Slashdot Mirror


The Problem With Windows 8's Picture Password

alphadogg writes "The Windows 8 feature that logs users in if they touch certain points in a photo in the right order might be fun, but it's not very good security, according to the inventor of RSA's SecurID token. 'It's cute,' says Kenneth Weiss, who now runs a three-factor authentication business called Universal Secure Registry. 'I don't think it's serious security.' The major downside of the picture password is that drawing a finger across a photo on a touch screen is easy to video record from a distance — making it relatively easy to compromise, he says."

1 of 206 comments

  1. Re:Video?! by pruss · Score: 5, Informative

    There is still the question of getting the swipes in the right order.

    When I wrote a PictureLogin beta app for Palms (back in 2007; no, it's not prior art for the MS patent, as it was tap-only rather than swipe), I made PictureLogin act as a quick login screen, with an immediate fallback to the default passkey login if it failed. It would be very unlikely an attacker would get in on the first try, but it would allow users to have a very fast login with as few as two taps, or maybe even with only one if one was willing to take a risk. That would also help with the fingerprint problem. I think I was also thinking about some security-by-obscurity options, such as a user using some fake form as their PictureLogin image, so that someone who stole or found the device would not know that it's actually a PictureLogin login screen. You turn it on, and you see some normal Palm screen. You tap once or twice in the right place(s) and you're in, and you tap even once in the wrong place and fall back. I never got around to a full release of PictureLogin, though the code is open source.