Slashdot Mirror


The Problem With Windows 8's Picture Password

alphadogg writes "The Windows 8 feature that logs users in if they touch certain points in a photo in the right order might be fun, but it's not very good security, according to the inventor of RSA's SecurID token. 'It's cute,' says Kenneth Weiss, who now runs a three-factor authentication business called Universal Secure Registry. 'I don't think it's serious security.' The major downside of the picture password is that drawing a finger across a photo on a touch screen is easy to video record from a distance — making it relatively easy to compromise, he says."

3 of 206 comments

  1. Video?! by Anonymous Coward · Score: 5, Interesting

    Just look at the greasy finger marks

    1. Re:Video?! by pclminion · Score: 5, Interesting

      Right. Because other than logging in, nobody ever touches the screen of their touchscreen device. Furthermore, typing a password on a touchscreen keyboard doesn't leave smudges that could be seen by anyone... Come on dude.

      I actually have a BUILD tablet (the ones MS handed out in September) and I use the picture login. It keeps the tablet private enough for my purposes. Of course, my password is to simply triple-tap on a particular spot on the image, so it doesn't leave a grease trail that stands out, particularly.

    2. Re:Video?! by hawguy · Score: 5, Interesting

      Even in the worst-case scenario where the computer was used for nothing but logging in with the picture password, the math works out that it's still more reliable than the 4-digit pin that many other devices use.

      I'm not so sure I trust the math, since the math is only part of the equation. (no pun intended...well, maybe it was)

      They claim that a 3 tap password has 2.7M combinations, but that's only true if each of the coordinates on the screen was equally likely to be tapped.

      But if the security image is a photo with 2 people and a dog, against a white wall it's pretty likely that I can guess where the taps are, so I only have to guess the order.

      Likewise, instead of a single line resulting in 1,949 unique gestures, in reality there are only 6 likely candidates. (and I bet most of the time if I draw the line from the face of the guy holding the dog's leash to the dog, then I'll have guessed correctly)

      Sure, someone may decide to tap on the lower left corner of the blank wall to make their passcode more secure, but the average person will probably stick with the faces.
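A worked illustration of the keyspace argument in hawguy's comment, added here and not part of the original thread or of Microsoft's implementation. It takes the two figures quoted in the comment (2.7M three-tap combinations, 1,949 single-line gestures) as the nominal key space, assumes a photo with three obvious points of interest (two people and a dog, as in the comment), and computes how many candidates remain once an attacker assumes taps and lines land only on those points, alongside a 4-digit PIN for comparison. The 90%/10% user-behaviour split in the success-probability model is a constructed assumption, not a measured value.

```python
"""Effective key space of a picture password under a point-of-interest prior.

Constructed example: the nominal counts are the figures quoted in the thread,
the POI list and the 90%/10% behaviour split are assumptions for illustration.
"""
from itertools import permutations, product
from math import log2

NOMINAL_THREE_TAPS = 2_700_000   # figure quoted in the thread
NOMINAL_ONE_LINE = 1_949         # figure quoted in the thread
FOUR_DIGIT_PIN = 10 ** 4

# Assumed photo content: two people and a dog against a blank wall.
POIS = ("person_left", "person_right", "dog")


def bits(n: int) -> float:
    """Guessing entropy in bits of a secret chosen uniformly from n candidates."""
    return log2(n)


def tap_sequences(pois, n_taps, allow_repeat=False):
    """Ordered tap sequences an attacker would try if taps land only on POIs.

    With allow_repeat=False this is 'guess the order' only, as the comment says.
    """
    if allow_repeat:
        return [tuple(seq) for seq in product(pois, repeat=n_taps)]
    return list(permutations(pois, n_taps))


def directed_lines(pois):
    """Lines from one POI to another; direction matters, so (a, b) != (b, a)."""
    return list(permutations(pois, 2))


def compare(pois=POIS, n_taps=3):
    """Nominal vs. effective key space for three taps and one line, plus a PIN."""
    eff_taps = len(tap_sequences(pois, n_taps))
    eff_lines = len(directed_lines(pois))
    return {
        "nominal_three_taps": NOMINAL_THREE_TAPS,
        "nominal_three_taps_bits": round(bits(NOMINAL_THREE_TAPS), 2),
        "effective_three_taps": eff_taps,
        "effective_three_taps_bits": round(bits(eff_taps), 2),
        "nominal_one_line": NOMINAL_ONE_LINE,
        "effective_one_line": eff_lines,
        "four_digit_pin": FOUR_DIGIT_PIN,
        "four_digit_pin_bits": round(bits(FOUR_DIGIT_PIN), 2),
    }


def success_within(k, poi_mass=0.9, n_poi_candidates=6, nominal=NOMINAL_THREE_TAPS):
    """Probability a guesser who tries POI sequences first succeeds in k tries.

    Assumed behaviour model: a fraction poi_mass of users pick one of the
    n_poi_candidates obvious sequences (uniformly), the rest pick uniformly
    from the remaining nominal candidates. This is what a lockout threshold
    has to be sized against, not the nominal 2.7M.
    """
    if k <= n_poi_candidates:
        return k * poi_mass / n_poi_candidates
    rest = nominal - n_poi_candidates
    extra = min(k - n_poi_candidates, rest)
    return poi_mass + extra * (1 - poi_mass) / rest


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>26}: {value}")
    for attempts in (1, 3, 6, 10):
        print(f"success within {attempts:>2} guesses: {success_within(attempts):.3f}")
```

The point the numbers make is that the nominal 21 bits collapse to under 3 bits (six candidates) once the attacker assumes the taps sit on the faces and the dog, which is less than a 4-digit PIN's 13 bits; a lockout policy sized against 2.7M candidates would be sized against the wrong denominator.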