
Windows 8's Picture Passwords Weaker Than Users Might Hope

timothy posted about 8 months ago | from the they-look-fine-at-fort-meade dept.


colinneagle writes with word of work done by researchers at Arizona State University, Delaware State University and GFS Technology Inc., who find that the multiple-picture sequence security option of Windows 8 suffers from various flaws -- some of them specific to a password system based on gestures, and some analogous to weaknesses in conventional passwords entered by keyboard. "The research found that the strength of a picture gesture password has a 'strong connection' to how long a person spent setting up that password gesture. The most common gesture combination is three taps, meaning it took about 4.33 to 5.74 seconds to set up. Passwords with two circles and one line took the longest average input time of about 10.19 seconds. After studying why people choose certain categories of images, the most common gesture types and direction patterns in PGA passwords, the researchers developed an attack framework that is 'capable of cracking passwords on previously unseen pictures in a picture gesture authentication system.'"
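The summary's two findings (users gravitate to a few gesture compositions such as three taps, and to obvious points of interest in the picture, so an attacker who knows both needs far fewer guesses than the raw grid suggests) can be turned into a simple strength check. The code below is an added illustration, not from the paper, from Microsoft, or from any Slashdot poster. It assumes a constructed model: the picture is normalised to a GRID_W x GRID_H grid of cells, a gesture is a tap, a line or a circle, and a caller-supplied list of points of interest (faces, eyes, objects) approximates what the research found people actually pick. The numbers it produces are for comparing choices against each other, not a claim about Windows 8's real gesture space.

```python
"""Toy strength estimator for a three-gesture picture password.

Constructed model (an assumption for this example, not Windows 8's design):
- the picture is normalised to GRID_W x GRID_H cells,
- a tap is one cell, a line is an ordered pair of cells, a circle is a
  centre cell plus a radius (in cells) and a direction,
- an attacker is assumed to know the points of interest (POIs) in the
  picture and to try those first, as the summarised research suggests.
"""
from dataclasses import dataclass
from math import log2
from typing import Optional

GRID_W, GRID_H = 100, 56            # constructed: 16:9 picture, long side = 100 cells
CELLS = GRID_W * GRID_H
POI_SNAP = 3                        # cells of slack to count a gesture as "on" a POI
RADII = min(GRID_W, GRID_H) // 2    # distinct circle radii the model allows

Point = tuple[int, int]

# Constructed sample: three faces/objects an attacker would try first.
SAMPLE_POI: list[Point] = [(20, 18), (60, 18), (40, 40)]


@dataclass(frozen=True)
class Gesture:
    kind: str                     # "tap", "line" or "circle"
    start: Point                  # tap cell, line start, or circle centre
    end: Optional[Point] = None   # line end point
    radius: int = 0               # circle radius in cells
    clockwise: bool = True        # circle direction

    def anchors(self) -> list[Point]:
        """Cells the user chose freely for this gesture."""
        if self.kind == "tap":
            return [self.start]
        if self.kind == "line":
            if self.end is None:
                raise ValueError("line needs an end point")
            return [self.start, self.end]
        if self.kind == "circle":
            if not 1 <= self.radius <= RADII:
                raise ValueError("circle radius out of range")
            return [self.start]
        raise ValueError(f"unknown gesture kind {self.kind!r}")


def near_poi(cell: Point, poi: list[Point]) -> bool:
    """Chebyshev distance from cell to any POI is within POI_SNAP."""
    return any(max(abs(cell[0] - x), abs(cell[1] - y)) <= POI_SNAP for x, y in poi)


def gesture_space(g: Gesture, poi: list[Point]) -> int:
    """Alternatives an attacker who knows `poi` must try for one gesture.

    A cell that sits on a POI is worth only len(poi) guesses; a free cell is
    worth every cell in the grid. Circles also carry radius and direction.
    """
    space = 1
    for cell in g.anchors():
        space *= len(poi) if near_poi(cell, poi) else CELLS
    if g.kind == "circle":
        space *= RADII * 2
    return space


def assess(gestures: list[Gesture], poi: list[Point]) -> dict:
    """Compare the nominal search space with the POI-aware effective one
    and flag the weak choices the research summary singles out."""
    if len(gestures) != 3:
        raise ValueError("the model expects exactly three gestures")
    nominal = effective = 1
    for g in gestures:
        nominal *= gesture_space(g, [])       # no POI knowledge: full grid
        effective *= gesture_space(g, poi)    # attacker knows the POIs
    warnings = []
    if {g.kind for g in gestures} == {"tap"}:
        warnings.append("all three gestures are taps (the most common composition)")
    if all(near_poi(c, poi) for g in gestures for c in g.anchors()):
        warnings.append("every gesture is anchored on a point of interest")
    return {
        "nominal_space": nominal,
        "effective_space": effective,
        "nominal_bits": round(log2(nominal), 1),
        "effective_bits": round(log2(effective), 1),
        "warnings": warnings,
    }


if __name__ == "__main__":
    weak = [Gesture("tap", p) for p in SAMPLE_POI]          # three taps on the faces
    strong = [Gesture("line", (5, 5), end=(90, 50)),
              Gesture("circle", (30, 30), radius=10, clockwise=False),
              Gesture("tap", (80, 5))]
    for label, pw in (("weak", weak), ("strong", strong)):
        print(label, assess(pw, SAMPLE_POI))
```

The point the numbers make is the one in the summary: three taps on the obvious features collapse to a handful of guesses once the attacker models where people tap, while mixed gesture types anchored away from the points of interest keep the whole grid in play.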


And that's why (0)

Anonymous Coward | about 8 months ago | (#44769603)

That's why I bought a Saturn.

Re:And that's why (1)

Anonymous Coward | about 8 months ago | (#44770933)

That's why the one finger salute isn't a good picture password any longer since it became the popular reaction after trying to use Win8.

Boop! (3, Funny)

Anonymous Coward | about 8 months ago | (#44769681)

Apparently circling the guy's bald head, and booping the girls on the noses is the 12345 of picture password gestures.

GIGO (-1)

Anonymous Coward | about 8 months ago | (#44769711)

How many used a Bill Gates pic and the "gesture" o|o?

I don't think I have yet to hear anyone say anything good about Windows 8.x.

Re:GIGO (1)

chuckinator (2409512) | about 8 months ago | (#44774331)

I don't understand why a bunch of Fisher-Price crap belongs on a computer in the first place unless you've got a 3-year-old. I would still keep the access controls locked down to an adult level.

Not good idea to use passwords a monkey can enter (4, Funny)

JoeyRox (2711699) | about 8 months ago | (#44769717)

Three bananas and I can get my monkey to crack any gesture-based Windows 8 password. And for an additional banana he'll even throw his feces at the screen.

Re:Not good idea to use passwords a monkey can ent (5, Funny)

Jeremiah Cornelius (137) | about 8 months ago | (#44769781)

Three bananas and I can get my monkey to crack any gesture-based Windows 8 password. And for an additional banana he'll even throw his feces at the screen.

Windows 8?

Who DOESN'T throw their feces at the screen?

Re:Not good idea to use passwords a monkey can ent (4, Funny)

roc97007 (608802) | about 8 months ago | (#44770059)

My boss hates it when we do that.

Re:Not good idea to use passwords a monkey can ent (2)

Jeremiah Cornelius (137) | about 8 months ago | (#44770179)

My boss hates it when we do that.

You STILL workin' for Ballmer!??!

Re: Not good idea to use passwords a monkey can en (2)

jd2112 (1535857) | about 8 months ago | (#44770503)

You misunderstand. Ballmer is the monkey.

Re: Not good idea to use passwords a monkey can en (0)

Anonymous Coward | about 8 months ago | (#44770849)

No monkey would manage to cause that much damage to Microsoft. Ballmer is rms.

Re: Not good idea to use passwords a monkey can en (0)

Anonymous Coward | about 8 months ago | (#44774349)

If Ballmer were RMS, Windows would be GPLed.

Re:Not good idea to use passwords a monkey can ent (0)

Anonymous Coward | about 8 months ago | (#44772659)

In Soviet Russia, Windows 8 throws feces at you.

Re:Not good idea to use passwords a monkey can ent (0)

Anonymous Coward | about 8 months ago | (#44771589)

Most people don't even set a password on their iPhone, iPod, etc. ... slide to unlock.

Another nonstory.

Re:Not good idea to use passwords a monkey can ent (1)

JasterBobaMereel (1102861) | about 8 months ago | (#44772715)

Obligatory xkcd "https://xkcd.com/936/"

Re:Not good idea to use passwords a monkey can ent (0)

Anonymous Coward | about 8 months ago | (#44774435)

OK, what was the password?

Ah, yes, I remember: Horse Battery Staple Correct.

Oh no, that wasn't right. Wait, I think the Horse was close to Correct. So: Battery Staple Correct Horse.

No, that wasn't right either. But the horse was correct about the battery staple ... ah: Horse Correct Battery Staple.

Oh no, I've used up my three tries.

Re:Not good idea to use passwords a monkey can ent (0)

Anonymous Coward | about 8 months ago | (#44772917)

Obligatory youtube szhs8BjgYH8 [youtube.com] .

It was never intended to be super strong (4, Informative)

Barlo_Mung_42 (411228) | about 8 months ago | (#44769795)

There is also an option to log in with a pin like on a phone. Both are meant there for convenience, not to be a strong lock. In order to take advantage of either an attacker would need physical access.

Re:It was never intended to be super strong (5, Insightful)

HideyoshiJP (1392619) | about 8 months ago | (#44769923)

Exactly this. Passwords like picture and PIN passwords are meant to keep your kids from installing software and/or getting to your porn collection/browser history. These types of passwords aren't exactly meant to keep you safe from more nefarious individuals.

Re:It was never intended to be super strong (0)

Anonymous Coward | about 8 months ago | (#44770159)

Same goes for BIOS passwords.

Re:It was never intended to be super strong (1)

Xicor (2738029) | about 8 months ago | (#44770987)

The objective of a BIOS password is to keep someone from accessing the BIOS. If you want to keep someone off your computer, you encrypt your hard drive.

Re:It was never intended to be super strong (1)

Demonantis (1340557) | about 8 months ago | (#44771681)

BIOS passwords reset if you short out pins on the mobo. That is what he was trying to say. Physical access means you are screwed even if you encrypt, since a keylogger could be installed. Or nearby access where they can pull the keystrokes from the air. [theregister.co.uk]

Re:It was never intended to be super strong (1)

jones_supa (887896) | about 8 months ago | (#44772533)

A BIOS password would still improve security. It would take more time for the attacker to open the case, find the location of the reset pins, reset the CMOS settings and close the case. If the attacker is only after the low-hanging fruit, he might not even bother to open the machine and go away. Or maybe the attacker does not even know that you could reset the p/w by shorting out a couple of pins.

So, even if some security feature isn't perfect, it might add some extra obstacles to the attacker, which is still a good thing.

Re:It was never intended to be super strong (1)

Xicor (2738029) | about 8 months ago | (#44774299)

If you REALLY want to protect something, nest encrypted drives inside other encrypted drives.

Re:It was never intended to be super strong (1)

f3rret (1776822) | about 8 months ago | (#44774723)

A BIOS password would still improve security. It would take more time for the attacker to open the case, find the location of the reset pins, reset the CMOS settings and close the case. If the attacker is only after the low-hanging fruit, he might not even bother to open the machine and go away. Or maybe the attacker does not even know that you could reset the p/w by shorting out a couple of pins.

So, even if some security feature isn't perfect, it might add some extra obstacles to the attacker, which is still a good thing.

You don't really need to find the CMOS reset jumper, just yank the battery from the mobo and the thing will reset as well. Sure, the computer will throw up a warning next time you boot it, but many computers will do that too if you reset the BIOS via the switch.

Re:It was never intended to be super strong (0)

Anonymous Coward | about 8 months ago | (#44772099)

Yes, but you could disable DHCP in your LAN to make it a fortress!

Re:It was never intended to be super strong (1)

jones_supa (887896) | about 8 months ago | (#44772559)

Pah, amateurs! At least enable NAT, which is a synonym to "ultimate firewall". To remove the last doubt of security, hide your WiFi SSID, which means your network is completely cloaked like a stealth fighter.

Re:It was never intended to be super strong (0)

lxs (131946) | about 8 months ago | (#44770003)

In the future please write that as PIN.
I spent five minutes wondering how you log in by sticking a pin in a phone and why that would be the secure option.

Re:It was never intended to be super strong (1, Insightful)

Anonymous Coward | about 8 months ago | (#44770139)

Five minutes huh? Are you retarded?

Re:It was never intended to be super strong (1)

cheater512 (783349) | about 8 months ago | (#44770549)

It is an important distinction to make.

Some security researchers a while ago did break into a secure door lock with just a pin (not PIN) poked through an LED.
Do it properly and you short two contacts which unlock the door without the correct PIN.

Re:It was never intended to be super strong (1)

Anonymous Coward | about 8 months ago | (#44770023)

Also, you only get 3 chances before you need to use the real password.

Why did this tech ever make it out of the lab (0)

Anonymous Coward | about 8 months ago | (#44769851)

I can see how it might be interesting to study at University level. Heck it might even be a long project depending on what was available at the time to implement it. But how on earth does this crap make it into a commercial OS, let alone a leading one? It's clear that for the last few years we've had marketing and very flawed engineering teams running the show when this sort of thing actually becomes a feature.

Re:Why did this tech ever make it out of the lab (1)

RaceProUK (1137575) | about 8 months ago | (#44773375)

Not everyone requires enterprise-grade security. Sometimes all you need is enough to deter people, and these 'picture passwords' fit that requirement nicely.

Yawn (0, Troll)

Anonymous Coward | about 8 months ago | (#44769909)

I'm not sure who hopes and expects less from whom. The users from MS, or MS from its users. In any case, it's just business and bs as usual out of Redmond.

another poor article (1)

Anonymous Coward | about 8 months ago | (#44770171)

The technology is not weaker at all. It simply suffers the same problem as all user-generated input: users pick simple passwords, and simple passwords can be hacked. Those that think a bit and create a complex picture password actually have a significantly more secure local authentication system.

psychology too (2)

holophrastic (221104) | about 8 months ago | (#44770385)

Yes, and general psychology can also predict what a person would choose on a given image -- i.e. what they consider foreground.

Good news, we have a dumb solution to the problem. "Your gesture must include at least one background element, one foreground element, and one circle."

Uhuh.

Re:psychology too (1)

Em Adespoton (792954) | about 8 months ago | (#44770427)

Yes, and general psychology can also predict what a person would choose on a given image -- i.e. what they consider foreground.

Good news, we have a dumb solution to the problem. "Your gesture must include at least one background element, one foreground element, and one circle."

Uhuh.

I like picture passwords... they let me provide a distraction while I write "12345" on the trackpad, irrespective of the image displayed. Of course, the benefit of this would be gone if everyone started doing it; but the security is roughly similar to entering a password with a keyboard (as long as you pick a strong one).

Re:psychology too (1)

LordLimecat (1103839) | about 8 months ago | (#44771941)

but the security is roughly similar to entering a password with a keyboard

Not really, but it's good to see security theatre is alive and well.

Well (2)

Lirodon (2847623) | about 8 months ago | (#44770595)

As a joke while testing one of the betas, I tried to see if I could beat my friend's picture password. Somehow I got it on the first try.

multiple-picture sequence security (1)

dbIII (701233) | about 8 months ago | (#44772239)

Are Microsoft future-proofing against a collapse of the US education system or something?

Re:multiple-picture sequence security (0)

Anonymous Coward | about 8 months ago | (#44772523)

Are Microsoft future-proofing against a collapse of the US education system or something?

No. They are adapting to their current user base. The education system collapsed long ago.

Swipe passwords are weak (2)

LoRdTAW (99712) | about 8 months ago | (#44773471)

When I received my first Android phone some years back I used the screen lock which uses the 3x3 pattern of circles or dots and a swipe pattern. It didn't take long for me to realize that when you swipe the screen you leave behind a big smudged trail of finger grease across the screen. If you hold the phone sideways in the light or use a bright flashlight, the smudged grease trail completely gives your swipe password away, including the beginning and end. The start of the trail is a big blotch while the tail end is faded as you lift your finger. Now this trail can be wiped off purposefully by the user or accidentally by means of placing it in a pocket/purse where the user's body movement jostles the phone around, polishing the screen clean. But if you leave your phone out or store it in such a way that the screen does not get cleaned by clothing or purse, then you're in trouble.

I have unlocked a few of my friends' phones using the little LED flashlight I carry as a party trick, and they were stunned. Most of them had very simple patterns requiring little effort. Even my swipe password is weak, but using all nine dots in an obscure manner is difficult or clumsy.

I would imagine the Windows 8 picture touch password suffers the same problem as you can look at the screen and see where it was touched and guess the pattern.
