Slashdot Mirror


The Problem With Windows 8's Picture Password

alphadogg writes "The Windows 8 feature that logs users in if they touch certain points in a photo in the right order might be fun, but it's not very good security, according to the inventor of RSA's SecurID token. 'It's cute,' says Kenneth Weiss, who now runs a three-factor authentication business called Universal Secure Registry. 'I don't think it's serious security.' The major downside of the picture password is that drawing a finger across a photo on a touch screen is easy to video record from a distance — making it relatively easy to compromise, he says."

14 of 206 comments

  1. Video?! by Anonymous Coward · · Score: 5, Interesting

    Just look at the greasy finger marks

    1. Re:Video?! by pclminion · · Score: 5, Interesting

      Right. Because other than logging in, nobody ever touches the screen of their touchscreen device. Furthermore, typing a password on a touchscreen keyboard doesn't leave smudges that could be seen by anyone... Come on dude.

      I actually have a BUILD tablet (the ones MS handed out in September) and I use the picture login. It keeps the tablet private enough for my purposes. Of course, my password is to simply triple-tap on a particular spot on the image, so it doesn't leave a grease trail that stands out, particularly.

    2. Re:Video?! by hawguy · · Score: 5, Interesting

      Even in the worst-case scenario where the computer was used for nothing but logging in with the picture password, the math works out that it's still more reliable than the 4-digit pin that many other devices use.

      I'm not so sure I trust the math, since the math is only part of the equation. (no pun intended...well, maybe it was)

      They claim that a 3 tap password has 2.7M combinations, but that's only true if each of the coordinates on the screen was equally likely to be tapped.

      But if the security image is a photo with 2 people and a dog, against a white wall it's pretty likely that I can guess where the taps are, so I only have to guess the order.

      Likewise, instead of a single line resulting in 1,949 unique gestures, in reality there are only 6 likely candidates. (and I bet most of the time if I draw the line from the face of the guy holding the dog's leash to the dog, then I'll have guessed correctly)

      Sure, someone may decide to tap on the lower left corner of the blank wall to make their passcode more secure, but the average person will probably stick with the faces.

    3. Re:Video?! by pruss · · Score: 5, Informative

      There is still the question of getting the swipes in the right order.

      When I wrote a PictureLogin beta app for Palms (back in 2007; no, it's not prior art for the MS patent, as it was tap-only rather than swipe), I made PictureLogin act as a quick login screen, with an immediate fallback to the default passkey login if it failed. It would be very unlikely an attacker would get in on the first try, but it would allow users to have a very fast login with as few as two taps, or maybe even with only one if one was willing to take a risk. That would also help with the fingerprint problem. I think I was also thinking about some security-by-obscurity options, such as a user using some fake form as their PictureLogin image, so that someone who stole or found the device would not know that it's actually a PictureLogin login screen. You turn it on, and you see some normal Palm screen. You tap once or twice in the right place(s) and you're in, and you tap even once in the wrong place and fall back. I never got around to a full release of PictureLogin, though the code is open source.
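
hawguy's point above (the nominal 2.7M-combination figure only holds if every tap location is equally likely) and pruss's quick-login-with-fallback idea both come down to the same question: how many tries does an attacker who knows where people tend to tap actually need? The block below is an added example, not code from either commenter or from Microsoft; it assumes a 100x100 tap grid, three hotspots (the faces and the dog) that attract 90% of taps, and independent taps, all constructed figures.

```python
"""Added example: how much a hotspot bias shrinks the guess space of a
tap-sequence picture password. Constructed model, not Microsoft's figures."""
import math

def biased_groups(n_hot, hot_mass, grid_cells, taps=3):
    """Model: each tap lands on one of `n_hot` hotspots (faces, the dog) with
    total probability `hot_mass`, otherwise uniformly on the rest of the grid.
    Returns [(prob_per_sequence, count)] for all taps-long sequences, grouped
    by how many hotspot taps they contain, most likely group first."""
    n_rest = grid_cells - n_hot
    p_hot, p_rest = hot_mass / n_hot, (1 - hot_mass) / n_rest
    groups = []
    for k in range(taps, -1, -1):          # k taps on hotspots, taps-k elsewhere
        count = math.comb(taps, k) * n_hot ** k * n_rest ** (taps - k)
        groups.append((p_hot ** k * p_rest ** (taps - k), count))
    return sorted(groups, reverse=True)

def uniform_groups(grid_cells, taps=3):
    """The nominal space: every sequence equally likely."""
    n = grid_cells ** taps
    return [(1.0 / n, n)]

def guessing_entropy(groups):
    """Expected number of guesses for an attacker trying the most likely sequences first."""
    total, rank = 0.0, 0
    for prob, count in groups:             # ranks rank+1 .. rank+count share prob
        total += prob * (count * rank + count * (count + 1) / 2)
        rank += count
    return total

def min_entropy_bits(groups):
    """Bits of security against a single best guess."""
    return -math.log2(groups[0][0])

def success_within(groups, attempts):
    """P(attacker succeeds within `attempts` tries), i.e. before a lockout or
    a fallback to the full password kicks in."""
    p, left = 0.0, attempts
    for prob, count in groups:
        take = min(count, left)
        p, left = p + take * prob, left - take
        if left == 0:
            break
    return p

if __name__ == "__main__":
    GRID = 100 * 100                       # assumed 100x100 tap grid
    for name, g in (("uniform", uniform_groups(GRID)), ("hotspot-biased", biased_groups(3, 0.9, GRID))):
        print(f"{name:15s} guesses={guessing_entropy(g):.3g} min-entropy={min_entropy_bits(g):.1f} bits "
              f"P(success<=5)={success_within(g, 5):.3f}")
```

Under these assumptions the 27 all-hotspot sequences alone carry about 73% of the probability mass, which is why a small attempt cap before falling back to the full password matters far more than the nominal size of the grid.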

  2. Passwords susceptible to surveillance, more at 11. by Anpheus · · Score: 5, Insightful

    Surely an accomplished individual like him could put out a serious paper on why picture passwords aren't good security, if they aren't. The math seemed alright in the Microsoft blog, so I don't know what the problem is.

    Oh, I know what it is, he's the head of a company that offers alternative security products that use multi-factor authentication. *Of course* well implemented multi-factor auth is more secure than single-factor, but if he weren't in charge of a company trying to sell a product, would this article even exist? Probably not.

  3. Well of course not... by DrEldarion · · Score: 5, Insightful

    Of course it's not "very good" security. Neither is Android's face unlock. Neither are PINs. Neither are passwords. etc. etc. etc.

    The whole point of things like this are that they're better than no security and that people will actually use them. You can have the best security setup in the world, but if users never enable it because it's too much of a pain in the ass, then it's worthless.

    1. Re:Well of course not... by Opportunist · · Score: 5, Insightful

      I dare to disagree. Bad security can actually be worse than no security. For more than one reason.

      First, the obvious one: People rely on security and act as if they're protected even though they are in fact not.

      The less obvious one is that a faulty and flawed security mechanism actually offers another attack vector. To use an example from a real security problem, imagine a door without a lock and no handle, opening to the outside. Without handle or lock, the door cannot be opened from the outside, since there is no way for you to pull at it, and pushing it won't do you no good. And a good, solid oak door is quite hard to bash in. Add a lock and you not only offer a point where an attacker can actually put a hook, you also have to weaken the door to apply the lock. If the lock is now flawed and easy to pick, you actually lowered the security of the door by adding a lock.

      It's the same with flawed IT security mechanisms.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    2. Re:Well of course not... by bherman · · Score: 5, Insightful

      Taking your analogy a bit further..... While you may have a more secure door without the lock, you also have what is commonly referred to as a wall. Without a way to use the door it is no longer serving its intended purpose. The most secure computer is one that is not on a network and cannot be physically accessed. Once you actually need to access it you are now weighing the tradeoff between usability and security. The picture password is intended to provide a way for users who wouldn't otherwise protect their device with a low impact way of doing so.

      --
      Error: Sig not found.

  4. I seem to recall an old standard . . . by mmell · · Score: 5, Insightful

    "Something you have, something you know and something you are. Pick two out of three."

    Hence, RSA tokens + passwords (something you have + something you know)

    Smart cards + biometrics (not perfect, but something you have + something you are)

    Or even all three, for the truly paranoid (smart card + biometric scan + password)

    Even with all three, a sufficiently determined entity with sufficient resources can overcome it. Video recording + physical acquisition of the owned object + physical acquisition of the biometric object (hope it's just a fingerprint scan and not a retinal scan!) will get an intruder past the security trifecta.

    What next, DNA + mind scan + a password > 512 bytes?

    1. Re:I seem to recall an old standard . . . by Anrego · · Score: 5, Insightful

      It has to scale to the requirement for security.

      My slashdot account doesn't need three factor authentication, however I wish my bank would have at least 2 (seriously, I've yet to find any banks in Canada, let alone my province (Nova Scotia) that offer something beyond a password. The hell!).

  5. Windows 8 security sucks, but... by HideyoshiJP · · Score: 5, Funny

    For only $99.95, you can buy our three factor authentication software for one year! That's right, keep criminals from stealing your digital camera pictures of your cat for a nominal fee! I'm willing to bet this picture security is no less secure than typing on a keyboard that's visible on the screen and combining it with the screen smudges. Domains probably won't use this authentication anyway, or at least it'll be optional.

  6. How many memorable ways can one gesture a photo? by DanLake · · Score: 5, Funny

    So QUERTY becomes "Head, Shoulders, Knees and Toes". I'm guessing in many cases that the picture itself would suggest how it was to be interacted with.

  7. Re:How many memorable ways can one gesture a photo by Anonymous Coward · · Score: 5, Funny

    How the hell do you typo QWERTY?

  8. Re:Another problem by qbast · · Score: 5, Insightful

    - Hey, give it back you bastard! Eh, at least he is not going to get any of my secret data - it is fingerprint protected!
    - What are you doing with this knife?! Aaaaaaaargh...
    - You sick fuck! And what makes you so sure I use right index finger anyway? No, wait, this was just a joke!
    - Omg, he has an axe too ... Leave me at least left hand, pleeaseee!
    - Well, I can't use fingerprint scanner anymore so I will get a laptop with iris scanner. What could go wrong?