colinneagle (2544914) writes "We all know text-based passwords are not overly secure, so when Microsoft offered a Picture Gesture Authentication (PGA) system on Windows 8, many people chose that option. However, researchers at Arizona State University, Delaware State University and GFS Technology Inc. analyzed picture gesture authentication on more than 10,000 picture passwords collected from more than 800 subjects through online user studies, and found that regardless of what image you selected, your unique picture password gestures may not be so unique after all.
The research found that the strength of a picture gesture password has a "strong connection" to how long a person spent setting up that password gesture. The most common gesture combination is three taps, meaning it took about 4.33 to 5.74 seconds to set up. Passwords with two circles and one line took the longest average input time of about 10.19 seconds. After studying why people choose certain categories of images, the most common gesture types and direction patterns in PGA passwords, the researchers developed an attack framework that is "capable of cracking passwords on previously unseen pictures in a picture gesture authentication system.""