Picture passwords promising, security researcher says
The security of Windows 8 picture passwords might not be as weak as some recent headlines indicate, and there are ways to maximize how hard they are to crack, researchers say.
Unlocking a Windows 8 machine by tapping points, circling objects, and drawing lines over an image on a touchscreen is no less secure than using a four-digit PIN to secure a cell phone's SIM card, says Sophos researcher Paul Ducklin on the NakedSecurity blog.
And by following advice issued by Microsoft itself, picture passwords can be made significantly more secure.
The issue came up when researchers at the Usenix Security Symposium proposed a method that improves an attacker's odds of guessing picture passwords, and flashy headlines about the paper claimed the research showed picture passwords were easily cracked.
Picture password security admittedly can be not-so-great, Ducklin notes, depending on how many gestures are used and how many points of interest the security picture contains. A point of interest is an area in a picture, such as a face, animal, or building, that people may commonly choose to include in the password by tapping it, circling it, or drawing a line to it.
Microsoft has developed a formula for figuring out how many possible passwords can be squeezed out of a single image based on the number of gestures and points of interest: (m × (1 + 2×5 + (m − 1)))^n, where m is the number of points of interest in the photo and n is the number of gestures in the picture password. So more points of interest in the picture, and particularly more gestures, significantly increase the number of possibilities and hence the security.
Also, the types of gestures chosen can increase the difficulty of mimicking them. A circle is more difficult than a tap and a line is more difficult than a circle, Microsoft researchers say. So a password with five gestures, all taps, would be easier to guess than one with five gestures, all lines.
To discourage brute force attacks against picture passwords, the system defaults to a traditional text password after five failed attempts with gestures.
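As an added illustration, not code from the article or from Microsoft, the Python below evaluates the formula quoted above, compares the resulting password space with the 10,000 combinations of a four-digit PIN, and bounds an attacker's chance of success under the five-attempt lockout. Reading the per-gesture factor as one tap, two circle directions times five circle sizes, and m − 1 line endpoints is an interpretation assumed here, not something the article states.

```python
import math

# Assumed reading of the article's formula (m * (1 + 2*5 + (m - 1)))**n:
# per point of interest there is 1 tap, 2 circle directions * 5 circle
# sizes, and (m - 1) possible endpoints for a line to another point.
TAP_CHOICES = 1
CIRCLE_CHOICES = 2 * 5
PIN_SPACE = 10 ** 4          # four-digit PIN, the comparison made above
LOCKOUT_ATTEMPTS = 5         # gesture attempts before fallback to text password


def picture_password_space(m: int, n: int) -> int:
    """Number of possible picture passwords for m points of interest
    and n gestures, per the formula quoted in the article."""
    if m < 1 or n < 1:
        raise ValueError("need at least one point of interest and one gesture")
    per_gesture = m * (TAP_CHOICES + CIRCLE_CHOICES + (m - 1))
    return per_gesture ** n


def entropy_bits(m: int, n: int) -> float:
    """Password space expressed in bits, for comparison with other schemes."""
    return math.log2(picture_password_space(m, n))


def at_least_pin_strength(m: int, n: int) -> bool:
    """True when the picture password space is no smaller than a 4-digit PIN's."""
    return picture_password_space(m, n) >= PIN_SPACE


def online_guess_probability(m: int, n: int,
                             attempts: int = LOCKOUT_ATTEMPTS) -> float:
    """Upper bound on an attacker's success probability when the lockout
    limits them to `attempts` random guesses (uniform choice assumed)."""
    return min(1.0, attempts / picture_password_space(m, n))


if __name__ == "__main__":
    for m, n in [(5, 2), (10, 3)]:
        print(f"m={m} n={n}: space={picture_password_space(m, n):,} "
              f"({entropy_bits(m, n):.1f} bits), "
              f"beats 4-digit PIN: {at_least_pin_strength(m, n)}, "
              f"P(success in {LOCKOUT_ATTEMPTS} tries) <= "
              f"{online_guess_probability(m, n):.2e}")
```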