The Problem With Windows 8's Picture Password
alphadogg writes "The Windows 8 feature that logs users in if they touch certain points in a photo in the right order might be fun, but it's not very good security, according to the inventor of RSA's SecurID token. 'It's cute,' says Kenneth Weiss, who now runs a three-factor authentication business called Universal Secure Registry. 'I don't think it's serious security.' The major downside of the picture password is that drawing a finger across a photo on a touch screen is easy to video record from a distance — making it relatively easy to compromise, he says."
Just look at the greasy finger marks
...which are obviously not prone to being videotaped, like passwords typed into a keyboard, 2 factor tokens that cannot be stolen, smart cards with super hard to guess 4 digit PINs, etc.
Surely an accomplished individual like him could put out a serious paper on why picture passwords aren't good security, if they aren't. The math seemed alright in the Microsoft blog, so I don't know what the problem is.
Oh, I know what it is, he's the head of a company that offers alternative security products that use multi-factor authentication. *Of course* well implemented multi-factor auth is more secure than single-factor, but if he weren't in charge of a company trying to sell a product, would this article even exist? Probably not.
The lock on your diary offers little protection from a skilled locksmith; most can be opened with a simple bent piece of metal.
If you have someone following you around with cameras trying to capture your login info to use later when they have physical access to your machine, a traditional password probably isn't going to cut it either. This provides the same kind of "guy walking by" protection as traditional passwords do. OK, maybe less... but still. Maybe this will actually push people towards more secure auth for serious things by highlighting how insecure a basic password is.
All that said, I think it’s a pretty stupid feature ;p
Of course it's not "very good" security. Neither is Android's face unlock. Neither are PINs. Neither are passwords. etc. etc. etc.
The whole point of things like this are that they're better than no security and that people will actually use them. You can have the best security setup in the world, but if users never enable it because it's too much of a pain in the ass, then it's worthless.
I could unlock my friend's Android phone just by studying the smudge patterns on the touchscreen. I imagine this would be just as easy.
Then you can use the actual password on the on-screen keyboard. The picture password is just an optional convenience feature.
Keyboard keystrokes aren't just as easy to record?
Hence, RSA tokens + passwords (something you have + something you know)
Smart cards + biometrics (not perfect, but something you have + something you are)
Or even all three, for the truly paranoid (smart card + biometric scan + password)
Even with all three, a sufficiently determined entity with sufficient resources can overcome it. Video recording + physical acquisition of the owned object + physical acquisition of the biometric object (hope it's just a fingerprint scan and not a retinal scan!) will get an intruder past the security trifecta.
What next, DNA + mind scan + a password > 512 bytes?
Then you can use the actual password on the on-screen keyboard. The picture password is just an optional convenience feature.
Thank you for being a sensible person. :) Not everybody needs a 12800000 bit security system to get into their windows touch screen device.
Here are the links to the relevant Microsoft blog posts:
http://blogs.msdn.com/b/b8/archive/2011/12/16/signing-in-with-a-picture-password.aspx
http://blogs.msdn.com/b/b8/archive/2011/12/19/optimizing-picture-password-security.aspx
For only $99.95, you can buy our three factor authentication software for one year! That's right, keep criminals from stealing your digital camera pictures of your cat for a nominal fee! I'm willing to bet this picture security is no less secure than typing on a keyboard that's visible on the screen and combining it with the screen smudges. Domains probably won't use this authentication anyway, or at least it'll be optional.
So QUERTY becomes "Head, Shoulders, Knees and Toes". I'm guessing in many cases that the picture itself would suggest how it was to be interacted with.
They WILL forget their password. We have laptops here with fingerprint scanners. Everyone who uses the scanner (optional) has forgotten their password.
If I were God, wouldn't I protect my churches from acts of me?
"Good" is in this case equivocal. Are picture passwords highly secure? Probably not. So they aren't very good in that sense. Are they easy to use and secure enough for most purposes? Yes, making them extremely good for the average user. Which makes them better security in many ways than multi-factor authentication, which would be absurd for a tablet device that isn't carrying top-secret documents. As people have pointed out many times, complex security often ends up being less secure, as the user has to find ways of remembering long passwords, gets sick of the wasted time and just uses "1234" for both of the redundant passwords, or just turns off the security as soon as they can or ignores it entirely (Windows UAC under Vista).
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
Has he even tried this? I can't reliably login using the picture password setting, and I'm the one that set up the "password". I'm not convinced a video recording would suffice. I could, just as easily, video record your keyboard from a distance, but that's not going to net you my password very reliably either. Not unless you're a chicken pecker.
Joseph Elwell.
Who set these limits anyway? How is anybody going to brute force a password within a few tries? The combinations for an 8 character pass are massive. Something more reasonable would be 50 for a timeout and recurrence for a lockout.
You remember the passwords of the old days that your users had? That were the names of their loved ones, their birthday or the ever popular "test", "password" and "12345"?
Guess what, they'll get a revival. For the same damn reason: People have no idea about security and they don't give a fuck about it. They prefer easy to remember passwords to secure ones. Just that with picture passwords, unlike standard typed ones, it's kinda hard to implement password security standards.
Why is it more insecure than typed passwords? Well, take your average photo. Now imagine what 4 points a person might be touching in it. Can you spot more than 6 "sensible" spots? People will choose points in the picture that stand out, and there won't be many more than 4-6 points that stand out. Unless some kind of 3-strikes-rule gets implemented (not bloody likely on a private computer, or even corporate computers after helpdesk had to reset the password for the n-th time because people failed to hit the right spot on their picture), it just takes rather few attempts at "connect-the-dots" before you find one that fits.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
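Added example, not written by any poster in this thread: a small Python script that puts a number on the "few sensible spots" argument above. It enumerates every 4-tap sequence over a constructed photo with 20 tappable points, 6 of which are "obvious" and (by assumption) ten times more likely to be picked than the rest, then counts how many guesses an attacker who tries the most popular sequences first needs to break half of the users. The point weights, the 10:1 skew and the 20-point photo are all assumptions for illustration, not measured data.

```python
"""Effective guess count for picture-password taps when users favour a few
salient spots.  Added illustration; the point weights below are constructed,
not measured data."""
import itertools
import math


def sequence_distribution(point_weights, length):
    """Probability of every ordered tap sequence of the given length, assuming
    each tap is drawn independently from the normalised point weights."""
    total = sum(point_weights.values())
    probs = {p: w / total for p, w in point_weights.items()}
    dist = {}
    for seq in itertools.product(probs, repeat=length):
        pr = 1.0
        for p in seq:
            pr *= probs[p]
        dist[seq] = pr
    return dist


def guesses_to_cover(dist, fraction):
    """Guesses needed, trying the most popular sequences first, to succeed
    against the given fraction of users."""
    cum = 0.0
    for n, pr in enumerate(sorted(dist.values(), reverse=True), start=1):
        cum += pr
        if cum >= fraction:
            return n
    return len(dist)


def expected_guesses(dist):
    """Massey guesswork: expected number of guesses in optimal order."""
    return sum(n * pr for n, pr in
               enumerate(sorted(dist.values(), reverse=True), start=1))


# Constructed photo: 20 tappable points, 6 of them "obvious" (eyes, nose,
# mouth...) and assumed 10x more likely to be picked than the other 14.
SALIENT = {f"salient{i}": 10 for i in range(6)}
BACKGROUND = {f"bg{i}": 1 for i in range(14)}
SKEWED = {**SALIENT, **BACKGROUND}
UNIFORM = {p: 1 for p in SKEWED}


def compare(length=4, fraction=0.5):
    """Guess counts for the skewed (realistic) and uniform (ideal) choices."""
    skew = sequence_distribution(SKEWED, length)
    flat = sequence_distribution(UNIFORM, length)
    return {
        "space": len(flat),
        "uniform_guesses": guesses_to_cover(flat, fraction),
        "skewed_guesses": guesses_to_cover(skew, fraction),
        "skewed_expected": expected_guesses(skew),
    }


if __name__ == "__main__":
    r = compare()
    print(f"sequence space: {r['space']}")
    print(f"guesses for 50% of users, uniform: {r['uniform_guesses']}")
    print(f"guesses for 50% of users, skewed: {r['skewed_guesses']}")
    print(f"expected guesses, skewed: {r['skewed_expected']:.0f} "
          f"(~{math.log2(r['skewed_expected']):.1f} bits)")
```

The raw space is 20^4 = 160,000 sequences, but under the skewed choice the 1,296 all-salient sequences alone account for over 40% of users, so the attacker needs a few thousand guesses rather than eighty thousand to reach half of them. Any lockout policy has to be judged against the skewed number, not the raw one.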
How the hell do you typo QWERTY?
I have heard about "image" passwords that sound like they could work.
Your password could be "car" and "flower". You would be presented with a "random" photo that had lots of things in it - but only a single car and flower. Humans can pick out the car and flower easily - even when presented with a new photo. Harder to automatically hack.
Of course it's not foolproof. For that I give you xkcd.
http://xkcd.com/538/
What makes me worry about Win8 is them pressing hard to merge Win8 with their next console OS. I sincerely hope this will not be pulled through. It's already bad enough that you need a Windows Live account for more and more games you try to play on your PC, but pretty much being forced to have one gets kinda ridiculous.
And I fully expect that to happen. I just got a Windows OS based cellphone at work (not my choice, mind you...). No Zune account, no system update. Think it will be different with Win8?
Am I the only one that has seen the film adaptation of Johnny Mnemonic? Only government-sponsored dolphins will be able to crack into Windows 8 with this enabled!
"He who can destroy a thing, controls a thing." --Paul Atreides, Dune
To be fair he *is* an expert in poor security.
One of these is not like the other.
Anons need not reply. Questions end with a question mark.
- Hey, give it back your bastard! Eh, at least he is not going to get any of my secret data - it is fingerprint protected! ... Leave me at least left hand, pleeaseee!
- What are you doing with this knife?! Aaaaaaaargh...
- You sick fuck! And what makes you so sure I use right index finger anyway? No, wait, this was just a joke!
- Omg, he has an axe too
- Well, I can't use fingerprint scanner anymore so I will get a laptop with iris scanner. What could go wrong?
I do not use a QWERTY keyboard, you insensitive clod!
Score: i, Imaginary
I'm sure it'll keep young children out, and keep the prankster in your dorm from loading up your computer with gay porn.
No, I will not work for your startup
Lame - most people click on the same things; years ago somebody did this on a website along with stats on the clicks, and you could easily see that people picked the same stuff, just like they do with passwords... except passwords are far more flexible than a few x/y coordinates. Sure, you could save a ton of them, trying to make a simple signature, which would help greatly, but it wouldn't be any greater than a signature, which is something that doesn't compare to a decent password.
I'm sure we will hear of people having to calibrate their touch screens, wash their hands, configure a new touch screen, or leave wear marks on their login screen. At least with a keyboard you touch it to use it for a lot of purposes besides login, and because it's a simple array of buttons there is less to go wrong or configure (try configuring something when you can't login.)
Democracy Now! - uncensored, anti-establishment news
Because I get aoeu when I type ASDF.
In Soviet Russia, articles before post read *you*!
or just turns off the security as soon as they can or ignores it entirely (Windows UAC under Vista).
To be fair, UAC was probably the most annoying security feature I have used in the modern era. I don't know if the threshold is just set ridiculously low, or what, but with UAC on you can hardly do a fucking thing without a window popping up asking if you would like to allow the program to run.
Use a picture of a keypad.
Because the Android "connect the dots" is so much better. Not to mention using a standard 10 key on iPhone. At least somebody is trying.
How the hell do you typo QWERTY?
Good question and thank you kind AC for pointing it out. I guess it happened because my fingers don't willingly type misspelled words and I type 'query' about a million times more often than I type qwerty.
How the hell do you typo QWERTY?
ASDFG
Knowledge is power. Knowledge shared is power lost.
The "things" that matter the most to me, my most valuable "things", are protected by a flimsy wooden door with easily breakable hinges and easily pickable locks - my wife and kids. I would think if you apply your logic, then unless your wife and kids were locked up in a vault in, say, Fort Knox, you would consider it insecure?
My point being that it's a risk/reward thing. If you have something on your tablet that needs 3 factor authentication, you would have 3 factor authentication. But not everything needs 3 factor authentication. I don't need to lock up my family in fort knox. Just like I don't need what I have on my tablet to be protected by a 3 factor auth.
That could work if you had pictures with multiple objects. Something like cat-ball-car ... But you would need some crowd sourcing to generate the data. Or use something like Settlers of Catan pieces, or Magic the Gathering cards. Click 3 roads or 5 mana symbols.
Bonus points if you built a modular system.. So people can make their own image packs... Allowing for more "inside jokes".
But if the security image is a photo with 2 people and a dog, against a white wall it's pretty likely that I can guess where the taps are, so I only have to guess the order.
In that case... don't choose a photo of 2 people and a dog.
What you're saying is "This system has very poor security, if they choose the pictures poorly and each picture has very few probable combinations". Pretty obvious answer is: Don't choose such pictures. I'd guess that before they choose a picture for this purpose, they do some testing on what kind of patterns people use and discard the pictures where there is too little distribution. Of course, users may always use the most obvious pattern and they might be able to choose a picture themselves and use too simple picture... but users can also choose very stupid passwords.
Wouldn't it be prudent for the inventor of "RSA's SecurID token" to say that basically any security system other than his is ineffective?
Those are two different problems. Typically a brute force attack would be carried out against the password hash. So you get access to the hard disk and you want to figure out some guy's domain credentials. That's the 8+ digit password that's slow to brute force. The comparison here is against 4 to 6 digit pins you find on most tablets, eg ipad. The hardware holds the encryption keys and only allows a few attempts before permanently destroying the decryption key. That effectively erases the device. So in cases such as phones and tablets where you have trusted hardware, you only need to worry about 5 attempts. If you're dealing with an older-style system where the password hash can be easily retrieved from the hardware to brute-force externally, you need a much larger set of password combinations.
And here I thought the major problem would be "I'll feel stupid using it." ;)
Friend: "The NIC is misconfigured..." Me: "No prob, I'll just telnet in and fix it." *Silence*
Does that force Windows to allow any login? Seems to me like it would just lock up the entire system and no one would be able to get in.
All the world's a CPU, and all the men and women merely AI agents
Your biometrics are mandatory and will appear on facebook or on the FBI most wanted list *eek*
All cows eat grass!
http://cs.dartmouth.edu/~averyyen/CCP/project.pdf
But seriously, wouldn't anyone actually coding this system up for production use quickly realize that some points in a picture are going to be chosen more often than others?
coding is life
Well, if the computer is configured to even let a boot CD load up, then I don't see why they can't just use Knoppix to get their files off the system.
And that photo of Felicia Day the Slashdotter was using as his security picture? Eleven out of ten security specialists guessed two points on the touch screen in less than a second.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Where to go from here ....
* In case you lost your password.
* Or the OS goofed up with some issue, which is more likely ... how to get back?
* In case some crackers got in, they can replace the image.
* Two users using the same image?
Then you can use the actual password on the on-screen keyboard.
And if they use the on-screen password to mistype the actual password intentionally, enough times to get the unit to lock out / self-destruct, as their form of deviousness ?
The problem with entering an actual password using an on-screen keyboard, is that this is easily videotaped. And therefore insecure.... oh wait...
Just using letters and digits, those 8 million combinations are roughly equal to a 4 character password (~2 million combinations, or ~15 million combinations if you also allow caps).
So it would be 3 drags vs. 4 taps (on a keyboard)... wooptidoo.
Security risks are never 100% prevented, it is all about risk mitigation. This is better as a user experience than password complexity rules that cause a user to write down his password on a sheet of paper. For the majority of regular users, nobody is going to go through the expense and trouble of these paranoid scenarios that security solutions companies try to convince you are an imminent threat. The more likely threat is what I call the 'gun to the head attack'. In all instances it is cheaper and easier to use the threat of physical violence to gain access. And nothing protects against that really. Moral of the story, do not keep sensitive data on an end point device.
All of these would help secure picture passwords and protect against snoopers.
Warning, incoming maths.
Say you've a face photo, that's got 6 possible active areas (eyes, nose, mouth, ears). Four taps would mean 216 combinations. Not amazing.
However what if you allowed multiple gestures? If you, for example, forced every tap to be a swipe between two of the possible areas, that changes a 1/6 chance of getting it to a 1/30 chance (1 in 6 of getting the start, 1 in 5 of the finish). Add that to the taps, that's a 1/36; add a circle around an area, 1 in 42 (there are probably other motions you can do but I'll leave it at that).
That means, provided a user doesn't stick to taps, you've odds of 1 in 3111696 of randomly guessing how a face was interacted with in 4 motions. Compared to 1 in 9999 for a PIN.
It's less prone to shoulder search too. It's far easier to see and remember '1823' than 'circle around left eye, nose to right ear, left ear to mouth, tap right eye', the smudges and fingerprints on the screen are harder to understand too.
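Added example, not from any poster in this thread: Python that builds the gesture alphabet the post above describes (tap an area, swipe between an ordered pair of areas, circle an area), sizes the sequence space, and then does what the earlier posts about lockout thresholds and brute-forcing the hash ask for: the attacker's chance of success under an online attempt limit versus the time to exhaust the space offline. The attempt limits (5 and 50 tries) and the offline rate (1e9 guesses per second) are assumptions for illustration; the verifier-side details of any real picture-password implementation are not modelled.

```python
"""Size of a gesture-sequence space and what it buys against an online
attacker facing a lockout versus an offline attacker holding the hash.
Added illustration; the counting rules follow the post above (taps,
start/finish swipes, circles around an area); the attempt limits and
hash rate used in the demo are assumptions."""
import math


def gesture_alphabet_size(areas, taps=True, swipes=True, circles=True):
    """Distinct single gestures over `areas` hot spots."""
    size = 0
    if taps:
        size += areas                  # tap one area
    if swipes:
        size += areas * (areas - 1)    # ordered start/finish pair
    if circles:
        size += areas                  # circle one area
    return size


def sequence_space(areas, gestures, **kinds):
    """Number of distinct sequences of `gestures` gestures (uniform choice)."""
    return gesture_alphabet_size(areas, **kinds) ** gestures


def password_space(length, alphabet):
    """Number of distinct typed passwords of a fixed length."""
    return alphabet ** length


def online_success_probability(space, attempts):
    """Chance an attacker guessing uniformly at random succeeds before a
    lockout that allows `attempts` tries, assuming the secret is uniform."""
    return min(1.0, attempts / space)


def offline_worst_case_seconds(space, guesses_per_second):
    """Time to exhaust the space when the attacker holds the verifier (hash)
    and no lockout applies; the expected time is half of this."""
    return space / guesses_per_second


if __name__ == "__main__":
    candidates = [
        ("4 taps on 6 areas", sequence_space(6, 4, swipes=False, circles=False)),
        ("4 mixed gestures on 6 areas", sequence_space(6, 4)),
        ("4-digit PIN", password_space(4, 10)),
        ("4-char alphanumeric password", password_space(4, 62)),
    ]
    for name, space in candidates:
        print(f"{name}: {space} combinations, {math.log2(space):.1f} bits; "
              f"P(success) with 5 online tries {online_success_probability(space, 5):.2e}, "
              f"with 50 tries {online_success_probability(space, 50):.2e}; "
              f"offline at 1e9/s: {offline_worst_case_seconds(space, 1e9):.3f} s")
```

Two things fall out of the numbers. First, with a hard online limit of a handful of tries, even a 4-digit PIN gives the attacker only a 1-in-2000 chance, which is why device-wipe lockouts make small spaces acceptable. Second, none of these spaces survives an offline attack for more than a fraction of a second at commodity hashing speeds, so the question that matters is whether the verifier can be extracted from the device, not whether the space is a million or a billion.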
Honestly, I have seen more than a few of my friends using an Android phone enter the grid swipe only once... and I think I still remember every single one of them. I myself use the grid swipe too, but I also enter the PIN for my SIM card when I boot the device up. I consider the grid swipe to be more of a "keypad lock" function than anything even resembling actual security from a data confidentiality standpoint.
If I ever use my android device to hold anything really confidential (no, sorry, honey-bunny text messages with my girlfriend don't count in this sense of the word because, at the end of the day, no one really cares enough about those type of things [and our messaging is somewhat "innocent" stuff in any case]) I'm going to use some real measures like strong encryption. Until that day, I'm not going to be bothered and just keep good care of my device.
I guess the Unix folk will need a dance pad, since it's purely command driven...
-- This space for lease, low setup fee, inquire within!
"trust, but verify"
Passwords keep people on the honest side for the most part. If you don't use a password, you're open game.
Jeezus! Why not just use a keyboard and enter a password? I know that I would rather deal with a 101 key keyboard rather than a changing array of 256 random pictures!
The "things" that matter the most to me, my most valuable "things", are protected by a flimsy wooden door with easily breakable hinges and easily pickable locks - my wife and kids.
Valuable to you, is what you meant to say.
Doesn't work. Just rerun the picture test enough times to deduce that the constant is that you always get cars and flowers, but other items are subject to change. So then by induction, you try one more thing. Three constant things. Well then there are only 6 ways to choose 2 elements. Fine, make all say, 9 pictures constant "things", one of which is a car and one of which is a flower. How many 2-permutations? 72.
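Added example, not from any poster in this thread: Python that carries out the intersection attack described in the reply above against the "pick the car and the flower" scheme proposed earlier. The attacker records the set of objects shown on each challenge screen and intersects them; whatever survives every screen is the secret. It then applies the countermeasure the reply mentions (a fixed set of always-present objects) and counts the orderings left to try. The challenge screens are constructed object lists, and the decoy pool and round counts are assumptions; no real implementation of such a scheme is modelled.

```python
"""Intersection attack on a 'pick the car and the flower' image password.
Added illustration; the challenge screens are constructed object lists,
not the output of a real scheme."""
import itertools
import random


def make_challenge(secret_objects, decoy_pool, n_decoys, rng):
    """One challenge screen as the set of objects it shows: the user's secret
    objects plus n_decoys decoys sampled from the pool."""
    return set(secret_objects) | set(rng.sample(decoy_pool, n_decoys))


def constants_across(challenges):
    """Objects present on every observed screen: the attacker's candidate set."""
    it = iter(challenges)
    common = set(next(it))
    for screen in it:
        common &= set(screen)
    return common


def ordered_guesses(candidates, length):
    """Orderings the attacker still has to try once the candidate set is
    known (the secret is an ordered sequence of `length` objects)."""
    return list(itertools.permutations(sorted(candidates), length))


def attack(challenges, length=2):
    """Intersect the observed screens and enumerate the remaining guesses."""
    cands = constants_across(challenges)
    return cands, ordered_guesses(cands, length)


# Constructed observation: three screens recorded while the victim logged in.
OBSERVED = [
    {"car", "flower", "dog", "tree", "bench"},
    {"car", "flower", "cat", "house", "bicycle"},
    {"car", "flower", "boat", "dog", "lamp"},
]

SECRET = ("car", "flower")
DECOYS = ["dog", "tree", "bench", "cat", "house", "bicycle", "boat", "lamp",
          "bird", "clock", "shoe", "ball"]


def attack_with_fixed_decoys(n_fixed, length=2, rounds=5, seed=1):
    """Countermeasure from the reply above: always show the same n_fixed
    decoys so the intersection stops shrinking.  The attacker is left with
    P(n_fixed + len(SECRET), length) orderings instead of one."""
    rng = random.Random(seed)
    fixed = DECOYS[:n_fixed]
    screens = [make_challenge(SECRET, fixed, n_fixed, rng) for _ in range(rounds)]
    return attack(screens, length)


if __name__ == "__main__":
    cands, guesses = attack(OBSERVED)
    print("constants on every screen:", sorted(cands))
    print("orderings left to try:", len(guesses), guesses)
    cands, guesses = attack_with_fixed_decoys(7)
    print("with 7 fixed decoys: candidates", len(cands), "orderings", len(guesses))
```

With varying decoys, three screens are enough to leave exactly two candidates and two orderings. With seven fixed decoys the intersection stalls at nine objects and 9 * 8 = 72 orderings, the figure the reply arrives at; that is still far smaller than any typed password, and it does not grow with more observation rounds, since the intersection can never shrink below the fixed set.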