Slashdot Mirror


The Problem With Windows 8's Picture Password

alphadogg writes "The Windows 8 feature that logs users in if they touch certain points in a photo in the right order might be fun, but it's not very good security, according to the inventor of RSA's SecurID token. 'It's cute,' says Kenneth Weiss, who now runs a three-factor authentication business called Universal Secure Registry. 'I don't think it's serious security.' The major downside of the picture password is that drawing a finger across a photo on a touch screen is easy to video record from a distance — making it relatively easy to compromise, he says."

12 of 206 comments

  1. Passwords susceptible to surveillance, more at 11. by Anpheus · Score: 5, Insightful

    Surely an accomplished individual like him could put out a serious paper on why picture passwords aren't good security, if they aren't. The math seemed alright in the Microsoft blog, so I don't know what the problem is.

    Oh, I know what it is, he's the head of a company that offers alternative security products that use multi-factor authentication. *Of course* well implemented multi-factor auth is more secure than single-factor, but if he weren't in charge of a company trying to sell a product, would this article even exist? Probably not.

  2. In other news by Anrego · Score: 4, Insightful

    The lock on your diary offers little protection from a skilled locksmith; most can be opened with a simple bent piece of metal.

    If you have someone following you around with cameras trying to capture your login info to use later when they have physical access to your machine, a traditional password probably isn’t going to cut it either. This provides the same kind of “guy walking by” protection as traditional passwords do. Ok, maybe less... but still. Maybe this will actually push people towards more secure auth for serious things by highlighting how insecure a basic password is.

    All that said, I think it’s a pretty stupid feature ;p

  3. Well of course not... by DrEldarion · Score: 5, Insightful

    Of course it's not "very good" security. Neither is Android's face unlock. Neither are PINs. Neither are passwords. etc. etc. etc.

    The whole point of things like this is that they're better than no security and that people will actually use them. You can have the best security setup in the world, but if users never enable it because it's too much of a pain in the ass, then it's worthless.

    1. Re:Well of course not... by Opportunist · Score: 5, Insightful

      I dare to disagree. Bad security can actually be worse than no security. For more than one reason.

      First, the obvious one: People rely on security and act as if they're protected even though they are in fact not.

      The less obvious one is that a faulty and flawed security mechanism actually offers another attack vector. To use an example from a real security problem, imagine a door without a lock and no handle, opening to the outside. Without handle or lock, the door cannot be opened from the outside, since there is no way for you to pull at it, and pushing it won't do you any good. And a good, solid oak door is quite hard to bash in. Add a lock and you not only offer a point where an attacker can actually put a hook, you also have to weaken the door to apply the lock. If the lock is now flawed and easy to pick, you actually lowered the security of the door by adding a lock.

      It's the same with flawed IT security mechanisms.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    2. Re:Well of course not... by bherman · Score: 5, Insightful

      Taking your analogy a bit further... While you may have a more secure door without the lock, you also have what is commonly referred to as a wall. Without a way to use the door it is no longer serving its intended purpose. The most secure computer is one that is not on a network and cannot be physically accessed. Once you actually need to access it you are now weighing the tradeoff between usability and security. The picture password is intended to provide users who wouldn't otherwise protect their device with a low-impact way of doing so.

      --
      Error: Sig not found.

    3. Re:Well of course not... by ghostdoc · Score: 4, Insightful

      That's just how people are; not all of them, but a lot of them.

      I mean, stories of people getting hacked or their identities stolen are in the news all the time, and the most common user-created passwords are still ridiculous shit like "1234" and "ABCDEFG". Clearly people would rather accept the risk of a weak password for the sake of convenience. Either that or they really are retarded.

      Since clearly most people are not retarded, but are using the system as if they are retarded, then the system is the problem. Blaming the users is pointless, you're not going to get better human beings to use your system, so you've got to change the system.

      As XKCD and many others have pointed out, we have a pointlessly hard method of specifying passwords...if it's 'strong' it can't be easily remembered, and will be written down or re-used on multiple occasions. If it's easy to remember then it's easy to guess. In other words, we have a system that is easy for computers to implement, but hard for humans to use.

      There must, surely, be better ways of doing this that work with the way the human brain works to encourage stronger security. After all, it's a lot easier to change the security implementation than it is to change the human brain. We need to find a better system and not just stick with the current broken one and blame the users for being retards.

      I'm glad someone is trying something different that might make security better.

      --
      Business/App ideas are like arseholes: everyone's got one, they're mostly shit, but very rarely they contain a diamond

  4. Re:Video?! by adonoman · Score: 4, Insightful

    Even in the worst-case scenario where the computer was used for nothing but logging in with the picture password, the math works out that it's still more reliable than the 4-digit pin that many other devices use.

  5. I seem to recall an old standard . . . by mmell · Score: 5, Insightful

    "Something you have, something you know and something you are. Pick two out of three."

    Hence, RSA tokens + passwords (something you have + something you know)

    Smart cards + biometrics (not perfect, but something you have + something you are)

    Or even all three, for the truly paranoid (smart card + biometric scan + password)

    Even with all three, a sufficiently determined entity with sufficient resources can overcome it. Video recording + physical acquisition of the owned object + physical acquisition of the biometric object (hope it's just a fingerprint scan and not a retinal scan!) will get an intruder past the security trifecta.

    What next, DNA + mind scan + a password > 512 bytes?

    1. Re:I seem to recall an old standard . . . by Anrego · Score: 5, Insightful

      It has to scale to the requirement for security.

      My slashdot account doesn't need three-factor authentication, however I wish my bank would have at least 2 (seriously, I've yet to find any banks in Canada, let alone my province (Nova Scotia), that offer something beyond a password. The hell!).

  6. Re:Another problem by qbast · Score: 5, Insightful

    - Hey, give it back, you bastard! Eh, at least he is not going to get any of my secret data - it is fingerprint protected!
    - What are you doing with this knife?! Aaaaaaaargh...
    - You sick fuck! And what makes you so sure I use the right index finger anyway? No, wait, this was just a joke!
    - Omg, he has an axe too ... Leave me at least my left hand, pleeaseee!
    - Well, I can't use a fingerprint scanner anymore so I will get a laptop with an iris scanner. What could go wrong?

  7. Re:Video?! by Anonymous Coward · Score: 4, Insightful

    As someone who has owned several touch-screen devices over the last decade, I've noticed that it's a common occurrence for the oil on fingers to accumulate in a tell-tale trail on the screen if you're often swiping a particular pattern. It's the primary reason I switched to a numeric pin rather than the pattern-based authentication on my Android phone. Doesn't seem to happen with taps as it does with swiping.

  8. Re:Video?! by rsborg · Score: 4, Insightful

    Just look at the greasy finger marks

    You know, the OS could mitigate this quite easily by moving around the picture, reorienting or rotating it. This would eliminate the benefit of muscle-memory, but allow it to be more secure.

    --
    Make sure everyone's vote counts: Verified Voting
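As an added example (not from any commenter, and not Microsoft's implementation), here is a small Python model of the mitigation rsborg suggests: the OS draws the picture at a random offset and rotation on every attempt and maps the user's taps back into picture coordinates before checking them, so the smudge trail left by one login does not mark the tap positions for the next. The 100x100 grid, the 3-cell tolerance, a tap-only secret and the `Layout` coordinate handling are all assumptions made for the model.

```python
import math
from dataclasses import dataclass

GRID = 100        # assumption: picture split into a 100x100 grid of tap positions
TOLERANCE = 3.0   # assumption: a tap matches if within 3 grid cells of the stored point


@dataclass(frozen=True)
class Layout:
    """Where and how the picture is drawn for one login attempt."""
    dx: int   # screen offset of the picture's top-left corner
    dy: int
    rot: int  # rotation in degrees: 0, 90, 180 or 270

    def to_screen(self, p):
        """Picture grid coordinate -> screen coordinate under this layout."""
        x, y = p
        for _ in range(self.rot // 90):  # each step turns the grid by 90 degrees
            x, y = GRID - 1 - y, x
        return (x + self.dx, y + self.dy)

    def to_picture(self, s):
        """Screen coordinate -> picture grid coordinate (exact inverse of to_screen)."""
        x, y = s[0] - self.dx, s[1] - self.dy
        for _ in range(self.rot // 90):
            x, y = y, GRID - 1 - x
        return (x, y)


def new_layout(rng):
    """Picked afresh by the OS per attempt (rng is any random.Random), so smudges never line up."""
    return Layout(rng.randrange(0, 50), rng.randrange(0, 50), rng.choice((0, 90, 180, 270)))


def honest_taps(secret, layout):
    """Screen positions a legitimate user touches when the picture is shown with `layout`."""
    return [layout.to_screen(p) for p in secret]


def verify(secret, layout, screen_taps):
    """Undo the layout applied to the shown picture, then compare taps to the stored points."""
    if len(screen_taps) != len(secret):
        return False
    return all(math.dist(want, layout.to_picture(tap)) <= TOLERANCE
               for want, tap in zip(secret, screen_taps))


SECRET = [(20, 35), (70, 40), (50, 80)]  # constructed: three stored tap points
```

Replaying the screen positions observed (or smudged) under one layout fails against the next one, while a user who follows the redrawn picture still passes. This does nothing for the video-recording concern in the summary, since an observer still sees where on the picture the finger lands.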