Monday, December 19, 2011

Windows 8 Picture Passwords: Smudging Your Finger for Security

Who needs long, archaic passwords full of letters, numbers, and characters when you can just circle a picture of your cat's head to log into your operating system?

Sound silly? Well, it's a new feature Microsoft is building into Windows 8 to supplement the ordinary text passwords that we've all been using on our desktops for countless years. And whether you're smearing your finger across the touchscreen of your desktop PC or drawing circles with your trusty mouse cursor, the picture password promises increased speed and security compared to a string of text characters.

"The experience of signing in to your PC with touch has traditionally been a cumbersome one," writes Microsoft's Steven Sinofsky, president of the company's Windows and Windows Live division. "In a world with increasingly strict password requirements—with numbers, symbols, and capitalization—it can take upwards of 30 seconds to enter a long, complex password on a touch keyboard."

Picture passwords change the game – and the time it takes to log in – on two fronts. First off, you're the one responsible for selecting the picture and up to three different gesture combinations that you use to interact with it. That offers additional avenues for security that conventional PINs and text passwords just don't have. For example, it would be relatively easy for a person to test the waters of your desktop's text password security if they had access to your personal information or a list of passwords you've used elsewhere: many computer users choose passwords with some kind of personal significance or, worse, repeat the same password across a number of different accounts.

A picture, on the other hand, comes with a significance that only you understand. Whether you're tapping on all the faces of relatives whose names start with "G," drawing a line through cats you once owned, or circling the spot where you proposed to a significant other, the subtext of your touch-based password can't be easily determined even if someone else can correctly identify everyone in the shot.

Better still, Microsoft says picture passwords are statistically comparable to conventional, typed-in passwords.

"The use of three gestures provides a significant number of unique gesture combinations and a similar security promise to a password of 5 or 6 randomly chosen characters," writes Sinofsky. "Additionally, using three gestures ensures a Picture Password that is easy to remember and quick to use."

Sinofsky runs through the full mathematics behind his security statement in a long post on Microsoft's "Building Windows 8" blog. He also describes the additional security measures in place against those looking to just draw all over a user's touchscreen in an attempt to gain access to the OS. After five failed attempts on a picture password, Windows 8 requires a user to use a text password for entry – picture passwords are designed as a supplement to the conventional password system, not a replacement, Sinofsky writes.

So while you might be able to draw circles on an image of your favorite cats to log into your desktop, don't forget your master text password – the 32-character combination of their names and birthdays – just yet.

