Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Problem With Windows 8's Picture Password

Posted by timothy on from the guy-with-a-video-camera-also-a-threat dept.

alphadogg writes "The Windows 8 feature that logs users in if they touch certain points in a photo in the right order might be fun, but it's not very good security, according to the inventor of RSA's SecurID token. 'It's cute,' says Kenneth Weiss, who now runs a three-factor authentication business called Universal Secure Registry. 'I don't think it's serious security.' The major downside of the picture password is that drawing a finger across a photo on a touch screen is easy to video record from a distance — making it relatively easy to compromise, he says."

20 of 206 comments (clear)

  1. Passwords susceptible to surveillance, more at 11. by Anpheus · · Score: 5, Insightful

    Surely an accomplished individual like him could put out a serious paper on why picture passwords aren't good security, if they aren't. The math seemed alright in the Microsoft blog, so I don't know what the problem is.

    Oh, I know what it is, he's the head of a company that offers alternative security products that use multi-factor authentication. *Of course* well implemented multi-factor auth is more secure than single-factor, but if he weren't in charge of a company trying to sell a product, would this article even exist? Probably not.

  2. In other news by Anrego · · Score: 4, Insightful

    The lock on your diary offers little protection from a skilled locksmith most can be opened with a simple bent piece of metal.

    If you have someone following you around with cameras trying to capture your login info to use later when they have physical access to your machine a traditional password probably isn’t going to cut it either. This provides the same kind of “guy walking by” protection as traditional passwords do. Ok, maybe less.. but still. Maybe this will actually push people towards more secure auth for serious things by highlighting how insecure a basic password is.

    All that said, I think it’s a pretty stupid feature ;p

  3. Well of course not... by DrEldarion · · Score: 5, Insightful

    Of course it's not "very good" security. Neither is Android's face unlock. Neither are PINs. Neither are passwords. etc. etc. etc.

    The whole point of things like this are that they're better than no security and that people will actually use them. You can have the best security setup in the world, but if users never enable it because it's too much of a pain in the ass, then it's worthless.

    1. Re:Well of course not... by Opportunist · · Score: 5, Insightful

      I dare to disagree. Bad security can actually be worse than no security. For more than one reason.

      First, the obvious one: People rely on security and act as if they're protected even though they are in fact not.

      The less obvious one is that a faulty and flawed security mechanism actually offers another attack vector. To use an example from a real security problem, imagine a door without a lock and no handle, opening to the outside. Without handle or lock, the door cannot be opened from the outside, since there is no way for you to pull at it, and pushing it won't do you no good. And a good, solid oak door is quite hard to bash in. Add a lock and you not only offer a point where an attacker can actually put a hook, you also have to weaken the door to apply the lock. If the lock is now flawed and easy to pick, you actually lowered the security of the door by adding a lock.

      It's the same with flawed IT security mechanisms.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Well of course not... by AngryDeuce · · Score: 3, Insightful

      Exactly. The weakest point in any security system will always be the user, and unfortunately, the user is the hardest weakness to combat.

      Consider forcing password changes at certain intervals: 99% of the time, the new password is the same as the old one with a variation of a single character; e.g., "Flower" becomes "Flower1". Then, next time there's a forced password change, they just set it right the hell back to "Flower", or go up to "Flower2".

      Then there's the systems where the password is provided, usually gibberish alphanumeric of a certain character length. Nobody can remember that shit, so what does everyone do? Write it the hell down somewhere, or store it in a text file; usually fucking called "Passwords", because people are retards.

      No matter how elaborate your security is, the user will find a way to fuck it up. A door won't be closed, a document won't be shredded, a workstation won't be locked, a security protocol won't be followed, and it's always for the sake of the user's convenience. The more of a pain in the ass it is, the more likely it will be compromised by laziness on the part of the user. That's just how people are; not all of them, but a lot of them.

      I mean, stories of people getting hacked or their identities stolen are in the news all the time, and the most common user-created passwords are still ridiculous shit like "1234" and "ABCDEFG". Clearly people would rather accept the risk of a weak password for the sake of convenience. Either that or they really are retarded.

    3. Re:Well of course not... by bherman · · Score: 5, Insightful

      Taking your analogy a bit further..... While you may have a more secure door without the lock, you also have what is commonly referred to as a wall. Without a way to use the door it is no longer serving it's intended purpose. The most secure computer is one that is not on a network and cannot be physically accessed. Once you actually need to access it you are now weighing the tradeoff between usability and security. The picture password is intended to provide a way for users who wouldn't otherwise protect their device with a low impact way of doing so.

      --
      Error: Sig not found.
    4. Re:Well of course not... by Endo13 · · Score: 3, Insightful

      Your door analogy is fundamentally flawed, because the user has to get in some way, otherwise the house (or PC) is useless. The same applies to both. On the house, sure that particular door is difficult to break into because you can't open it from the outside. But somewhere on another wall there's another door that can be opened from the outside, and will have traditional security measures.

      That's the whole point of security - to allow authorized entry while making it difficult for unauthorized entry. Your suggestion of making entry impossible is mind-bogglingly stupid in this context.

      --
      There is no -1 Disagree mod. Slashdot.org/faq defines mod options. USE IT.
    5. Re:Well of course not... by ghostdoc · · Score: 4, Insightful

      That's just how people are; not all of them, but a lot of them.

      I mean, stories of people getting hacked or their identities stolen are in the news all the time, and the most common user-created passwords are still ridiculous shit like "1234" and "ABCDEFG". Clearly people would rather accept the risk of a weak password for the sake of convenience. Either that or they really are retarded.

      Since clearly most people are not retarded, but are using the system as if they are retarded, then the system is the problem. Blaming the users is pointless, you're not going to get better human beings to use your system, so you've got to change the system.

      As XKCD and many others have pointed out, we have a pointlessly hard method of specifying passwords...if it's 'strong' it can't be easily remembered, and will be written down or re-used on multiple occasions. If it's easy to remember then it's easy to guess. In other words, we have a system that is easy for computers to implement, but hard for humans to use.

      There must, surely, be better ways of doing this that work with the way the human brain works to encourage stronger security. After all, it's a lot easier to change the security implementation than it is to change the human brain. We need to find a better system and not just stick with the current broken one and blame the users for being retards.

      I'm glad someone is trying something different that might make security better.

      --
      Business/App ideas are like arseholes: everyone's got one, they're mostly shit, but very rarely they contain a diamond
  4. It also leaves smudges by Piata · · Score: 3, Insightful

    I could unlock my friend's Android phone just by studying the smudge patterns on the touchscreen. I imagine this would be just as easy.

  5. Re:Video?! by adonoman · · Score: 4, Insightful

    Even in the worst-case scenario where the computer was used for nothing but logging in with the picture password, the math works out that it's still more reliable than the 4-digit pin that many other devices use.

  6. I seem to recall an old standard . . . by mmell · · Score: 5, Insightful
    "Something you have, something you know and something you are. Pick two out of three."

    Hence, RSA tokens + passwords (something you have + something you know)

    Smart cards + biometrics (not perfect, but something you have + something you are)

    Or even all three, for the truly paraniod (smart card + biometric scan + password)

    Even with all three, a sufficiently determined entity with sufficient resources can overcome it. Video recording + physical acquisition of the owned object + physical acquisition of the biometric object (hope it's just a fingerprint scan and not a retinal scan!) will get an intruder past the security trifecta.

    What next, DNA + mind scan + a password > 512 bytes?

    1. Re:I seem to recall an old standard . . . by Anrego · · Score: 5, Insightful

      It has to scale to the requirement for security.

      My slashdot account doesn't need three factor authentication, however I wish my bank would have at least 2 (seriously, I've yet to find any banks in Canada, let alone my province (Nova Scotia) that offer something beyond a password. The hell!).

  7. Re:Unlike any other authentication... by Fluffeh · · Score: 3, Insightful

    The interesting thing to me is that on a photo there would be obvious "points of interest". If you had a picture of a few friends, you would likely use their faces as touch points. If you had a picture of a hillside with some houses, those would likely be the points that get touched. Don't get me wrong, I like the idea of this rather novel password concept, but I think that in terms of security (at least for the most part) that any photo would have obvious points that narrow down the possibilities.

    --
    Moved to http://soylentnews.org/. You are invited to join us too!
  8. Re:Another problem by qbast · · Score: 5, Insightful

    - Hey, give it back your bastard! Eh, at least he is not going to get any of my secret data - it is fingerprint protected!
    - What are you doing with this knife?! Aaaaaaaargh...
    - You sick fuck! And what makes you so sure I use right index finger anyway? No, wait, this was just a joke!
    - Omg, he has an axe too ... Leave me at least left hand, pleeaseee!
    - Well, I can't use fingerprint scanner anymore so I will get a laptop with iris scanner. What could go wrong?

  9. Re:Video?! by Electricity+Likes+Me · · Score: 3, Insightful

    Its not about the probability of other fingerprints on the device - all you need is a fairly good idea of where someone has been tapping on a photo, and from the photo you will probably be able to guess which points they've used.

  10. Re:Video?! by Anonymous Coward · · Score: 4, Insightful

    As someone who has owned several touch-screen devices over the last decade, I've noticed that it's a common occurrence for the oil on fingers to accumulate in a tell-tale trail on the screen if you're often swiping a particular pattern. It's the primary reason I switched to a numeric pin rather than the pattern-based authentication on my Android phone. Doesn't seem to happen with taps as it does with swiping.

  11. Re:Video?! by rsborg · · Score: 4, Insightful

    Just look at the greasy finger marks

    You know, the OS could mitigate this quite easily by moving around the picture, reorienting or rotating it. This would eliminate the benefit of muscle-memory, but allow it to be more secure.

    --
    Make sure everyone's vote counts: Verified Voting
  12. Re:Video?! by KlomDark · · Score: 3, Insightful

    Yeah, you can do that on a computer with a REAL screen, not those little iToys that all the cool kids have to carry around with them these days.

    Can't wait for this fad to die down a bit so we can quit hearing all these retarded stories about "The Desktop Computer is DOOOOOOMMMEEEDD!" all the time.

    Sure, it's eventually doomed, but not for a long time still. There are so many things that I do on a triple headed desktop that I would never want to attempt on a mobile or pad. (Coding, taxes, etc.) And some things are more convenient on a mobile device. (Driving directions, reading the news over lunch, etc.)

    CricKet MessageMate II WTF! ;)

  13. hmm by stevenfuzz · · Score: 3, Insightful

    Wouldn't it be prudent for the inventor of "RSA's SecurID token" to say that basically any security system other than his is ineffective?

  14. Re:You assume that designers are idiots by hawguy · · Score: 3, Insightful

    But if the security image is a photo with 2 people and a dog, against a white wall it's pretty likely that I can guess where the taps are, so I only have to guess the order.

    In that case... don't choose an photo of 2 people and a dog.

    What you're saying is "This system has very poor security, if they choose the pictures poorly and each picture has very few probable combinations". Pretty obvious answer is: Don't choose such pictures. I'd guess that before they choose a picture for this purpose, they do some testing on what kind of patterns people use and discard the pictures where there is too little distribution. Of course, users may always use the most obvious pattern and they might be able to choose a picture themselves and use too simple picture... but users can also choose very stupid passwords.

    That's my point exactly - in the lab, I'm sure this is a very secure system and can be made to be much more secure than a traditional passphrase. But in the real world, people see security as something that gets in the way, so they choose something easy to use, not something secure, so this ends up being not any more secure than any other system.