Thinking of swapping your trusty typed log-in passwords for one of Windows 8’s fancy picture passwords? That may be a bad idea, as a new paper published by researchers at Arizona State University and Delaware State University suggests that they may be a bit too easy to crack.
Microsoft’s Picture Gesture Authentication (PGA) system lets you draw three gestures on an image with your finger or stylus on a touch-based machine, or with a mouse on a standard laptop or desktop, which can then be used as a password. Images can be drawn from your personal photos stored in the Windows 8 Picture Library, or from a default set offered up by the OS.
However, the gestures can’t be freely applied: the OS automatically normalises whatever you draw into one of three gesture types, a tap, a line or a circle. On top of that, researchers using a custom web-based PGA system similar to the Windows one found that users anchored their gestures on prominent points of interest in the picture, such as a person’s nose or a standout object in the image.
Quizzing 685 respondents, the project found that just 9.8% said they randomly chose to draw without considering the background image, while 60.3% admitted that they looked for locations where “special objects” were, 22.1% where “special shapes” were, and 8.3% where “colours are different from their surroundings”.
The researchers then applied these findings to create an experimental model and attack framework, generating algorithms based on the user data to crack a series of PGA passwords. Working within the Windows 8 limit of five log-in attempts, the researchers were able to crack 48% of passwords from unseen pictures in the first dataset, and 24% in a second dataset.
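The argument in the two paragraphs above is essentially a keyspace argument: normalising every stroke into a tap, a line or a circle, and then drawing those gestures on a handful of obvious points, leaves far fewer passwords than the picture suggests. The following Python model makes that concrete. It is an added example written for this article, not code from the paper or from Microsoft, and its parameters are assumptions: a 100 x 100 position grid, 50 distinct circle radii, and a user who only ever anchors gestures on about ten points of interest. It counts the nominal space, the space under the point-of-interest assumption, and the success probability of a five-attempt guessing budget when the password is chosen uniformly from each space.

```python
from math import log2

# Assumed model parameters (constructed for this example, not taken from the paper or from
# Microsoft's implementation): gesture positions are quantised to a GRID x GRID lattice and a
# circle may take one of RADII distinct radii.
GRID = 100
RADII = 50
ATTEMPTS = 5  # the Windows 8 log-in attempt limit mentioned in the article


def gesture_space(points: int, radii: int) -> int:
    """Number of distinct single gestures when every gesture must be anchored on one of `points`
    positions.  tap: one position; line: an ordered pair of distinct positions (direction
    matters); circle: centre position x radius x drawing direction (clockwise or anticlockwise)."""
    taps = points
    lines = points * (points - 1)
    circles = points * radii * 2
    return taps + lines + circles


def password_space(points: int, radii: int, n_gestures: int = 3) -> int:
    """A PGA password is an ordered sequence of n_gestures gestures (three in Windows 8)."""
    return gesture_space(points, radii) ** n_gestures


def entropy_bits(space: int) -> float:
    """Bits of entropy if the password were chosen uniformly from `space`."""
    return log2(space)


def guess_success(space: int, attempts: int) -> float:
    """Probability that `attempts` distinct guesses hit a password drawn uniformly from `space`.
    Uniform choice is the user's best case; the survey figures show real choices are far from it."""
    return min(1.0, attempts / space)


def compare(poi_points: int = 10, poi_radii: int = 3) -> dict:
    """Nominal space versus the space when the user sticks to `poi_points` points of interest
    and a few plausible radii (both counts are assumptions of this model)."""
    nominal = password_space(GRID * GRID, RADII)
    poi = password_space(poi_points, poi_radii)
    return {
        "nominal_bits": entropy_bits(nominal),
        "poi_bits": entropy_bits(poi),
        "nominal_p5": guess_success(nominal, ATTEMPTS),
        "poi_p5": guess_success(poi, ATTEMPTS),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.3g}")
```

Under this model the ten-point assumption already drops the password from roughly 80 bits to about 22 bits, yet five uniformly distributed guesses would still succeed only around one time in a million. The 48% figure the researchers report is therefore not explained by the smaller space alone; it reflects how predictably users order their choices within it, which is exactly what their trained guessing model exploits. The defensive reading is that the usable strength of a PGA password is set by the predictability of the choice, not by the size of the picture, and that the five-attempt lockout is the control keeping an online guess at these rates rather than higher.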
While not showing the password system to be a total cakewalk to crack, the research certainly shows the PGA to be at the very least no better than a standard alphanumeric code. If you insist on using the PGA system, avoid family photos then, and go for something trippy like a Magic Eye image instead.