
The Problem With Windows 8's Picture Password

timothy posted more than 2 years ago | from the guy-with-a-video-camera-also-a-threat dept.

Security 206

alphadogg writes "The Windows 8 feature that logs users in if they touch certain points in a photo in the right order might be fun, but it's not very good security, according to the inventor of RSA's SecurID token. 'It's cute,' says Kenneth Weiss, who now runs a three-factor authentication business called Universal Secure Registry. 'I don't think it's serious security.' The major downside of the picture password is that drawing a finger across a photo on a touch screen is easy to video record from a distance — making it relatively easy to compromise, he says."


Video?! (5, Interesting)

Anonymous Coward | more than 2 years ago | (#38465718)

Just look at the greasy finger marks

Re:Video?! (5, Interesting)

pclminion (145572) | more than 2 years ago | (#38465780)

Right. Because other than logging in, nobody ever touches the screen of their touchscreen device. Furthermore, typing a password on a touchscreen keyboard doesn't leave smudges that could be seen by anyone... Come on dude.

I actually have a BUILD tablet (the ones MS handed out in September) and I use the picture login. It keeps the tablet private enough for my purposes. Of course, my password is to simply triple-tap on a particular spot on the image, so it doesn't leave a grease trail that stands out, particularly.

Re:Video?! (3, Insightful)

Electricity Likes Me (1098643) | more than 2 years ago | (#38466272)

It's not about the probability of other fingerprints on the device - all you need is a fairly good idea of where someone has been tapping on a photo, and from the photo you will probably be able to guess which points they've used.

Re:Video?! (0)

Anonymous Coward | more than 2 years ago | (#38466292)

I touch the screen of my Android phone all the time but the greasy finger marks of its picture password are clearly visible. I expect a tablet screen to timeout and lock itself about as much as my phone does, but I might be wrong. From what I see the gestures on a Windows tablet lock screen are different from the Android ones but the problem should be the same. Furthermore the screen is bigger so the gestures are longer.

Anyway, whoever steals my phone will be able to break its security even if I'd use a PIN. If they don't, they'll sell it to somebody with the required expertise so I think that the only real security is keeping the phone in my pocket. I bet the same applies to a tablet or a computer. Maybe they can't read my encrypted data but they'll be able to flash and reformat it.

Re:Video?! (4, Insightful)

Anonymous Coward | more than 2 years ago | (#38466568)

As someone who has owned several touch-screen devices over the last decade, I've noticed that it's a common occurrence for the oil on fingers to accumulate in a tell-tale trail on the screen if you're often swiping a particular pattern. It's the primary reason I switched to a numeric pin rather than the pattern-based authentication on my Android phone. Doesn't seem to happen with taps as it does with swiping.

Re:Video?! (4, Informative)

peragrin (659227) | more than 2 years ago | (#38466590)

you must not use finger touch tablets very often.

I can always tell when someone plays a certain game on my phone, ipad, nook color. why? because the oil streaks have a pattern to them. certain games leave specific patterns. you may not know which is the beginning. but if 1/3 the screen doesn't have any oil on it then those parts are ones you don't have to think about.

Take a standard password of 12 keys. Now with a glance eliminate 75 out of 101 keys on the keyboard. It becomes a whole lot easier to brute force now.

Re:Video?! (1)

Mia'cova (691309) | more than 2 years ago | (#38466606)

That's why many of the gestures are directional. Compared to a pin, it's much better. And a 4-6 digit pin on a phone/ipad/etc is definitely the main comparison here.

Re:Video?! (4, Insightful)

adonoman (624929) | more than 2 years ago | (#38465808)

Even in the worst-case scenario where the computer was used for nothing but logging in with the picture password, the math works out that it's still more reliable than the 4-digit pin that many other devices use.

Re:Video?! (5, Interesting)

hawguy (1600213) | more than 2 years ago | (#38466068)

Even in the worst-case scenario where the computer was used for nothing but logging in with the picture password, the math works out that it's still more reliable than the 4-digit pin that many other devices use.

I'm not so sure I trust the math, since the math is only part of the equation. (no pun intended...well, maybe it was)

They claim that a 3 tap password has 2.7M combinations, but that's only true if each of the coordinates on the screen was equally likely to be tapped.

But if the security image is a photo with 2 people and a dog, against a white wall it's pretty likely that I can guess where the taps are, so I only have to guess the order.

Likewise, instead of a single line resulting in 1,949 unique gestures, in reality there are only 6 likely candidates. (and I bet most of the time if I draw the line from the face of the guy holding the dog's leash to the dog, then I'll have guessed correctly)

Sure, someone may decide to tap on the lower left corner of the blank wall to make their passcode more secure, but the average person will probably stick with the faces.

Re:Video?! (2)

FrootLoops (1817694) | more than 2 years ago | (#38466564)

You'd need to do some studies to see how non-uniform combination probabilities are. Asserting without proof that most people will choose easy-to-guess gestures is just as fallacious as just giving the number of unique combinations (which does not change) without discussing the underlying probability distribution.
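As an added illustration of the point argued in the two comments above (hawguy's objection that taps cluster on faces, and FrootLoops' reply that the underlying distribution is what has to be measured), not part of either post: a small Python model that keeps the raw count of ordered 3-tap sequences fixed and only changes how likely each region is to be chosen. The 4x5 region grid, the three-tap length and the point-of-interest weights are constructed assumptions, not figures from Microsoft's blog.

```python
"""Toy model of how a skewed tap distribution shrinks the effective key space
of a picture password. Added illustration, not code from the thread or from
Microsoft; the 4x5 region grid, the three-tap length and the point-of-interest
weights are constructed assumptions."""
from fractions import Fraction
from itertools import permutations
from math import log2

TAPS = 3
REGIONS = [f"r{i}" for i in range(20)]   # image coarsely divided into 20 regions

# Uniform model: every region equally likely (the way a plain combination
# count implicitly assumes).
UNIFORM = {r: 1 for r in REGIONS}

# Skewed model: three salient regions (two faces and a dog, say) dominate;
# the blank-wall regions remain possible but are rarely chosen. Constructed.
SKEWED = {r: (30 if r in ("r3", "r7", "r12") else 1) for r in REGIONS}


def sequence_distribution(region_weights, taps=TAPS):
    """Probability of every ordered sequence of `taps` distinct regions,
    drawing regions without replacement in proportion to their weight.
    Exact fractions are used so cumulative sums compare exactly."""
    total = sum(region_weights.values())
    dist = {}
    for seq in permutations(region_weights, taps):
        p, remaining = Fraction(1), total
        for r in seq:
            p *= Fraction(region_weights[r], remaining)
            remaining -= region_weights[r]
        dist[seq] = p
    return dist


def shannon_entropy_bits(dist):
    """Average information per chosen sequence, in bits."""
    total = 0.0
    for p in dist.values():
        fp = float(p)
        if fp > 0:
            total -= fp * log2(fp)
    return total


def guesses_to_cover(dist, coverage):
    """Best-first guesses needed before the cumulative probability of having
    hit the user's sequence reaches `coverage` (a guesswork-style measure,
    which is what an attacker with a guess budget actually cares about)."""
    cumulative = Fraction(0)
    for n, p in enumerate(sorted(dist.values(), reverse=True), start=1):
        cumulative += p
        if cumulative >= coverage:
            return n
    return len(dist)


def compare_models():
    """Return (entropy_uniform, entropy_skewed,
               guesses_for_50pct_uniform, guesses_for_50pct_skewed)."""
    u, s = sequence_distribution(UNIFORM), sequence_distribution(SKEWED)
    half = Fraction(1, 2)
    return (shannon_entropy_bits(u), shannon_entropy_bits(s),
            guesses_to_cover(u, half), guesses_to_cover(s, half))


if __name__ == "__main__":
    eu, es, gu, gs = compare_models()
    print(f"{len(REGIONS)} regions, {TAPS} taps: {20 * 19 * 18} ordered sequences in both models")
    print(f"uniform: {eu:.2f} bits, {gu} guesses to cover 50% of users")
    print(f"skewed:  {es:.2f} bits, {gs} guesses to cover 50% of users")
```

Both models have exactly 6840 ordered sequences, so the headline combination count is identical; only the entropy and the best-first guess count move, which is the quantity a lockout threshold or rate limit has to be set against. Swapping in measured tap frequencies for the constructed weights is the study FrootLoops is asking for.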

Re:Video?! (1)

KlomDark (6370) | more than 2 years ago | (#38466612)

Why did my mental voice suddenly shift to a low monotone when I read that?

You assume that designers are idiots (1)

F69631 (2421974) | more than 2 years ago | (#38466622)

But if the security image is a photo with 2 people and a dog, against a white wall it's pretty likely that I can guess where the taps are, so I only have to guess the order.

In that case... don't choose a photo of 2 people and a dog.

What you're saying is "This system has very poor security, if they choose the pictures poorly and each picture has very few probable combinations". Pretty obvious answer is: Don't choose such pictures. I'd guess that before they choose a picture for this purpose, they do some testing on what kind of patterns people use and discard the pictures where there is too little distribution. Of course, users may always use the most obvious pattern and they might be able to choose a picture themselves and use too simple a picture... but users can also choose very stupid passwords.

Re:Video?! (4, Insightful)

rsborg (111459) | more than 2 years ago | (#38466582)

Just look at the greasy finger marks

You know, the OS could mitigate this quite easily by moving around the picture, reorienting or rotating it. This would eliminate the benefit of muscle-memory, but allow it to be more secure.

Re:Video?! (3, Insightful)

KlomDark (6370) | more than 2 years ago | (#38466682)

Yeah, you can do that on a computer with a REAL screen, not those little iToys that all the cool kids have to carry around with them these days.

Can't wait for this fad to die down a bit so we can quit hearing all these retarded stories about "The Desktop Computer is DOOOOOOMMMEEEDD!" all the time.

Sure, it's eventually doomed, but not for a long time still. There are so many things that I do on a triple headed desktop that I would never want to attempt on a mobile or pad. (Coding, taxes, etc.) And some things are more convenient on a mobile device. (Driving directions, reading the news over lunch, etc.)

CricKet MessageMate II WTF! ;)

Re:Video?! (1)

KlomDark (6370) | more than 2 years ago | (#38466690)

Ha! Oops, that was supposed to be FTW, not WTF... :)

Unlike any other authentication... (1)

Anonymous Coward | more than 2 years ago | (#38465740)

...which are obviously not prone to being videotaped, like passwords typed into a keyboard, 2 factor tokens that cannot be stolen, smart cards with super hard to guess 4 digit PINs, etc.

Re:Unlike any other authentication... (3, Insightful)

Fluffeh (1273756) | more than 2 years ago | (#38465990)

The interesting thing to me is that on a photo there would be obvious "points of interest". If you had a picture of a few friends, you would likely use their faces as touch points. If you had a picture of a hillside with some houses, those would likely be the points that get touched. Don't get me wrong, I like the idea of this rather novel password concept, but I think that in terms of security (at least for the most part) that any photo would have obvious points that narrow down the possibilities.

Re:Unlike any other authentication... (3, Funny)

Anonymous Coward | more than 2 years ago | (#38465998)

If you had a picture of a few friends, you would likely use their boobs as touch points. FTFY

Re:Unlike any other authentication... (0)

Anonymous Coward | more than 2 years ago | (#38466426)

My friends are boobs!

Re:Unlike any other authentication... (1)

mabhatter654 (561290) | more than 2 years ago | (#38466394)

Anybody who really wants in is going to find other ways. If the device is stolen, they're most likely to want to wipe it and pawn it. If somebody is after information, they won't mess around and take it to somebody with skills.

That said, I still like KittenAuth. You could link to cheezburger and have a grid of constantly changing pictures. Then pick Kitten-puppy-turtle... Still easy to snoop with video, but again, anybody going to that trouble has done their homework.

Passwords susceptible to surveillance, more at 11. (5, Insightful)

Anpheus (908711) | more than 2 years ago | (#38465746)

Surely an accomplished individual like him could put out a serious paper on why picture passwords aren't good security, if they aren't. The math seemed alright in the Microsoft blog, so I don't know what the problem is.

Oh, I know what it is, he's the head of a company that offers alternative security products that use multi-factor authentication. *Of course* well implemented multi-factor auth is more secure than single-factor, but if he weren't in charge of a company trying to sell a product, would this article even exist? Probably not.

Re:Passwords susceptible to surveillance, more at (2, Informative)

Anonymous Coward | more than 2 years ago | (#38465856)

Re:Passwords susceptible to surveillance, more at (3, Informative)

Baloroth (2370816) | more than 2 years ago | (#38465886)

"Good" is in this case equivocal. Are picture passwords highly secure? Probably not. So they aren't very good in that sense. Are they easy to use and secure enough for most purposes? Yes, making them extremely good for the average user. Which makes them better security in many ways than multi-factor authentication, which would be absurd for a tablet device that isn't carrying top-secret documents. As people have pointed out many times, complex security often ends up being less secure, as the user has to find ways of remembering long passwords, gets sick of the wasted time and just uses "1234" for both of the redundant passwords, or just turns off the security as soon as they can or ignores it entirely (Windows UAC under Vista).

Re:Passwords susceptible to surveillance, more at (1)

Anonymous Coward | more than 2 years ago | (#38466234)

or just turns off the security as soon as they can or ignores it entirely (Windows UAC under Vista).

To be fair, UAC was probably the most annoying security feature I have used in the modern era. I don't know if the threshold is just set ridiculously low, or what, but with UAC on you can hardly do a fucking thing without a window popping up asking if you would like to allow the program to run.

I have heard of a version of this that works.... (1)

alexander_686 (957440) | more than 2 years ago | (#38465976)

I have heard about "image" passwords that sound like they could work.

Your password could be "car" and "Flower". You would be presented with a "random" photo that had lots of things in it - but only a single car and flower. Humans can pick out the car and flower easily - even when presented with a new photo. Harder to automatically hack.

Of course it's not foolproof. For that I give you xkcd.
http://xkcd.com/538/ [xkcd.com]

Re:Passwords susceptible to surveillance, more at (1)

mabhatter654 (561290) | more than 2 years ago | (#38466428)

Because the Android "connect the dots" is so much better. Not to mention using a standard 10 key on iPhone. At least somebody is trying.

Another problem (0)

tripleevenfall (1990004) | more than 2 years ago | (#38465750)

Another problem is that it's trivial to lock someone out by intentionally missing the password more than the allowed number of times.

Re:Another problem (4, Informative)

adonoman (624929) | more than 2 years ago | (#38465778)

Then you can use the actual password on the on-screen keyboard. The picture password is just an optional convenience feature.

Re:Another problem (1)

cyachallenge (2521604) | more than 2 years ago | (#38465852)

Then you can use the actual password on the on-screen keyboard. The picture password is just an optional convenience feature.

Thank you for being a sensible person. :) Not everybody needs a 12800000 bit security system to get into their windows touch screen device.

Re:Another problem (3, Informative)

Capt.DrumkenBum (1173011) | more than 2 years ago | (#38465880)

They WILL forget their password. We have laptops here with fingerprint scanners. Everyone who uses the scanner (optional) has forgotten their password.

Re:Another problem (5, Insightful)

qbast (1265706) | more than 2 years ago | (#38466106)

- Hey, give it back, you bastard! Eh, at least he is not going to get any of my secret data - it is fingerprint protected!
- What are you doing with this knife?! Aaaaaaaargh...
- You sick fuck! And what makes you so sure I use right index finger anyway? No, wait, this was just a joke!
- Omg, he has an axe too ... Leave me at least left hand, pleeaseee!
- Well, I can't use fingerprint scanner anymore so I will get a laptop with iris scanner. What could go wrong?

Re:Another problem (0)

Anonymous Coward | more than 2 years ago | (#38466368)

"Simon says, 'Teddybear.'"

Re:Another problem (1)

cyachallenge (2521604) | more than 2 years ago | (#38465938)

Who set these limits anyway? How is anybody going to brute force a password within a few tries. The combinations for an 8-character pass are massive. Something more reasonable would be 50 for a timeout and recurrence for a lockout.
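The exchange above (tripleevenfall's point that a hard attempt limit lets anyone lock the owner out, adonoman's reply that the typed password remains as a fallback, and cyachallenge's preference for timeouts over lockouts) describes a policy choice that is easy to make concrete. The following Python simulation is an added example, not code from Windows 8 or from any of the posters; the thresholds, the delay schedule and the 24-hour window are constructed assumptions. It runs two failed-attempt policies on a virtual clock and reports what each costs an adversary who guesses once per second, and what each costs the owner after an adversary has deliberately burned attempts.

```python
"""Two ways a lock screen can respond to repeated wrong unlock attempts,
simulated on a virtual clock in whole seconds. Added illustration; the
thresholds, delays and the 24-hour window are constructed assumptions,
not Windows 8 behaviour."""


class HardLockout:
    """Refuse every attempt after `max_failures` consecutive failures until
    the user authenticates some other way (the 'use the real password'
    fallback mentioned in the thread)."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def attempt(self, now, correct):
        if self.locked:
            return "locked"
        if correct:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return "fail"


class EscalatingDelay:
    """After `free_attempts` failures, impose a waiting period that doubles on
    every further failure, capped at `max_delay` seconds. Nothing is ever
    locked permanently, so wrong guesses alone cannot deny the owner access
    for longer than the cap."""

    def __init__(self, free_attempts=5, base_delay=30, max_delay=3600):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = 0
        self.not_before = 0

    def attempt(self, now, correct):
        if now < self.not_before:
            return "wait"            # attempt is not evaluated at all
        if correct:
            self.failures = 0
            self.not_before = 0
            return "ok"
        self.failures += 1
        over = self.failures - self.free_attempts
        if over > 0:
            delay = self.base_delay * 2 ** min(over - 1, 20)
            self.not_before = now + min(delay, self.max_delay)
        return "fail"


def guesses_in_window(policy, window_seconds):
    """Wrong guesses an adversary gets evaluated, trying once per second."""
    return sum(policy.attempt(t, False) == "fail" for t in range(window_seconds))


def owner_wait_seconds(policy, adversary_failures, patience=24 * 3600):
    """Adversary submits `adversary_failures` wrong attempts at t=0,1,2,...;
    the owner then presents the correct secret once per second. Returns the
    seconds the owner waited, or None if the policy never lets them in."""
    for t in range(adversary_failures):
        policy.attempt(t, False)
    start = adversary_failures
    for t in range(start, start + patience):
        if policy.attempt(t, True) == "ok":
            return t - start
    return None


if __name__ == "__main__":
    day = 24 * 3600
    print("hard lockout: guesses/day =", guesses_in_window(HardLockout(), day),
          "| owner after 5 bad attempts:", owner_wait_seconds(HardLockout(), 5))
    print("escalating:   guesses/day =", guesses_in_window(EscalatingDelay(), day),
          "| owner after 6 bad attempts:", owner_wait_seconds(EscalatingDelay(), 6))
```

With these constructed parameters the hard lockout allows five guesses and then shuts the owner out too, while the escalating delay allows a few dozen evaluated guesses per day yet delays the owner by at most the cap. Whether a few dozen guesses a day is acceptable depends on how concentrated the gesture distribution is, which is exactly why the thread's earlier argument about guessable taps and the choice of lockout policy belong together.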

In other news (4, Insightful)

Anrego (830717) | more than 2 years ago | (#38465758)

The lock on your diary offers little protection from a skilled locksmith; most can be opened with a simple bent piece of metal.

If you have someone following you around with cameras trying to capture your login info to use later when they have physical access to your machine a traditional password probably isn’t going to cut it either. This provides the same kind of “guy walking by” protection as traditional passwords do. Ok, maybe less.. but still. Maybe this will actually push people towards more secure auth for serious things by highlighting how insecure a basic password is.

All that said, I think it’s a pretty stupid feature ;p

Re:In other news (4, Funny)

mrclisdue (1321513) | more than 2 years ago | (#38465798)

All that said, I think it’s a pretty stupid feature ;p

Ah, but if you imagine goatse as the login photo...how brilliant is that?

cheers,

Re:In other news (1)

ottothecow (600101) | more than 2 years ago | (#38465898)

depends what you have to poke it with

Re:In other news (1)

Billlagr (931034) | more than 2 years ago | (#38466672)

Wow..what an awesome deterrent! Who would want to be poking and making swiping gestures across THAT! Rather than making a difficult to crack password, just make the device so nobody actually wants to put their finger on it!

Re:In other news (0)

Anonymous Coward | more than 2 years ago | (#38465828)

Why is this a stupid feature? You can easily have 100 salient points in a photograph. Touching 8 of them in order is the same as typing an 8-character password on an ordinary keyboard, except maybe it's easier to remember.

Or maybe it's harder.

Well of course not... (5, Insightful)

DrEldarion (114072) | more than 2 years ago | (#38465764)

Of course it's not "very good" security. Neither is Android's face unlock. Neither are PINs. Neither are passwords. etc. etc. etc.

The whole point of things like this are that they're better than no security and that people will actually use them. You can have the best security setup in the world, but if users never enable it because it's too much of a pain in the ass, then it's worthless.

Re:Well of course not... (5, Insightful)

Opportunist (166417) | more than 2 years ago | (#38466062)

I dare to disagree. Bad security can actually be worse than no security. For more than one reason.

First, the obvious one: People rely on security and act as if they're protected even though they are in fact not.

The less obvious one is that a faulty and flawed security mechanism actually offers another attack vector. To use an example from a real security problem, imagine a door without a lock and no handle, opening to the outside. Without handle or lock, the door cannot be opened from the outside, since there is no way for you to pull at it, and pushing it won't do you any good. And a good, solid oak door is quite hard to bash in. Add a lock and you not only offer a point where an attacker can actually put a hook, you also have to weaken the door to apply the lock. If the lock is now flawed and easy to pick, you actually lowered the security of the door by adding a lock.

It's the same with flawed IT security mechanisms.

Re:Well of course not... (5, Insightful)

bherman (531936) | more than 2 years ago | (#38466194)

Taking your analogy a bit further..... While you may have a more secure door without the lock, you also have what is commonly referred to as a wall. Without a way to use the door it is no longer serving its intended purpose. The most secure computer is one that is not on a network and cannot be physically accessed. Once you actually need to access it you are now weighing the tradeoff between usability and security. The picture password is intended to provide a way for users who wouldn't otherwise protect their device with a low impact way of doing so.

Re:Well of course not... (3, Insightful)

Endo13 (1000782) | more than 2 years ago | (#38466374)

Your door analogy is fundamentally flawed, because the user has to get in some way, otherwise the house (or PC) is useless. The same applies to both. On the house, sure that particular door is difficult to break into because you can't open it from the outside. But somewhere on another wall there's another door that can be opened from the outside, and will have traditional security measures.

That's the whole point of security - to allow authorized entry while making it difficult for unauthorized entry. Your suggestion of making entry impossible is mind-bogglingly stupid in this context.

Re:Well of course not... (0)

Anonymous Coward | more than 2 years ago | (#38466452)

People rely on security and act as if they're protected even though they are in fact not.

As we call it in our shop, "The Apple Effect".

Re:Well of course not... (3, Insightful)

AngryDeuce (2205124) | more than 2 years ago | (#38466066)

Exactly. The weakest point in any security system will always be the user, and unfortunately, the user is the hardest weakness to combat.

Consider forcing password changes at certain intervals: 99% of the time, the new password is the same as the old one with a variation of a single character; e.g., "Flower" becomes "Flower1". Then, next time there's a forced password change, they just set it right the hell back to "Flower", or go up to "Flower2".

Then there's the systems where the password is provided, usually gibberish alphanumeric of a certain character length. Nobody can remember that shit, so what does everyone do? Write it the hell down somewhere, or store it in a text file; usually fucking called "Passwords", because people are retards.

No matter how elaborate your security is, the user will find a way to fuck it up. A door won't be closed, a document won't be shredded, a workstation won't be locked, a security protocol won't be followed, and it's always for the sake of the user's convenience. The more of a pain in the ass it is, the more likely it will be compromised by laziness on the part of the user. That's just how people are; not all of them, but a lot of them.

I mean, stories of people getting hacked or their identities stolen are in the news all the time, and the most common user-created passwords are still ridiculous shit like "1234" and "ABCDEFG". Clearly people would rather accept the risk of a weak password for the sake of convenience. Either that or they really are retarded.

Re:Well of course not... (1)

mabhatter654 (561290) | more than 2 years ago | (#38466488)

You clearly forgot QWERTY and ASDFG!

Re:Well of course not... (1)

Tom (822) | more than 2 years ago | (#38466222)

"good" is a relative measure. A code of 4 numbers can be good security for your garden shed, and passwords are entirely sufficient for most stuff online (really, how much security do your various forum accounts need? What's the threat level?).

Yes, making security hard is the wrong approach, it does make people circumvent it. No, dumbing it down so they use it, but it doesn't really provide any security anymore is the wrong answer, because it generates a false sense of security, and that is much worse than having no security, but knowing that you don't.

comment from the article (0, Flamebait)

Brian Boitano (514508) | more than 2 years ago | (#38465766)

"It's more like a Fisher-Price toy than a serious choice for secure computer access,"

Nuff said.

Re:comment from the article (0)

Anonymous Coward | more than 2 years ago | (#38466054)

Indeed. "Nuff said" is stunningly ignorant. Take a look at the Windows 8 blog and the two articles concerning picture security and the maths behind it.

http://blogs.msdn.com/b/b8/

It is surprisingly secure. Even if you approx what the user did it gets hard to get the combination right. Look at the numbers, THEN comment.
People have already demonstrated that on-screen touch keyboards are not secure - you can see the blip of light with each touch.

This is just another login method and it is not as weak or trivial as people think. Don't take my word for it. Put your bias aside (as I did) and read the two blog articles on it.

And of course, the author of this Fisher Price comment is running a company selling three factor security solutions, not single factor logins. He has an agenda. It's good publicity for him.

Re:comment from the article (2)

Hooya (518216) | more than 2 years ago | (#38466536)

The "things" that matter the most to me, my most valuable "things", are protected by a flimsy wooden door with easily breakable hinges and easily pickable locks - my wife and kids. I would think if you apply your logic, then unless your wife and kids were locked up in a vault in, say, fort knox, you would consider it insecure?

My point being that it's a risk/reward thing. If you have something on your tablet that needs 3 factor authentication, you would have 3 factor authentication. But not everything needs 3 factor authentication. I don't need to lock up my family in fort knox. Just like I don't need what I have on my tablet to be protected by a 3 factor auth.

That's not the main problem (0)

Anonymous Coward | more than 2 years ago | (#38465770)

A camera can also record someone typing in an alphanumerical password as well, so the same argument applies there. No, the main problem with any authentication system that doesn't require you to lift your finger from the screen is that if the owner of the phone is like most people, they'll probably leave a nice greasy streak right from start to finish. Or the other way around, not like it costs much to check...

It also leaves smudges (3, Insightful)

Piata (927858) | more than 2 years ago | (#38465776)

I could unlock my friend's Android phone just by studying the smudge patterns on the touchscreen. I imagine this would be just as easy.

Re:It also leaves smudges (1)

QuasiSteve (2042606) | more than 2 years ago | (#38465922)

I've always wondered why Android's grid unlock function didn't allow a 'cell' to be hit more than once. ThrottleLock - a lock screen 'app' for Windows Mobile - does allow this.

In addition, you would fail miserably with my pattern, even though it's only three swipes, because although you can't hit a 'cell' more than once, you can certainly swipe over it more than once - but you'd need more than a cursory glance at the light reflecting off of it to figure that one out.

Plus this would only really work well if the user recently unlocked and didn't swipe the screen otherwise. Who does that?

Re:It also leaves smudges (1)

viperidaenz (2515578) | more than 2 years ago | (#38466092)

Not if they used this [socialtimes.com]

Re:It also leaves smudges (0)

Anonymous Coward | more than 2 years ago | (#38466660)

This would be even easier using basic psychology, people are more likely to choose certain parts of an image over others, usually parts that stand out.

Keyboard (1)

Anonymous Coward | more than 2 years ago | (#38465788)

Keyboard keystrokes aren't just as easy to record?

Re:Keyboard (1)

Opportunist (166417) | more than 2 years ago | (#38466036)

Yup. But way harder to guess.

joke (-1)

Anonymous Coward | more than 2 years ago | (#38465842)

windows 8 is a total joke and will flop hard. Microsoft will soon get out of OS making for PCs and will focus only on tablets and cellphones and video games.

Re:joke (1)

Opportunist (166417) | more than 2 years ago | (#38466028)

What makes me worry about Win8 is them pressing hard to merge Win8 with their next console OS. I sincerely hope this will not be pulled through. It's already bad enough that you need a Windows Live account for more and more games you try to play on your PC, but pretty much being forced to have one gets kinda ridiculous.

And I fully expect that to happen. I just got a Windows OS based cellphone at work (not my choice, mind you...). No Zune account, no system update. Think it will be different with Win8?

I seem to recall an old standard . . . (5, Insightful)

mmell (832646) | more than 2 years ago | (#38465844)

"Something you have, something you know and something you are. Pick two out of three."

Hence, RSA tokens + passwords (something you have + something you know)

Smart cards + biometrics (not perfect, but something you have + something you are)

Or even all three, for the truly paranoid (smart card + biometric scan + password)

Even with all three, a sufficiently determined entity with sufficient resources can overcome it. Video recording + physical acquisition of the owned object + physical acquisition of the biometric object (hope it's just a fingerprint scan and not a retinal scan!) will get an intruder past the security trifecta.

What next, DNA + mind scan + a password > 512 bytes?

Re:I seem to recall an old standard . . . (5, Insightful)

Anrego (830717) | more than 2 years ago | (#38465906)

It has to scale to the requirement for security.

My slashdot account doesn't need three factor authentication, however I wish my bank would have at least 2 (seriously, I've yet to find any banks in Canada, let alone my province (Nova Scotia) that offer something beyond a password. The hell!).

Re:I seem to recall an old standard . . . (0)

Anonymous Coward | more than 2 years ago | (#38466154)

Your bank may be using two-factor authentication without you realizing it. For example, my credit union also appears to just require a password (something you know). However, if you type the password with an unusual rhythm (something you are), the login attempt is rejected. Knowing the password isn't enough -- you need to type it the same way I type it.

Re:I seem to recall an old standard . . . (1)

Tom (822) | more than 2 years ago | (#38466176)

mobile TANs are a relative of two-factor authentication, as they employ a secondary channel to transmit the TAN. You could say it's something you know (the password or PIN you needed to set up the transaction) and something you have (the phone that gets the SMS with the TAN), but that's a simplification.

Re:I seem to recall an old standard . . . (1)

blahplusplus (757119) | more than 2 years ago | (#38466382)

You can compensate for password only by using randomly generated long passwords and save them with a program like Roboform so you don't have to remember or type them in.

http://www.roboform.com/ [roboform.com]

Re:I seem to recall an old standard . . . (0)

Anonymous Coward | more than 2 years ago | (#38466462)

My bank requires a pin and a password, but they are entered on the same screen, so not really layered security. I wish banks would give people the option of having higher security, so the dolts can continue to get ripped off and the rest can at least have a chance.

Re:I seem to recall an old standard . . . (0)

Anonymous Coward | more than 2 years ago | (#38466494)

RBC uses two authentication levels and are talking about implementing a third. They're in Nova Scotia.

Re:I seem to recall an old standard . . . (1)

Anrego (830717) | more than 2 years ago | (#38466502)

Last I checked that was only available to corporate customers .. unless they've started rolling it out for everyone (which would be awesome) not much good to me.

Re:I seem to recall an old standard . . . (1)

Opportunist (166417) | more than 2 years ago | (#38465996)

Every time I read something like this, Monkey Island and the escape from the cannibals come to mind. People secure their door with ever increasingly complicated locks and ignore the fact that the burglar might just come through the wall.

Seriously, I've had more audits where it was easier to just ignore the login procedure and punch a hole into the "wall".

Re:I seem to recall an old standard . . . (1)

DMUTPeregrine (612791) | more than 2 years ago | (#38466040)

Biometrics are just another "something you have." George has a finger that unlocks his computer with . Sam has a knife. Now Sam has a finger that unlocks the computer formerly owned by George. The advantages of biometrics are that they are more difficult to lose and tend to be a bit harder to get away with stealing. The disadvantage is that they generally can't be changed and tend to have far worse implications if they are stolen. Biometrics are a good replacement for a username, not for a password.

Re:I seem to recall an old standard . . . (1)

PNutts (199112) | more than 2 years ago | (#38466108)

"Oprah, Barbara Walters, your wife. You gotta fuck one, marry one, kill one, go!"
Hence...

Fixed that for 'ya.

Who needs a video camera? (0)

Anonymous Coward | more than 2 years ago | (#38465858)

Just look at the smudge pattern from the oils your fingers leave behind. Then you will see *exactly* where they were dragging their finger around to log in.

I have to wipe my Android phone down every five minutes because I have oily skin.

But what if.... (0)

inode_buddha (576844) | more than 2 years ago | (#38465864)

But what if somebody used goatse for their picture password? Would you touch it? If so, where?

Windows 8 security sucks, but... (5, Funny)

HideyoshiJP (1392619) | more than 2 years ago | (#38465866)

For only $99.95, you can buy our three factor authentication software for one year! That's right, keep criminals from stealing your digital camera pictures of your cat for a nominal fee! I'm willing to bet this picture security is no less secure than typing on a keyboard that's visible on the screen and combining it with the screen smudges. Domains probably won't use this authentication anyway, or at least it'll be optional.

Re:Windows 8 security sucks, but... (0)

Anonymous Coward | more than 2 years ago | (#38466050)

My password is a digital picture of a cat you insensitive clod!

How many memorable ways can one gesture a photo? (5, Funny)

DanLake (543142) | more than 2 years ago | (#38465872)

So QUERTY becomes "Head, Shoulders, Knees and Toes". I'm guessing in many cases that the picture itself would suggest how it was to be interacted with.

Re:How many memorable ways can one gesture a photo (5, Funny)

Anonymous Coward | more than 2 years ago | (#38465964)

How the hell do you typo QWERTY?

Re:How many memorable ways can one gesture a photo (2)

doshell (757915) | more than 2 years ago | (#38466128)

I do not use a QWERTY keyboard, you insensitive clod!

Re:How many memorable ways can one gesture a photo (1)

dokebi (624663) | more than 2 years ago | (#38466210)

Because I get aoeu when I type ASDF.

Re:How many memorable ways can one gesture a photo (3, Interesting)

DanLake (543142) | more than 2 years ago | (#38466484)

How the hell do you typo QWERTY?

Good question and thank you kind AC for pointing it out. I guess it happened because my fingers don't willingly type misspelled words and I type 'query' about a million times more often than I type qwerty.

Re:How many memorable ways can one gesture a photo (1)

Daimanta (1140543) | more than 2 years ago | (#38466506)

How the hell do you typo QWERTY?

ASDFG

Re:How many memorable ways can one gesture a photo (2)

mabhatter654 (561290) | more than 2 years ago | (#38466580)

That could work if you had pictures with multiple objects. Something like cat-ball-car ... But you would need some crowd sourcing to generate the data. Or use something like Settlers of Catan pieces, or Magic the Gathering cards. Click 3 roads or 5 mana symbols.

Bonus points if you built a modular system.. So people can make their own image packs... Allowing for more "inside jokes".

Only reliable for hackers, not users? (2)

jelwell (2152) | more than 2 years ago | (#38465936)

Has he even tried this? I can't reliably login using the picture password setting, and I'm the one that set up the "password". I'm not convinced a video recording would suffice. I could, just as easily, video record your keyboard from a distance, but that's not going to net you my password very reliably either. Not unless you're a chicken pecker.
Joseph Elwell.

Re:Only reliable for hackers, not users? (1)

Em Adespoton (792954) | more than 2 years ago | (#38466340)

For that matter, you could always take a picture of the serial number on the back of an RSA key and use it to generate the correct number using the data stolen from RSA earlier this year.... combine that with video of the person entering their username and password, and you're set.

Personally, I've found image-based passwords to be more secure than pad-based ones, where there are only 10 "pixels" on the screen. Of course, you have to pick a picture that has at least 10 points someone might touch for it to be as strong.

What really makes that method bad (3, Informative)

Opportunist (166417) | more than 2 years ago | (#38465958)

You remember the passwords of the old days that your users had? That were the names of their loved ones, their birthday or the ever popular "test", "password" and "12345"?

Guess what, they'll get a revival. For the same damn reason: People have no idea about security and they don't give a fuck about it. They prefer easy to remember passwords to secure ones. Just that with picture passwords, unlike standard typed ones, it's kinda hard to implement password security standards.

Why is it more insecure than typed passwords? Well, take your average photo. Now imagine what 4 points a person might be touching in it. Can you spot more than 6 "sensible" spots? People will choose points in the picture that stand out, and there won't be many more than 4-6 points that stand out. Unless some kind of 3-strikes rule gets implemented (not bloody likely on a private computer, or even corporate computers after the helpdesk had to reset the password for the n-th time because people failed to hit the right spot on their picture), it just takes rather few attempts at "connect-the-dots" before you find one that fits.

Re:What really makes that method bad (1)

Anonymous Coward | more than 2 years ago | (#38466310)

I'm guessing you didn't read the article.

It isn't simply "touch the photo in X places". It's basically gestures; an example had a photo with four faces on it, and the "password" was "tap face #1, draw a circle around face #2, then draw a line between faces #3 and #4". Even if you assume those are the only possible gestures, that adds way more permutations than you can reasonably brute-force in the way you described.

Re:What really makes that method bad (1)

qualityassurancedept (2469696) | more than 2 years ago | (#38466518)

I read an article (although I can't find it by a simple Google search just now) that basically said that even though the 4-digit unlock code that gives access to iPhones should have 10^4 permutations, and therefore any given phone should be very hard to unlock, actually people generally only use a few of the possible number combinations, and so the unlock code is pretty guessable most of the time. In other words, rather than having to guess the unlock from every possible permutation between 0000 and 9999, in fact there is a small table of unlock codes that almost everyone will select from.
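The counting argument running through the three posts above (few salient points, gestures widening the space, users clustering on a small table of favourites) worked through as an added example; this is not code from the thread or from Windows 8, and the gesture alphabet, the point count k and the biased-choice model are assumptions for illustration.

```python
"""Guess-space estimate for a picture password (illustrative model, not
Windows 8's real algorithm)."""


def gestures_per_step(k, allow_circles=True, allow_lines=True):
    """Distinct gestures available for one step, given k salient points.

    Assumed alphabet: a tap picks one point; a circle picks one point and a
    direction (2 ways); a line joins two distinct points in a chosen order.
    """
    count = k                        # taps
    if allow_circles:
        count += 2 * k               # clockwise / counter-clockwise
    if allow_lines:
        count += k * (k - 1)         # ordered pairs of distinct points
    return count


def guess_space(k, steps, allow_circles=True, allow_lines=True):
    """Number of distinct gesture sequences of length `steps`."""
    return gestures_per_step(k, allow_circles, allow_lines) ** steps


def success_probability(space, attempts):
    """Chance that `attempts` guesses hit a secret drawn uniformly from
    `space`; the lockout threshold bounds `attempts` per reset."""
    return min(1.0, attempts / space)


def biased_success_probability(space, attempts, popular_fraction, table_size):
    """Same question when a `popular_fraction` of users pick from a small
    table of `table_size` favourites (the iPhone-PIN observation above)
    and the rest choose uniformly; the guesser tries the table first."""
    hit_popular = min(1.0, attempts / table_size)
    hit_uniform = min(1.0, attempts / space)
    return popular_fraction * hit_popular + (1 - popular_fraction) * hit_uniform


if __name__ == "__main__":
    taps_only = guess_space(6, 4, allow_circles=False, allow_lines=False)
    with_gestures = guess_space(6, 3)
    print("4 taps over 6 points:", taps_only)
    print("3 gestures over 6 points:", with_gestures)
    print("P(success) in 5 tries, taps only:", success_probability(taps_only, 5))
    print("P(success) in 5 tries, biased users:",
          biased_success_probability(10_000, 5, 0.3, 10))
```
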

It's Worked Before! (1)

morari (1080535) | more than 2 years ago | (#38466052)

Am I the only one that has seen the film adaptation of Johnny Mnemonic? Only government-sponsored dolphins will be able to crack into Windows 8 with this enabled!

Re:It's Worked Before! (0)

Anonymous Coward | more than 2 years ago | (#38466166)

u beat me to it - mod parent up up and away!

The same RSA token that was hacked this year? (2)

PNutts (199112) | more than 2 years ago | (#38466058)

To be fair he *is* an expert in poor security.

Weaker than SAM?! (0)

Anonymous Coward | more than 2 years ago | (#38466060)

Of course, by simply running a utility off of a boot CD, such as Hiren's, you can delete the SAM file which stores Windows passwords. Can be done in just a couple minutes, and it works every time (all right, I have seen it fail - once).

Make the Picture Move (0)

Anonymous Coward | more than 2 years ago | (#38466084)

Have the picture move to different locations on the screen randomly, while also stretching and shrinking. This way no one can discern repeated heavy smudging on the screen, although on a touchscreen device the password smudges might get lost in the normal use gestures.

But having the picture scale to different sizes and move itself about the screen at each individual login should increase security.

Lame - most people click on same things (1)

bussdriver (620565) | more than 2 years ago | (#38466168)

Lame - most people click on the same things; years ago somebody did this on a website along with stats on the clicks, and you could easily see that people picked the same stuff, just like they do with passwords... except passwords are far more flexible than a few x/y coordinates. Sure, you could save a ton of them trying to make a simple signature, which would help greatly, but it wouldn't be any greater than a signature, which is something that doesn't compare to a decent password.

I'm sure we will hear of people having to calibrate their touch screens, wash their hands, configure a new touch screen, or leave wear marks on their login screen. At least with a keyboard you touch it to use it for a lot of purposes besides login, and because it's a simple array of buttons there is less to go wrong or configure (try configuring something when you can't log in).

Children & dorms (1)

GWBasic (900357) | more than 2 years ago | (#38466160)

I'm sure it'll keep young children out, and keep the prankster in your dorm from loading up your computer with gay porn.

The only real solution (0)

Anonymous Coward | more than 2 years ago | (#38466230)

Keep the device in a time-lock safe, requiring that you and a trusted individual both turn your keys at the same time, and then you both enter your combinations. Awww fuckit. Nuke from orbit.

Microsoft implements something with poor security? (0)

s.petry (762400) | more than 2 years ago | (#38466284)

Do we expect anything else from them? Nothing new to see here, but it is always refreshing to see the M$ Fanboys come out and say "really, it's the bestest thing ever!"

Use a keyboard picture (0)

Anonymous Coward | more than 2 years ago | (#38466338)

If you're not comfortable with all this, you can place a keyboard photo and "type" a password.

Obscured Passwords (0)

Anonymous Coward | more than 2 years ago | (#38466344)

While we're on the subject, can we all agree that mandatory obscured password fields are a relic of antiquated thinking? Look, I get it... someone might look over my shoulder. But in reality nobody is. My work monitor faces a wall, my home PCs are... well, in my home, my smartphone is barely able to be read at my own arm's length... frankly, it's the very unusual scenario where I have even the slightest concern of someone seeing me type a password. And yet at least a dozen times a day (no exaggeration) I'm forced to retype a failed login attempt because my company security policy requires 12-digit alphanumeric mixed-case no-dictionary-word passwords. Would it really be so tragic if I were allowed to watch myself type a password?

Simple solution... (1)

stevenfuzz (2510476) | more than 2 years ago | (#38466372)

Use a picture of a keypad.

Re:Simple solution... (1)

qualityassurancedept (2469696) | more than 2 years ago | (#38466456)

Works fine for the PIN numbers on debit cards.

Next year (0)

zammer990 (2225956) | more than 2 years ago | (#38466610)

Next year what will we have? "Think of a word *scanned and recorded*, now think of a picture *scanned and recorded*, now give us a skin sample *scanned and recorded*, now enter a 755-digit password (note this password can contain any character and your smart phone will give you them all, from Wingdings to hieroglyphics)." Then after all that, anyone who wants to get your birthday pictures and home porno just has to grab your phone while you're using it.