "The NIC is misconfigured..." Me: "No prob, I'll just telnet in and fix it." *Silence*
The math at this MS blog post has a few holes.
Minor: n! / (n-2)! is used instead of the simpler, equivalent n*(n-1). The number of passwords of length 2 in their calculation is actually defined (since 0! = 1 by convention); it should say 1040 instead of n/a. The circle-related calculation (95 - 5 + 1)^2 ... is oversimplified: for instance, a circle of radius 25 cannot have center (5, 5). The necessary modification is tedious, though, and not very significant. Tap reduction calculations are similarly oversimplified.
More serious: I'm unable to determine how the "# of taps" table was generated. The first entry, 270, is approximately 10,000/(3+5+7+7+7+5+3), which makes sense--it uses a 100x100 grid where taps are allowed to be off by a few squares. If subsequent taps are independent, the remaining entries in the table should be approximately 270^n. Instead, the ratio between entries varies between 65 and 101 (non-monotonically, even). The # lines and # circles tables are similarly unclear to me.
The number of unique lines count, 1949, is low, assuming the tap gesture recognition is used independently on each line endpoint. There are about 270 distinct grid positions, leading to about 270^2 = 72900 directed lines (alternatively, (100^2)^2 / 37^2 ~= 73000). Removing lines of length less than 5 is negligible.
I am unable to compute more than the first entry in the "multi-gesture picture password" column. As they say, this should be computed by "summing up the unique gestures for all three gesture types for the specific gesture length n and raise [sic] it to the nth power". The entries should just be 2554^n given the previous data, but they're not--they're significantly smaller.
At least all the holes underestimate the number of distinct gestures in cases I'm able to calculate, though without details on the circle and line recognition systems I can't independently calculate those figures. Everything I didn't mention was correct.
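As an added example (not Microsoft's code and not the commenter's), the arithmetic of the comment above in runnable form: the 100x100 grid, the 3+5+7+7+7+5+3 tolerance footprint, and the 1949-line and 2554-gesture totals are taken from the comment; the circle count is inferred from those totals, and the independence check is applied to a constructed table rather than the blog's.

```python
"""Reproduces the gesture-count arithmetic from the comment above and checks
a table of per-length counts for the independence the blog's formula implies."""
from math import log2

GRID = 100                                  # 100x100 recognition grid (per the comment)
TAP_FOOTPRINT_ROWS = (3, 5, 7, 7, 7, 5, 3)  # cells treated as a hit around one tap
UNIQUE_LINES = 1949                         # blog's line count as quoted in the comment
ALL_GESTURES = 2554                         # blog's single-gesture total as quoted in the comment


def tap_footprint() -> int:
    """Cells covered by one tap's tolerance window: 37."""
    return sum(TAP_FOOTPRINT_ROWS)


def distinct_taps(grid: int = GRID) -> int:
    """Distinguishable tap positions: ~10000/37 = 270."""
    return round(grid * grid / tap_footprint())


def tap_sequences(n: int) -> int:
    """If taps are independent, n taps give 270^n sequences."""
    return distinct_taps() ** n


def directed_lines() -> int:
    """Both endpoints pass through tap recognition, so ~270^2 directed lines.
    Dropping lines shorter than 5 cells barely changes this, as the comment notes."""
    return distinct_taps() ** 2


def implied_circles() -> int:
    """Circle count implied by the quoted totals, assuming
    total = taps + lines + circles (an inference, not a figure from the blog)."""
    return ALL_GESTURES - distinct_taps() - UNIQUE_LINES


def multi_gesture_sequences(n: int) -> int:
    """The blog's stated rule: (sum of unique gestures over all three types)^n."""
    return ALL_GESTURES ** n


def growth_ratios(table: list[int]) -> list[float]:
    """Ratios between successive table entries. With independent gestures every
    ratio equals the per-gesture count; a wandering ratio, like the 65..101
    spread the comment reports, contradicts that assumption."""
    return [b / a for a, b in zip(table, table[1:])]


def consistent_with_independence(table: list[int], tolerance: float = 0.05) -> bool:
    ratios = growth_ratios(table)
    return all(abs(r - ratios[0]) <= tolerance * ratios[0] for r in ratios)


def guess_bits(count: int) -> float:
    """Equivalent key length in bits, for comparison with a 4-digit PIN (~13.3 bits)."""
    return log2(count)


if __name__ == "__main__":
    print("tap footprint:", tap_footprint())       # 37
    print("distinct taps:", distinct_taps())       # 270
    print("directed lines:", directed_lines())     # 72900
    print("implied circles:", implied_circles())   # 335
    for n in (1, 2, 3):
        total = multi_gesture_sequences(n)
        print(n, "gestures:", total, f"({guess_bits(total):.1f} bits)")
    # Constructed tables: the 270^n ideal, then one whose ratios drift 65 -> 101.
    print(consistent_with_independence([270, 72900, 19683000]))   # True
    print(consistent_with_independence([270, 17550, 1774000]))    # False
```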
Your biometrics are mandatory and will appear on facebook or on the FBI most wanted list *eek*
All cows eat grass!
http://cs.dartmouth.edu/~averyyen/CCP/project.pdf
But seriously, wouldn't anyone actually coding this system up for production use quickly realize that some points in a picture are going to be chosen more often than others?
coding is life
And that photo of Felicia Day the Slashdotter was using as his security picture? Eleven out of ten security specialists guessed two points on the touch screen in less than a second.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Where to go from here...
* In case you lost the password.
* Or the OS goofed up with some issue, which is more likely... how to get back?
* In case some crackers got in, they can replace the image.
* Two users using the same image?
Touching points on a picture of a keypad in a certain order and touching points on a picture of something else in a particular order.
Well it's better than a regular password, since it can be keylogged. A touch screen can't be keylogged unless it has reactive touching (eg mouse cursors or "pressed" ripples) and is being screencapped at the time.
There are worse. Most anyone that works in a call center has their passwords keylogged or screencapped by the QA teams; this results in the obvious implication that passwords are very insecure and should not be used to login to locally stored or accessed applications including the computer itself. But it gets stranger if you do have a touch system in place. As mentioned in other comments, the finger grease is the largest hole, forget video cameras (though those also exist as well). But you can just as easily video record someone typing.
Look at people who swipe PINs from ATMs. If it was simply a touch screen swipe, you have a problem. Now how do you fix it?
- Touch screens need to be polarized so that the picture can't be seen from observers
- The pictures used must cycle so that the same picture isn't used more than once in the same day, preferably not used more than once in the same month. Pictures of family or pets work best, because they aren't as easy to forget. Users can use a mnemonic like "ordered by age" or "ordered by height" or other personal details that work common to all the pictures that outsiders won't know without social engineering but work equally on pictures with missing people/pets.
Just using letters and digits, those 8 million combinations are roughly equal to a 4 character password (~2 million combinations, or ~15 million combinations if you also allow caps).
So it would be 3 drags vs. 4 taps (on a keyboard)... wooptidoo.
Security risks are never 100% prevented, it is all about risk mitigation. This is better as a user experience than password complexity rules that cause a user to write down his password on a sheet of paper. For the majority of regular users, nobody is going to go through the expense and trouble of these paranoid scenarios that security solutions companies try to convince you are an imminent threat. The more likely threat is what I call the 'gun to the head attack'. In all instances it is cheaper and easier to use the threat of physical violence to gain access. And nothing protects against that really. Moral of the story, do not keep sensitive data on an end point device.
All of these would help secure picture passwords and protect against snoopers.
He is typing on dvorak.
Brilliant - it has the advantage of scaling for more security
Head, Shoulders, Knees and Toes
for a bit more security you just add
Head, Shoulders, Knees and Toes, Knees and Toes
then, for your bank account:
Head, Shoulders, Knees and Toes, Knees and Toes and Eyes and Ears and Mouth and Nose, Head, Shoulders, Knees and Toes
Warning, incoming maths.
Say you've a face photo, that's got 6 possible active areas (eyes, nose, mouth, ears). Four taps would mean 216 combinations. Not amazing.
However what if you allowed multiple gestures? If you, for example, forced every tap to be a swipe between two of the possible areas that changes a 1/6 chance of getting it to a 1/30 chance (1 in 6 of getting the start, 1 in 5 of the finish). Add that to the taps, that's a 1/36, add a circle around an area, 1 in 42 (there are probably other motions you can do but I'll leave it at that).
That means, provided a user doesn't stick to taps, you've odds of 1 in 3111696 of randomly guessing how a face was interacted with in 4 motions. Compared to 1 in 9999 for a PIN.
It's less prone to shoulder search too. It's far easier to see and remember '1823' than 'circle around left eye, nose to right ear, left ear to mouth, tap right eye', the smudges and fingerprints on the screen are harder to understand too.
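As an added example (not part of the comment above), a small Python model of the gesture alphabet it describes: k regions on the photo, with taps, directed swipes and circles as the motions. It generalizes to any k and any number of motions, so the "2 people and a dog" case raised elsewhere in the thread (three salient regions) can be computed the same way; the region names are assumed, and with independent taps over six regions four taps come out to 6^4.

```python
"""Gesture-space model for a region-based picture password (constructed example)."""
from itertools import permutations, product
from math import log2

# Assumed region labels for the face-photo case in the comment (k = 6).
REGIONS = ("left eye", "right eye", "nose", "mouth", "left ear", "right ear")


def gesture_alphabet(regions=REGIONS) -> list[tuple]:
    """Every single motion a user can make on the photo."""
    taps = [("tap", r) for r in regions]                              # k
    swipes = [("swipe", a, b) for a, b in permutations(regions, 2)]   # k*(k-1), directed
    circles = [("circle", r) for r in regions]                        # k
    return taps + swipes + circles


def alphabet_size(k: int) -> int:
    """Closed form: k taps + k(k-1) swipes + k circles = k(k+1); 42 for k = 6."""
    return k + k * (k - 1) + k


def guess_space(k: int, motions: int) -> int:
    """Number of distinct passwords of the given length (42^4 = 3111696 for k = 6)."""
    return alphabet_size(k) ** motions


def taps_only(k: int, motions: int) -> int:
    """Users who never swipe or circle shrink the space to k^motions."""
    return k ** motions


def pin_space(digits: int = 4) -> int:
    return 10 ** digits


def bits(count: int) -> float:
    """Equivalent key length in bits, for side-by-side comparison with a PIN."""
    return log2(count)


def enumerate_passwords(motions: int, regions=REGIONS):
    """Lazily yields every password of the given length; useful for confirming the
    closed form on small cases (42^2 = 1764 for two motions on six regions)."""
    return product(gesture_alphabet(regions), repeat=motions)


if __name__ == "__main__":
    k = len(REGIONS)
    print(len(gesture_alphabet()), alphabet_size(k))          # 42 42
    print(guess_space(k, 4), pin_space())                     # 3111696 10000
    print(f"{bits(guess_space(k, 4)):.1f} bits vs {bits(pin_space()):.1f} bits for a PIN")
    print(taps_only(k, 4))                                    # 1296
    print(guess_space(3, 4))                                  # 20736: two people and a dog
    print(sum(1 for _ in enumerate_passwords(2)))             # 1764
```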
Honestly, I have seen more than a few of my friends using an Android phone enter the grid swipe only once... and I think I still remember every single one of them. I myself use the grid swipe too, but I also enter the PIN for my SIM card when I boot the device up. I consider the grid swipe to be more of a "keypad lock" function than anything even resembling actual security from a data confidentiality standpoint.
If I ever use my android device to hold anything really confidential (no, sorry, honey-bunny text messages with my girlfriend don't count in this sense of the word because, at the end of the day, no one really cares enough about those type of things [and our messaging is somewhat "innocent" stuff in any case]) I'm going to use some real measures like strong encryption. Until that day, I'm not going to be bothered and just keep good care of my device.
"The major downside of the picture password is that drawing a finger across a photo on a touch screen is easy to video record from a distance...."
Really? If someone is video recording you to gain the password to your computer, you are obviously in deep shit. I suggest you worry less about the password on your personal device, that contains no highly confidential CIA material, and worry about the guy following you. Security is great, but what do all of you have on your devices that is so important that you keep secret? I really can't imagine why anyone would want anything off my computer. There is literally nothing to be gained.
Why not have people dance in front of a Kinect to authenticate???!!! Mornings in the office would be funnier...
Only fags type on dvorak.
Fags, and basement dwellers.
"trust, but verify"
Passwords keep people on the honest side for the most part. If you don't use a password, you're open game.
-- This space for lease, low setup fee, inquire within!
Jeezus! Why not just use a keyboard and enter a password? I know that I would rather deal with a 101 key keyboard rather than a changing array of 256 random pictures!
Not only is it easier to observe than a typed password, the user's fingerprints will be on the monitor. It would almost certainly reduce the complexity of cracking the user's account.
Doesn't work. Just rerun the picture test enough times to deduce that the constant is that you always get cars and flowers, but other items are subject to change. So then by induction, you try one more thing. Three constant things. Well then there are only 6 ways to choose 2 elements. Fine, make all say, 9 pictures constant "things", one of which is a car and one of which is a flower. How many 2-permutations? 72.