Windows 8 picture passwords easy to crack, says new security report


Thinking of swapping your trusty typed log-in password for one of Windows 8's fancy picture passwords? That may be a bad idea: a new paper by researchers at Arizona State University and Delaware State University suggests that picture passwords are rather easier to guess than you might expect.

Microsoft's Picture Gesture Authentication (PGA) system lets you draw three gestures on an image, with a finger or stylus on a touch-based machine or with a mouse on a standard laptop or desktop, and use that sequence of gestures as a password. The image can be taken from your personal photos in the Windows 8 Picture Library, or from a default set offered by the OS.

However, the gestures can't be drawn freely: the OS automatically converts whatever you draw into one of just three gesture types, a tap, a line or a circle, which already limits the space an attacker has to search. On top of that, researchers using a custom web-based PGA system similar to the Windows one found that users tended to place their gestures on prominent points of interest in the picture, such as a person's nose or a standout object.

Quizzing 685 respondents, the project found that only 9.8% said they chose where to draw at random without considering the background image, while 60.3% admitted that they looked for locations where "special objects" were, 22.1% where "special shapes" were, and 8.3% where "colours are different from their surroundings".

The researchers then used these findings to build an experimental model and attack framework: algorithms trained on the user data rank likely gesture sequences for a given picture, and the top-ranked guesses are tried first. Keeping Windows 8's limit of five log-in attempts in mind (after five failed gestures Windows falls back to the text password), the researchers were able to crack 48% of passwords on pictures their model had not seen before in the first dataset, and 24% in a second dataset.
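To make the attack concrete, here is a toy model of the idea described above. It is an added example and not code from the researchers or from Microsoft: the 100-unit grid, the matching tolerance, the salience weights, the scoring rule and the sample photo (nose, flower, hat, corner) are all constructed assumptions, not Windows' real matching rules or the paper's model. What it shows is the shape of the attack: gestures are normalised to tap/line/circle, a verifier accepts a gesture if it lands close enough to the stored one, an attacker builds candidate gestures anchored on points of interest, ranks the ordered triples by how salient the anchors are, and spends the five permitted attempts on the best-ranked guesses.

```python
"""Toy picture-gesture login plus a point-of-interest (POI) guessing attack.
Added illustration; grid size, tolerance, weights and the sample photo are
assumptions, not Windows' or the researchers' actual parameters."""
from itertools import permutations
import math

GRID = 100          # assumed: gesture coordinates live on a 100x100 grid
TOLERANCE = 6.0     # assumed slack when comparing two gestures, in grid units
MAX_ATTEMPTS = 5    # the article's Windows 8 lock-out after five failed tries

# Gesture encoding used throughout:
#   ("tap", (x, y))
#   ("line", (x1, y1), (x2, y2))           direction matters
#   ("circle", (cx, cy), radius, "cw"|"ccw")


def _close(a, b):
    return math.dist(a, b) <= TOLERANCE


def gesture_matches(stored, entered):
    """Tolerant comparison (assumed rules): same type, same direction, and
    every anchor point within TOLERANCE of the stored one."""
    if stored[0] != entered[0]:
        return False
    if stored[0] == "tap":
        return _close(stored[1], entered[1])
    if stored[0] == "line":
        return _close(stored[1], entered[1]) and _close(stored[2], entered[2])
    return (_close(stored[1], entered[1])
            and abs(stored[2] - entered[2]) <= TOLERANCE
            and stored[3] == entered[3])


def password_matches(stored, entered):
    return len(stored) == len(entered) == 3 and all(
        gesture_matches(s, e) for s, e in zip(stored, entered))


class PictureLogin:
    """Minimal account: three stored gestures and a five-attempt lock-out."""

    def __init__(self, gestures):
        self._gestures = list(gestures)
        self.failures = 0
        self.locked = False

    def try_login(self, attempt):
        if self.locked:
            return False
        if password_matches(self._gestures, attempt):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True   # real Windows falls back to the text password
        return False


def candidate_gestures(pois):
    """Single gestures anchored on POIs, each with an integer score derived
    from the POI's salience weight. Scoring rule is assumed: taps are the
    most common pick, circles next, lines rank by their weaker endpoint."""
    ranked = sorted(pois, key=lambda p: -p[2])
    cands = []
    for _, pt, w in ranked:
        cands.append((2 * w, ("tap", pt)))
        for d in ("cw", "ccw"):
            cands.append((w, ("circle", pt, 10, d)))
    for n1, p1, w1 in ranked:
        for n2, p2, w2 in ranked:
            if n1 != n2:
                cands.append((min(w1, w2), ("line", p1, p2)))
    return cands


def ranked_guesses(pois):
    """All ordered triples of distinct candidate gestures, best score first.
    sort() is stable, so ties keep the higher-weight POI earlier in the
    sequence, which is the ordering permutations() already produced."""
    cands = candidate_gestures(pois)
    scored = [(a[0] * b[0] * c[0], [a[1], b[1], c[1]])
              for a, b, c in permutations(cands, 3)]
    scored.sort(key=lambda s: -s[0])
    return [g for _, g in scored]


def attack(account, pois):
    """Spend at most MAX_ATTEMPTS guesses; return (cracked, attempts_used)."""
    for i, guess in enumerate(ranked_guesses(pois)[:MAX_ATTEMPTS], start=1):
        if account.try_login(guess):
            return True, i
    return False, MAX_ATTEMPTS


# Constructed sample photo: (name, point, salience weight 1..9).
SAMPLE_POIS = [
    ("nose",   (50, 30), 9),
    ("flower", (20, 70), 6),
    ("hat",    (50, 10), 5),
    ("corner", (90, 90), 1),
]


def demo(secret):
    """Register `secret` on a fresh account and run the POI attack on it."""
    return attack(PictureLogin(secret), SAMPLE_POIS)


if __name__ == "__main__":
    obvious = [("tap", (52, 32)), ("tap", (18, 72)), ("tap", (50, 8))]
    random_ish = [("tap", (73, 41)), ("tap", (10, 10)), ("tap", (20, 20))]
    print("obvious picks :", demo(obvious))
    print("off-POI picks :", demo(random_ish))
```

The tolerant verifier is why the slightly-off taps in `obvious` still fall to the very first guess: the attacker only needs to land near the point of interest, not on it. A sequence that avoids the salient points entirely, or uses the low-weight corner, exhausts the five attempts and trips the lock-out, which is the article's practical advice in miniature.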

While the research does not show the picture password to be a total cakewalk to crack, it does show that PGA is at best no better than a standard alphanumeric code. Bear in mind, too, that a picture password is a convenience layer rather than a replacement: Windows requires a text password to be set before a picture password can be added, and falls back to that text password after five failed gestures, so the account is never stronger than the text password behind it. If you insist on using PGA, avoid family photos with an obvious nose to tap, and go for something with no standout points of interest, such as a trippy Magic Eye image.

Gerald Lynch

10 comments

    • This isn’t cracking a picture password, it is a tutorial on how to legitimately recover or reset a picture password but also discusses a tool to recover the underlying text password that has nothing to do with picture passwords.
      Recovering passwords in this manner has been possible since the dawn of time and is not a big threat given it cannot be done remotely or without the user knowing about it.
      Anyone serious about security will have their drive encrypted too which would prevent this approach. Further, Windows 8.1 in October extends Bitlocker to all editions of Windows 8 and it is enabled by default on those using Microsoft accounts. There are also ways of disabling access to external drives and devices using secure boot that would mean no one would be able to use the aforementioned tools in any case.

  • I’d have to disagree.

    Firstly, one can’t replace a typed password with a picture password as suggested. The picture password complements the classic password which is quite essential for anyone who has tried to enter a secure, complex password on a touchscreen. If one gets the gestures wrong they then still have to enter the password.

    It’s also not easy to break. Even if the picture somehow makes it obvious where the gestures are – not only are there three gestures, they have to be drawn accurately and in the right order. Windows is quite strict about the entry of the gestures – it’s not as simple as it first appears. I know all of this as often I find it hard to even enter my own known picture password!

    As an experiment I have prepared and had various people watch me enter my picture password and then try to log in themselves – and so far no one has managed it.

    I will read the paper with interest, as I am wondering what user data they used, and how this attack model can gain access to the machine in the first place to execute such an attack, given picture passwords are based only on that user account on a given machine, that is – they do not roam. They are also not used over RDP – meaning somehow the attack would have to be done on the local PC which would severely limit its capability.
