Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows 8's Picture Passwords Weaker Than Users Might Hope

Posted by timothy on from the they-look-fine-at-fort-meade dept.

colinneagle writes with word of work done by researchers at Arizona State University, Delaware State University and GFS Technology Inc., who find that the multiple-picture sequence security option of Windows 8 suffers from various flaws -- some of them specific to a password system based on gestures, and some analogous to weaknesses in conventional passwords entered by keyboard. "The research found that the strength of picture gesture password has a 'strong connection' to how long a person spent setting up that password gesture. The most common gesture combination is three taps, meaning it took about 4.33 — 5.74 seconds to setup. Passwords with two circles and one line took the longest average input time of about 10.19 seconds. After studying why people choose certain categories of images, the most common gesture types and direction patterns in PGA passwords, the researchers developed an attack framework that is 'capable of cracking passwords on previously unseen pictures in a picture gesture authentication system.'"

6 of 51 comments (clear)

  1. Boop! by Anonymous Coward · · Score: 3, Funny

    Apparently circling the guy's bald head, and booping the girls on the noses is the 12345 of picture password gestures.

  2. Not good idea to use passwords a monkey can enter by JoeyRox · · Score: 4, Funny

    Three bananas and I can get my monkey to crack any gesture-based Windows 8 password. And for an additional banana he'll even throw his feces at the screen.

  3. Re:Not good idea to use passwords a monkey can ent by Jeremiah+Cornelius · · Score: 5, Funny

    Three bananas and I can get my monkey to crack any gesture-based Windows 8 password. And for an additional banana he'll even throw his feces at the screen.

    Windows 8?

    Who DOESN'T throw their feces at the screen?

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  4. It was never intended to be super strong by Barlo_Mung_42 · · Score: 4, Informative

    There is also an option to log in with a pin like on a phone. Both are meant there for convenience, not to be a strong lock. In order to take advantage of either an attacker would need physical access.

    1. Re:It was never intended to be super strong by HideyoshiJP · · Score: 5, Insightful

      Exactly this. Passwords like picture and PIN passwords are meant to keep your kids from installing software and/or getting to your porn collection/browser history. These types of passwords aren't exactly meant to keep you safe from more nefarious individuals.

  5. Re:Not good idea to use passwords a monkey can ent by roc97007 · · Score: 4, Funny

    My boss hates it when we do that.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.