Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Problem With Windows 8's Picture Password

Posted by timothy on from the guy-with-a-video-camera-also-a-threat dept.

alphadogg writes "The Windows 8 feature that logs users in if they touch certain points in a photo in the right order might be fun, but it's not very good security, according to the inventor of RSA's SecurID token. 'It's cute,' says Kenneth Weiss, who now runs a three-factor authentication business called Universal Secure Registry. 'I don't think it's serious security.' The major downside of the picture password is that drawing a finger across a photo on a touch screen is easy to video record from a distance — making it relatively easy to compromise, he says."

4 of 206 comments (clear)

  1. Re:Another problem by adonoman · · Score: 4, Informative

    Then you can use the actual password on the on-screen keyboard. The picture password is just an optional convenience feature.

  2. Re:Video?! by peragrin · · Score: 4, Informative

    you must not use finger touch tablets very often.

    I can always tell when someone plays a certian game on my phone, ipad, nook color. why? because the oils streaks have a pattern to them. certain games leave specific patterns. you may not know which is the begining. but if 1/3 the screen doesn't have any oil on it then those parts are ones you dont' have to think about.

    Take a standard password of 12 keys. Now with a glance eliminate 75 out of 101 keys on the keyboard. It becomes a whole lot easier to brute force now.

    --
    i thought once I was found, but it was only a dream.
  3. Re:Video?! by Mia'cova · · Score: 4, Informative

    The math used for comparison typically assumes that there are 10 points of interest in an image. Obviously there's a range depending on the image but most have at least 10. Just don't use Japan's flag as your image and you should be okay. Since lines are directional, when you say 6 likely candidates for lines, that works out to three points of interest: A->B, A->C, B->A, B->C, C->A, C->B. So that really isn't true at all.

    The meaty bit at the end of their math is this: "Assuming the average image has 10 points of interest, and a gesture sequence length of 3, there are 8 million possible combinations, making the prospect of guessing the correct sequence within 5 tries fairly remote."

    The table at the bottom is good to look through.
    http://blogs.msdn.com/b/b8/archive/2011/12/16/signing-in-with-a-picture-password.aspx

    Bottom line, for 3 gestures on a typical image, 8 million > [10,000 to 1,000,000] (possibilities for a 4 to 6-digit pin, the valid comparison for this)

  4. Re:Video?! by pruss · · Score: 5, Informative

    There is still the question of getting the swipes in the right order.

    When I wrote a PictureLogin beta app for Palms (back in 2007; no, it's not prior art for the MS patent, as it was tap-only rather than swipe), I made PictureLogin act as a quick login screen, with an immediate fallback to the default passkey login if it failed. It would be very unlikely an attacker would get in on the first try, but it would allow users to have a very fast login with as few as two taps, or maybe even with only one if one was willing to take a risk. That would also help with the fingerprint problem. I think I was also thinking about some security-by-obscurity options, such as a user using some fake form as their PictureLogin image, so that someone who stole or found the device would not know that it's actually a PictureLogin login screen. You turn it on, and you see some normal Palm screen. You tap once or twice in the right place(s) and you're in, and you tap even once in the wrong place and fall back. I never got around to a full release of PictureLogin, though the code is open source.