Optimizing picture password security

We wanted to talk a bit more about the security of picture passwords in a follow-up post based on some of your comments.  Jeff Johnson, the Director of Development for the User Experience team, is particularly interested in the math and security of this feature and authored this post on how to optimize the security of the picture password.  Since this is a new form of logging on, and given concerns over security (especially with mobile devices) as well as over new authentication techniques (the fragility of facial recognition, for example, or the challenges we’ve seen with biometrics), it is no surprise folks took to thinking about potential pitfalls in the approach.  Our goal was to provide a convenient mechanism that was clearly no less secure than text passwords (all that math Jeff provided). Below Jeff talks about why this is a robust solution in general.  Keep in mind in reading this that over the years many “best practices” have been established for typed passwords (policies such as numbers+letters+mixed case, length, inability to recycle passwords, no dictionary words, etc.) as well as important cautions (such as avoiding public internet terminals with potential for overhead cameras or keystroke loggers) — these types of practices all have analogs in the use of picture password, as you can imagine.  Jeff outlines some of these and the logic behind the security of the model.  –Steven

A question we’ve been asked several times in one way or another is “I care about keeping my machine secure; what are the best practices for creating the most secure sequence of login gestures?” This leads to an interesting (at least to me, as a math guy) analysis. It involves game theory, but first I’ll distill it down to the following best practices.

  • Pick a photo that has at least 10 points of interest. A point of interest is an area that can serve as a landmark for a gesture – a point that you would touch, places you would connect with a line, an area you would circle.
  • Use a random mixture of gesture types and sequence. While a line is the gesture that has the most permutations, if you always use 3 lines, that actually makes it easier for an attacker, as they can rule out trying sequences with the other gesture types.
  • If you choose to use a tap, a line, and a circle, randomly choose the order of those gestures; this creates 6 times the number of combinations as a predictable order.
  • For circle gestures, randomly choose whether you draw it clockwise or counterclockwise. Also consider making the size of the circle bigger or smaller than the “expected” size.
  • For line gestures, your instinct may be to always draw from left to right, but it is more secure if you randomly choose the direction with which you connect the two points.
  • As with all forms of authentication, when entering your picture password, avoid allowing other people to watch you as you sign in.
  • Keep your computer in a secure location where unauthorized people do not have physical access to it.  As with any password entry, be aware of line of sight and potential recording devices that intrude on your screen.
  • Be aware that smudges on the screen could potentially identify your gestures. Clean your screen thoroughly on a regular basis. Although this increases the risk if you clean, sign in, and then do nothing, the buildup of oils from repeated use is generally easier for an attacker to see (plus, who likes using an oily device?). Note that buildup is more of an issue for entering numeric PINs, when the device is frequently turned on and off and you enter the sequence dozens of times a day (oils can build up in those locations). Periodically look at your screen at an oblique angle while on the picture password login screen and see if there appears to be a pattern pointing to your gesture sequence. If so, either clean your screen or add a handful of additional smudges in the picture password area (which effectively increases the POIs discussed below).

If you follow these tips, you will substantially increase the security of your computer.

As several comments suggested, we also considered shrinking the size of the image and displaying it at random positions and slight rotations on the screen to minimize any risk from smudges.  We knew from usability feedback that decreasing the size of the image both increased the difficulty of properly entering the gesture and made the login experience feel less immersive; however, if there were a significant improvement to security, we wanted to consider the costs and benefits.  What we discovered was that while shifting the image could reduce the buildup of smudges in specific spots, there were even more prominent “clouds” of taps, lines and circles that were identical relative to each other.  With this information, an attacker could easily figure out the gestures relative to each other.  With that information, it was a simple exercise to move them around the picture until they appeared to coincide with significant elements of the picture.  There wasn’t a noticeable improvement in security and we were able to measure significant degradations to the fast and fluid user experience.  In reality, using smudges is very difficult.  When we took tablets that had been used for a number of days by folks, there were typically too many smudges to even begin to deduce their gesture set.  Even when we were given their login sequence and knew what to look for we had limited success.  We included this analysis because we feel it is important that whenever any innovative new technology is introduced that potential attack vectors are disclosed and the technical community can reach a general consensus of the degree of a threat and its potential mitigations.  Of course we also have confidence that screen technologies will continue to improve and smudges will someday seem quaint.

The analysis

It is also interesting to compute the odds of an attack succeeding in various scenarios. As discussed in the previous blog post, gestures are based on a 100 x 100 grid, giving even the simplest gesture (the tap) a potential of 10,000 values (given proximity matching, this number is effectively reduced to 270). In reality, the number of points of interest (POI) is much lower than that – there are only so many memorable locations in a given photograph.

Although there are other ways to structure an analysis, for the purposes of this discussion we will assume that there are a small number of POIs, and all gestures involve only those points. We assume that taps are directly on a POI, circles only come in two sizes (say, small around the point, and larger around the point) and two directions (clockwise and counterclockwise), and lines always connect two POIs. Because this isn’t strictly true, the number of permutations is actually even greater.

Windows provides additional protection for picture passwords (and PINs) by disabling the login mechanism after 5 incorrect tries (you then have to use your conventional password). With this in mind, it is interesting for a given scenario to frame the relative security in two ways.

First, what are the odds that an attacker with full knowledge of your gesture selection methodology would be able to sign in to your machine before the lockout is triggered (we will refer to this as Odds1). If there are x equally likely gesture sequences, then the odds of guessing it in five tries before lockout are 5 / x .

The second interesting view is to assume you were given 100 machines, each with a password picked randomly according to the rules of the scenario (we will refer to this as Odds100). What are the odds that an attacker could log in to at least one of those machines? Since these are independent events, the odds of this are:

Base scenario

Let’s assume a horribly insecure scenario: Your “picture” is entirely black with a single white dot in the middle of it. Because there is only one POI, only the tap and circle gesture can be used (there is nowhere to connect a line to). Obviously, if I used only the tap gesture, an attacker would have 100% success as the only valid sequence would be three taps on the white dot. Let’s assume we only use circles and no points. There are 4 possible circles we can randomly choose for each gesture. This gives us a total of 4³ = 64 possible gesture sequences. For this scenario, Odds1 is 7.81% and Odds100 is 99.97%. It’s surprising that for a single machine the odds of a successful sign in with my picture password are less than 8% (my intuition would have guessed a higher number), though you can see it is a virtual certainty that with 100 machines, at least one of them would be compromised. While some users might be comfortable with these odds, most security conscious folks and IT admins who manage a population of machines would find this unacceptable.

Let’s now augment the scenario by saying we will randomly choose for each gesture whether it is a tap or a circle. It is tempting to say that this doubles the complexity of each gesture, but it does not. There are 4 possible circles and 1 possible tap, so there are 5 unique gestures giving a total of 125 sequences.

Let’s say that we choose to implement our new “random” methodology as follows: flip a coin to determine if it’s a tap or a circle. If it’s a circle, we’ll randomly decide which of the four possibilities it will be. While this seems nice and random, it is actually less secure than just using only circles. This is because half the time we will pick a gesture for which there is only one possibility (the tap). An attacker would focus their attack on gestures that featured two or three taps and achieve higher success. An ideal attack strategy (there are others with identical odds) would be to test for 3 taps, and then test for two taps followed by each of the four circle types for the 5 attempts before lockout. Instead of the apparent Odds1 of 4% (an improvement over the previous 7.81%), an attacker would actually achieve Odds1 of 25%, more than three times worse than just using circles. Statistics can be tricky!

Fortunately, there is an easy fix to this scenario. For each gesture, we pick a random number between 1 and 5. If it is a 1, we use a tap. Otherwise we use the value to pick one of the 4 circle possibilities. This does yield an Odds1 of 4% (almost twice as good as the first scenario), but the Odds100 is still an abysmal 98.31%.

A slight improvement

Let’s make just a small improvement to our methodology. This scenario involves a picture with only two POIs (it’s really hard to imagine a real photo this simple, so we can pretend it’s a black canvas with two white dots). This allows us to add the line gesture, but there are only two possibilities for it: drawing from the first dot to the second, or from the second to the first.

Learning from the previous example, we will not randomly pick the gesture type and then the gesture. We will sum up all possible gestures and then pick a random number to map with equal probability onto each possible gesture. There are 2 possible taps, 8 possible circles, and 2 possible lines. The total number of gesture sequences is 12³ = 1728. This gives us an Odds1 of 0.29% and Odds100 of 25.2%. It is somewhat remarkable that so simple a picture with only 2 POIs would have odds this low for a successful attack. Even if you had 100 machines to attempt to break into, you would only succeed in getting into at least one machine in 1 out of 4 tries.

Ramping it up

Let’s assume there are now 5 POIs in your picture. I can begin to imagine some very simple pictures where this might be the case. We now have 5 possible taps, 20 possible circles, and 20 possible lines. This gives us 45³ = 91,125 possible sequences. Odds1 is now vanishingly small at 0.0055% and Odds100 is also very low at 0.55%. For many users, these odds are sufficient to protect their data.

To the max

Let’s assume you are very security conscious and choose a picture with 10 POIs. There can be debate as to how many POIs a particular photo contains. However, it doesn’t matter how many POIs are “obvious” as long as you pick 10 points that are identifiable to you to randomly choose gestures with. Actually, if some of the points aren’t obvious (but you can still reliably target them), that is a security plus.

We now have 10 possible taps, 40 possible circles, and 90 possible lines. This is a very robust 140³ = 2,744,000 sequences. Odds1 is vanishingly small at 0.0002%. In fact, you are more than 50 times more likely to win $10,000 with a $1 ticket in the Washington State Select 4 Lottery than you are to have your machine broken into using a picture with 10 POIs! The Odds100 has dropped to 0.018% and even Odds1000 is only 0.18%.
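The odds in the scenarios above, worked through as an added example (this is not code from the original post): Odds1 and Odds100 follow from the five tries allowed before lockout and the independence of the 100 machines, and best_attack reproduces the coin-flip analysis by spending the five tries on the most probable sequences. The gesture-counting model (one tap and four circles per POI, an ordered line between each pair of POIs) is the post's simplifying assumption; the scenario labels and function names are mine.

```python
from fractions import Fraction
from itertools import product

LOCKOUT_TRIES = 5  # picture password is disabled after 5 wrong attempts


def odds1(num_sequences: int, tries: int = LOCKOUT_TRIES) -> float:
    """Chance of guessing one of num_sequences equally likely sequences within
    the allowed tries. Capped at 1.0: the post's 5/x formula assumes x >= 5;
    with fewer sequences than tries the attacker simply enumerates them all."""
    return min(1.0, tries / num_sequences)


def odds_n(p_single: float, machines: int = 100) -> float:
    """Chance of getting into at least one of `machines` machines whose
    sequences were picked independently: 1 - (1 - p)^n."""
    return 1.0 - (1.0 - p_single) ** machines


def gesture_count(pois: int) -> int:
    """Distinct gestures under the post's model: a tap per POI, four circles
    per POI (two sizes x two directions) and an ordered line between each
    pair of POIs, i.e. pois*(pois-1) lines."""
    return pois + 4 * pois + pois * (pois - 1)


def sequence_count(pois: int, length: int = 3) -> int:
    """Number of equally likely gesture sequences of the given length."""
    return gesture_count(pois) ** length


def best_attack(gesture_probs, tries: int = LOCKOUT_TRIES, length: int = 3) -> float:
    """Success chance of an attacker who knows the selection method.
    gesture_probs maps each gesture to the probability it is chosen for any
    one position; positions are drawn independently. The attacker spends the
    available tries on the most probable sequences, which is why the coin-flip
    scheme is weaker than its apparent 1-in-125 per-sequence odds suggest."""
    seq_probs = []
    for seq in product(gesture_probs, repeat=length):
        p = Fraction(1)
        for g in seq:
            p *= gesture_probs[g]
        seq_probs.append(p)
    seq_probs.sort(reverse=True)
    return float(sum(seq_probs[:tries]))


CIRCLES = ("small cw", "small ccw", "large cw", "large ccw")
# "Coin flip" scheme: tap half the time, otherwise one of four circles.
COIN_FLIP = {"tap": Fraction(1, 2), **{c: Fraction(1, 8) for c in CIRCLES}}
# "1 to 5" scheme: each of the five gestures equally likely.
UNIFORM_5 = {g: Fraction(1, 5) for g in COIN_FLIP}


if __name__ == "__main__":
    print("one POI, circles only:  Odds1 %.2f%%  Odds100 %.2f%%"
          % (odds1(64) * 100, odds_n(odds1(64)) * 100))
    print("coin-flip scheme, informed attacker: %.0f%%" % (best_attack(COIN_FLIP) * 100))
    print("1-to-5 scheme, informed attacker:    %.0f%%" % (best_attack(UNIFORM_5) * 100))
    for pois in (2, 5, 6, 10):
        x = sequence_count(pois)
        print("%2d POIs: %9d sequences  Odds1 %.4f%%  Odds100 %.3f%%"
              % (pois, x, odds1(x) * 100, odds_n(odds1(x)) * 100))
```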

Social engineering

Social engineering is one of the most significant threats to sign-in security of all types, whether password, PIN, or picture password. Using a randomizer to help construct your sign-in sequence is equally useful for each of these methods.

For the technical enthusiast, it is possible to implement the above schemes with a small amount of programming or the use of Excel. However, it would be useful to have a lower tech way of creating a gesture sequence that a larger audience could employ. Of course, we should not be under any illusions that the number of people who seek out these tools and procedures will be any greater than the number who would voluntarily pick strong text passwords if not required by site admins.

Roll of the dice

As a whimsical exercise, I thought it would be fun to come up with an analog way of generating a random gesture sequence. To do this, I chose to employ a six-sided die (D6 for hard core gamers :-)) to generate a 6-POI gesture sequence. In addition to mapping nicely onto the die, a 6 POI picture has the useful property that the number of possible lines (30) exactly equals the number of taps (6) plus circles (24), so it is easy to bifurcate the gesture type as well.

Repeat the following steps for each of the three gestures:

  1. Roll the die.
    The number indicates which of the six POIs to use for the gesture (for a line it will be the starting POI).
  2. Roll the die again.
    • If the die is even, the gesture will be a line
      Roll the die again.
      If the number matches the first roll to pick the initial POI, reroll until you get a different number.
      This number is the second point for the line.
    • If the die is odd, the gesture will be a tap or circle
      Roll the die again.
      Use the roll value list below to determine the gesture.
      1 – The gesture is a tap
      2 – The gesture is a small clockwise circle
      3 – The gesture is a small counterclockwise circle
      4 – The gesture is a larger clockwise circle
      5 – The gesture is a larger counterclockwise circle
      6 – Reroll

As expected, the complexity provided by 6 POIs is between the numbers for 5 POIs and 10 POIs. Odds1 is 0.0023% and Odds100 is 0.23%.
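The dice procedure as an added example (not the post's own code): roll_gesture follows the steps above including both reroll rules, and distribution lets you confirm that all 60 gestures of a 6-POI picture come out equally likely, which is the property the post relies on. The seeded random.Random, the seed and the sample count are my choices so that the check is repeatable.

```python
import random
from collections import Counter

POIS = 6  # one die face per point of interest

# Third roll after an odd second roll (a 6 means reroll)
CIRCLE_TABLE = {
    2: "small clockwise circle",
    3: "small counterclockwise circle",
    4: "larger clockwise circle",
    5: "larger counterclockwise circle",
}


def roll(rng: random.Random) -> int:
    """One throw of a six-sided die."""
    return rng.randint(1, 6)


def roll_gesture(rng: random.Random) -> tuple:
    """Generate one gesture with the D6 procedure from the post.
    Returns ("tap", poi), ("circle", poi, kind) or ("line", start, end)."""
    start = roll(rng)                 # roll 1: the POI (start POI for a line)
    if roll(rng) % 2 == 0:            # roll 2 even: a line
        end = roll(rng)
        while end == start:           # reroll until the second POI differs
            end = roll(rng)
        return ("line", start, end)
    while True:                       # roll 2 odd: a tap or a circle
        r = roll(rng)
        if r == 1:
            return ("tap", start)
        if r in CIRCLE_TABLE:
            return ("circle", start, CIRCLE_TABLE[r])
        # r == 6: reroll


def roll_sequence(rng: random.Random, gestures: int = 3) -> list:
    """A full picture-password sequence (three gestures by default)."""
    return [roll_gesture(rng) for _ in range(gestures)]


def all_gestures() -> list:
    """The 60 gestures a 6-POI picture allows under the post's model."""
    pois = range(1, POIS + 1)
    taps = [("tap", p) for p in pois]
    circles = [("circle", p, k) for p in pois for k in CIRCLE_TABLE.values()]
    lines = [("line", a, b) for a in pois for b in pois if a != b]
    return taps + circles + lines


def distribution(seed: int, samples: int) -> Counter:
    """Empirical frequency of each gesture from a seeded run of the procedure,
    so the uniformity of the generator can be checked."""
    rng = random.Random(seed)
    return Counter(roll_gesture(rng) for _ in range(samples))


if __name__ == "__main__":
    for g in roll_sequence(random.Random()):
        print(g)
    counts = distribution(seed=1, samples=60000)
    print("gestures seen:", len(counts), "of", len(all_gestures()),
          "min/max count:", min(counts.values()), max(counts.values()))
```

With 60,000 samples each gesture is expected about 1,000 times; a gesture that never appears, or a line whose two endpoints coincide, would indicate a transcription error in the procedure.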

We hope you enjoy using the new picture password sign-in as much as we have enjoyed creating it!

–Jeff Johnson

Comments (75)

  1. alvatrus says:

    Fluent transition between the picture and the keyboard password is important. When I'm at the airport, I need to be able to type the password when the picture password is shown.

    Also, after a few failed tries, can you time-out the picture password for a few seconds (thereby defeating a brute force attack), while still being able to immediately start typing the password.

  2. Great explanation of the potential of the picture passwords! I really like this new way of signing in, and I plan on definitely using it with a touch-enabled device! I can't wait for the final release of Windows 8!

  3. @alvatrus If you check out the video on the previous post, you will find that at 2:15 there is a button that says "Switch to password," so apparently you are able to switch between both methods of logging in pretty easily.

  4. i-DotNET says:

    Hi Steven,

    Have you considered dropping the Windows branding, at least for tablets?  I was just reading the following article from TechRepublic.com and it says:

    "Microsoft’s Windows Phone 7 is a solid product that suffered from one fatal flaw: The burden and baggage of the Windows brand….One of the reasons people love smartphones and tablets so much is that they aren’t as complicated and confusing as the Windows computers that they’ve been using for years. Other than the small-but-rabid cadre of Windows enthusiasts, most people shudder when they think about having a phone that runs like Windows. The last thing they want is a device that locks up for no apparent reason, gradually gets slower over time, and is constantly getting bogged down by spyware, malware, and crapware."


    Will people want to buy a tablet that has Windows in the name?  Note that the *only* other successful platform Microsoft has is the XBox which is not branded as Windows.  Microsoft should consider doing the same thing for their tablets.

  5. far says:

    picture password is nice…. but why only 3 options to choose a picture password, it would be nice to allow a feature to customize the number of gestures u want for the picture password with a minimum of 3, having something like four or 5 more gestures would be awesome,

  6. anon says:

    I can see it now: Clippy to the rescue. "It looks like you're creating a Picture Password! Would you like help rolling your D6 to make sure it's secure?"

  7. Fredrik says:

    Regarding "smudges on the screen could potentially identify your gestures."

    How about moving the picture around every time? It's so much better than relying on the user to "add a handful of additional smudges in the picture password area".

    I know, it's too easy.

  8. mike says:

    "Windows provides additional protection for picture passwords (and PINs) by disabling the login mechanism after 5 incorrect tries (you then have to use your conventional password). With this in mind, it is interesting for a given scenario to frame the relative security in two ways."

    am i reading this wrong, or is defeating a picture password no harder than defeating a text password, since it's trivial to skip the picture password and jump straight to the text password? so you still must absolutely have a strong text password, and a picture password that's technically stronger than it. of course, a picture password has the potential to be easier to remember than a text password at similar strengths. well, maybe, if you're bad at remembering text passwords. i think remembering random "phrases" is easier than random gestures.

  9. Michael says:

    I would like to suggest that you randomly slightly turn or shift the image each time you login.  That way, even if someone were to see smudges, they wouldn't even know where the image was positioned when you logged in, so it would not be near as useful to them.  Thanks, and great job so far.

  10. Anonymous says:


    Didn't he explain why that wouldn't work?

  11. i love the picture passwords thing, i just think it support 3D images for computer that have graphics card that support 3D graphics and that have multi-touch touch touch screens.

  12. Anonymous says:

    Hi Michael,

    Smudges would not really be an issue. The individual who would want to break in would still have to figure out the sequence which would not be that easy.



  13. NoCurrentName says:

    @Anonymous 19 Dec 2011 1:23 PM

    I think the sequence would be mostly easy to guess. Most people (adapt it for specific countries) think in a Left-To-Right and a Top-To-Bottom way. So if you see two circles and a line between them, I would strongly guess that the left circle was drawn first, then either the second circle or the line, but in most cases the line from left to right. Surely you can create secure passwords which look more pseudo-random, but let's be honest: look at what people are using for the current keyboard-passwords and you know how much the average user thinks about security. Additionally: especially girls will take a photograph of themselves with the boyfriend as password image, so the two-faces-image will very often result in two circles with a line in cultural specific order and will be the password on one of ten devices of girls.

  14. @Mike

    All Windows accounts have a text password as their core authentication mechanism.  Secondary mechanisms like picture password, PINs and fingerprint readers are layered on top.  When you enable multiple forms of authentication, your account is only as secure as your least secure method of authentication.

    We spent a lot of time when we designed picture password considering the security implications, not just from a theoretical math perspective, but from how humans actually use the feature.  With picture password we wanted to enable an experience that was not only secure, but fast and fluid.

    Most users of slates and phones today utilize a PIN.  There is an implicit tradeoff being made here between quick access to the device and password complexity.  For example, if your phone required you to enter a 12 letter password that contained at least one upper case letter, a number and a symbol and you had to do this every time you wanted to make a call or check your email, it would be extremely frustrating.

    An interesting consideration for an IT manager who is deciding which methods of authentication are appropriate for their company’s users is how human nature is going to adversely impact the theoretical security.  Rules for what makes a compliant strong password are one manifestation of this.

    One might assume that it would be most secure to disable all forms of authentication except a strong text password.  From a theoretical perspective, there is merit to this approach, if you don’t consider usability.  However, you will still need to choose your definition of “strong” and will have to take into account the ease with which your users will be able to log in.  We have seen a trend for many users when faced with having to frequently log in on a slate (or even phone with PINs) towards picking passwords that are fastest to enter on the soft keyboard.  Needless to say this is not a good security practice.

    However, if picture password is enabled (and the security characteristics are appropriate for your needs), you can utilize a stronger text password and users are more likely to follow best practices as their need to have to actually enter it will be rare.

  15. Stepan says:

    "If there are x equally likely gesture sequences, then the odds of guessing it in five tries before lockout are 5 / x ."

    So, when there are only 2 gesture sequences the odds are 5 / 2 = 2.5, which is 250%?

  16. There seem to be a run of comments where the answer is in the post.  I hope folks take the time to read the posts before commenting.

    Keep in mind that we could be having the same "can you guess" dialog around text passwords.  For example, it is well known that when you say "password must contain a number" people start with 1.  If you do password expiration, then the next one is 2.  If you say no ordering then you can guess 3 or 0 (the other side of the keyboard).  Just a reminder that we're not claiming to have solved identity–just making the point that this technique has been designed to provide at least the same amount of security as text based passwords with the additional benefit that you can use touch, which is what @Jeff Johnson (MSFT) describes in the posts and his comments here.

  17. Stepan says:

    Sorry, this formula is for when x is at least 5.

  18. N. Sun says:

    Wow, this is very interesting. Have you guys considered changing the name from "picture password" to something different because this form of logging in isn't really a password?

  19. alan says:

    I am a longtime microsoft shareholder and believer in your products.  The blogger above who talked about the baggage associated with the windows name in the brand is spot on.  Rehabbing windows as a brand requires microsoft increase marketing 10 fold and opening another 400 stores right away, something I doubt Mr Ballmer is willing to do.  A new name is the best way to get away from the windows baggage.  Xbox has a good brand, tag onto that, instead of win8, call it the xPad, no please, please, please call it the xPad instead of windows 8.  Let it be windows 8 on PCs and xPad on tablets.

  20. Manav says:

    @alan – Windows is a very strong brand name. There are some bad memories due to older version of Windows but see how successful Windows 7 is. How much love Windows Phone 7 is getting. In fact, I feel Microsoft's streamlining of Windows brand is the best strategy.

    Windows signifies an experience and having same experience across your devices is amazing. I would recommend 5 top level products from Microsoft:

    Windows PC

    Windows Server

    Windows Phone

    Windows XBOX

    Windows TV

    Windows Music

    Windows Live

    IMHO Microsoft should tie in all these experiences and services together with Windows and under the single sign-on of Windows Live.

    OK may be not Windows XBOX but you get the point. Microsoft needs a consistent brand naming and one that is associated with Metro style innovative experience and Windows 7 and Windows Phone like high quality products.

  21. CSRedRat says:

    For a long time it is time to advance report SCTP everywhere! Considering present active advancement aside IPv6. + the weight of benefits from this is taken by one more good report SPDY. It is impossible to brake development of technologies and it is necessary to push modern reports in weights. It is necessary to convince Microsoft of utility and necessity of the given reports and to incline to their intensive introduction.

  22. win8wall says:

    Would you offer this wallpaper please.


    This was shown after the D9  conference!

    Would be so nice.

  23. Sisyfos says:

    Having read both articles on picture sign-in I am curious about gestures that would have made use of more than one finger. Other than creating an obvious problem for a stylus-type input-devices, what were the sign-in/security experience of such gestures (because I assume they were tried)?

  24. Michael says:

    Great explanation, thanks.

    Would it raise the security if when entering the password, the user would have to pick the correct picture first out of a stack of static pictures that are shown in random order?

  25. If you look at any touch screen kiosk, like an ATM machine.. or the Checkout lane kiosk used by the employees. of a store or even self checkout

    the resistive screen Kiosks all have smoothening of the screen layer at the points which have been touched repeatedly .. to a point where it can be easily identified.

    if the Picture stays PUT on the same location on the screen .. then I am afraid my screen is going to look like that..

    and in few months time my password is going to show UP.. as a smoothened screen surface.

    note these are resistive screen ..

    Also how can i mask a 22 inch screen where no one can look?

    If i have a 22 inch touch screen

  26. Joao M Correia says:

    This is all based on the false assumption that touch screens are ubiquitous and will be everywhere. Just the same wrong assumption made when forcing metro ui.

    There is a very hard-to-explain distancing between microsoft and reality with windows 8. I guess tick-tock cycle is right on the money.

  27. kaustubha says:

    over 2 months passed by the release of pre-beta (windows 8 build 8102) ;But still no larger functions and features improvement in windows by Microsoft

  28. JSM says:

    One thing is not clear to me :  when I fail 5 times,   I must enter the password.  Is this true forever or  can I try again after 30 minutes for example ?  

    In any case the system looks very strong,  even with a very simple picture.

    Jeff Johnson mentions fingerprint readers,  which looks the simplest way to log into a system.  However,  even if you struggle to find an easy and fast way to log in,  this solution does not seem to attract you.  Are there reasons for this (other than pure availability of the readers) ?  Perhaps that it looks good but is not ?

  29. All at Microsoft should read this paper I found. I couldn't agree any more. (It's very polite, I know I've had a few nasty words, but honestly it is very polite and elegant)


    He basically describes that software shouldn't be designed by committee and implemented by code warriors, but that it should be natural and free flowing, kind of like this message, it should be simple, elegant and above all flexible.

  30. First off, you guys test VERY fast, second off, I'd like to revisit the start menu, I've been thinking about it a little more, and I realized why the Macs Launchpad doesn't feel claustrophobic, or rather, why the start menu DOES.

    it's because the tiles are so large, and because the background is completely opaque, not to mention only 1 tone, I think if you had the background be white with like 10% opacity, it would blur the desktop thoroughly as to inform the user that they couldn't click on anything on the desktop, and to not make the user feel like they're in a small confined place against their will. It currently feels as if I was locked in a closet somewhere.

    Can I get a response? agree? disagree?

  31. Drop shadows, are they now symmetrical? it annoyed me SO much to have the bottom shadow bigger than the other sides, and I couldn't even fix it in my custom theme because of some rendering bug T_T

    So, I REALLY hope the shadows are symmetrical, it shouldn't look like the light is coming from your ceiling, the user should be the light, thus the shadows should be flat. does any of that make any sense to you?

  32. Bart Verkoeijen says:

    @Jeff Johnson [MSFT] Indeed, I found recently that when I had to request users' password due to client migration process I found all too many Mycompanyname1! passwords. Those are really too easy to guess.

    Picture password definitely adds a personal touch to passwords and I think for enterprise environments it could actually encourage end users to choose a better password.

    For the smudging issue, I would suggest to rotate multiple pictures. It's probably easy to remember gestures for more than one picture because you have a social bond to the choice of gestures.

    The cycling pictures add an extra difficulty for public users who happen to glance at your gesture to unlock the password. If the next password authentication would show a new picture, the gestures of the previous one they remembered would be rendered useless.

    Also, if the images are cycled sufficiently, then the smudges will be random and therefore difficult to estimate.

  33. @Bart Verkoeijen  — I think we're trying to say that there isn't a "smudging issue" any more than there are analogous issues with text based passwords (except for the fact that picture passwords are immune from keystroke logging and other physical intercept techniques).  Personally, I think this is far less than being comparable to other issues.  It is like trying to discern a football team (American) offense by looking at the field after the game–all you see is a lot of torn up grass in the middle of the field.

  34. Windows says:

    There May Only Be One Slight Error I Can Think Of. The Touching Keys May Have A Small Radius, And Say You Touched 5 Pixels To The Right It Wouldn't Treat It Correct.

  35. AndyCadley says:

    Another interesting article. I think the "smudging" issue is a tad overrated, as anyone with a touch-only device is probably aware you tend to end up with smudges all over the screen for normal use anyway. I know that was the case with my latitude XT and I always logged onto that with the fingerprint reader (and that's still an option for those who'd like it!)

  36. Eric says:

    How do picture passwords and regular passwords work in scenarios when items like an alarm clock would wake up my computer?

    Right now I have to allow my computer to circumvent all passwords when it wakes up to allow an alarm clock application to work.

    With a tablet I want certain events and notifications to occur even if my computer is asleep and locked, without me having to log in. This would also be very handy for applications like Skype and Google Voice; I wish they could notify me of a call even if my computer is asleep.

    This is not just for my laptop, I wish I had this feature on my desktop too.

  37. Cloud9 says:

    Did they not have this already in Windows Origami?

    I like the idea as all these passwords drive me crazy.

  38. This is very cool, and I'm looking forward to it in Windows 8.  I'm curious how the login data is stored.  Will I have the same picture password experience across multiple PCs leveraging SkyDrive? [As a side note, can you make an HTML5 web-based version to use for Microsoft web services?  That would be awesome.]

    Is the information stored on the PC as a set of encrypted coordinates?  Or is the full sequence hashed in some way to unlock the PC?  Basically, what is changing about the underlying security mechanism for this Picture Password?

    Awesome job folks – keep up the good work!

  39. Bart Verkoeijen says:

    @Steven Sinofsky – Thanks for the reply, it shows the team takes in the feedback.

    I may have to paraphrase myself to make my earlier point clearer. The core problem with the smudging issue is its traceability.

    Since the picture password is a visual pattern based method, the user's awareness of security strength will be based on whether the pattern can be replicated easily. Whether smudging is a real security issue or not does not matter; it is a fact, though, that it does offer the ability to compromise this security method and therefore may cause fear.

    Your point is taken with the example regarding the football team. Using that same example, I want to highlight that should somebody watch the football match and analyse the tactics, this can be used against a team in the next match should they use the same tactics.

    The same goes for the picture password. The method is much slower and more visible than the text and PIN methods. Therefore it's much easier to see and remember one's login gesture. I've experienced this first hand with the Android 'dot pattern' login method, which is very easy to remember once you see someone log in.

    Therefore, my point was about the traceability of the current implementation. My suggestion would be to use multiple pictures and require that after each successful login a different picture is used for the next login attempt.

  40. Bart Verkoeijen says:

    By the way, there seems to be an issue with the commenting system on this blog: when you take a long time to write your comment the session seems to expire. The post won't be accepted, and reloading the page (resubmitting) does not help. I had the same issue on 2 different PCs in different locations.

  41. seo training noida says:

    Thank You

    The given Information on your blog is very useful.

    Visit: Seo training delhi (http://www.ariestechsoft.net)

  42. @Bart Verkoeijen @Jeff Johnson [MSFT] mentioned in his comment the practical issue that once someone can see you entering any form of authentication, all bets are off.  It is just a matter of focus and skill no matter what form of typing, swiping, or PINing is used.  There really isn't "more visible", there's just visible.  The more you use random elements the less "guessable context" a bad guy might have, but still, if they can see you then you're in a bad spot.

  43. fazal ali says:

    Thank you, brother, for explaining all this to people. It is a great help! A big thank you for this post and for your website overall. I just loved it.

  44. The picture password turned out well. And why can't I write comments on every topic on this site?

  45. Ken Loewen says:

    A couple of interesting concepts were raised in other comments – one is to first have to select from a random set of images before entering your gestures. Another would be to have multiple images in your own "library" – each with its own set of gestures. Having the OS randomly select from among that set would reduce the risk from the smudges. This is a similar concept to the scramble pad for number passwords; have you considered that as an option (it would also work great on WP7)?

  46. chirag says:

    Hi,

    I am very conscious about PIN passwords. How would it provide security? Also, picture password is good for personal devices. It can't be hidden from other persons sitting with you at a desktop. I also expect Windows 8 should give a warning if anyone is setting a weak password, so that one may try to have a strong password.

  47. chirag says:

    I wish to share some expectations from my side:

    1) Metro apps: I like Metro apps, but I wish I had some control over them, such as closing them at will, and marking an app 'in use' so the system doesn't inadvertently close it, which would be beneficial for working with many apps.

    2) IE10: I am searching for a 'progress bar', terribly needed especially for slow connections.

    3) .NET Framework 3.5: I hope the final RTM version has .NET 3.5 preinstalled, as it is not possible to download MBs for everyone.

    4) I also expect IE can be set to desktop mode by default when opening saved pages. Make it easy to take out points from webpages into a Word document. Also, this is more intuitive.

  48. dudeWhatsUP says:

    password + gesture = Windows Pasture(tm)

  49. "There isn't more visible, there's just visible"

    Steven, I take issue with this. When someone's typing in 6 characters' worth of asterisks, I can't see well enough to record their password. With picture password, the 3 taps are highlighted on screen (visual feedback) and that's really easy for me to record. If I'm doing a boardroom presentation no one can guess what I typed, but they can see what I tapped. I think you should disable the visual feedback of picture password.  I didn't see this addressed in the post.

  50. SecurityIsTheSame? says:

    I agree, if it is to be the same level of security you would have to hide the "password" on the screen just as is done with asterisks…

  51. You can change to a text password (or a PIN) any time you want at time of logon (or unlock; remember this is not a replacement for a text password, just an additional mechanism connected to that password, just like a PIN is).  All we've done is shown that the number of combinations makes it equally secure to commonly used PINs.  But nothing can be secure from eavesdropping or observation, not strong passwords or anything.

    Keep in mind any time someone can see you typing there is a risk over the shoulder (obviously not presenting from a podium, but I can't count the number of times I've seen someone start typing their password into a user name field, especially in web demos…).  A much better practice is to blank the screen while setting up and use presentation mode (Windows key+X on a mobile PC) to avoid screen savers, change your background, turn off notifications, and the like.   And of course, use demo accounts if at all possible.

    Keep in mind many believe that even knowing the number of asterisks is a security problem and for years have suggested showing a random number of asterisks for every character typed.  But at least picture password is immune from keystroke logging 🙂

  52. Windows7 says:

    It wouldn't take much for someone to steal a picture password through a screen reader/recorder. After all, a picture password is nothing more than a bunch of coordinates.

  53. Maksim says:

    Hey, why not stop reserving the A and B drive letters for FDD and start giving them to card readers instead? Notebooks, tablets and all modern computers don't have FDD drives. Isn't it time to remove some legacy limitations? (Like folders with the CON name.)

  54. commongenius says:

    @Steven Sinofsky

    "But at least picture password is immune from keystroke logging"

    I have seen you make this comment twice now, but I have seen no justification for why that would be true. Touch is input to the system provided by a hardware device, just like the keyboard. If an attacker can install a key logger, he can install a touch logger just as easily. So how is gesture authentication (the term "picture password", while catchy, is a misnomer, since it doesn't use a password, and the picture is not what is being authenticated) any more immune from logging than a traditional password?

  55. @David A Nelson — assuming an external keyboard, a keystroke logger is easy to install as it just goes between the keyboard and the PC.  A touch panel is integrated and while it might connect via USB, the signal is specific to a make and model.  And still, once you have the signal you have to decode that and use it on that screen on that image on that PC, unlike a password.

    Once you're installing software to log anything, then all bets are off (and why bother stealing the logon password of all things).  However, even then a keystroke logger is completely straightforward and far more useful.

  56. ^^^ How wouldn't someone be able to make an app to log all the picture password signals?

    So your keylogger argument is completely irrelevant.

  57. @BumbleBritches57

    Even if someone logged all of the touchscreen signals used for the picture password, they wouldn't necessarily know how these signals translated into physical gestures. As Steven Sinofsky says, "And once you have the signal you have to decode that and use it on that screen on that image on that PC, unlike a password."

  58. Marcus says:

    How does this work when a password is required in other areas, say a UAC prompt or logging in via RDP?

  59. The point is, if they logged those signals being sent to the app, they could input those signals directly into the app, thereby simulating that activity. Electronically, it would match identically.

  60. Like I said, it's not about translating that information into human readable form; they could input that binary code directly and remotely into the device.

  61. And I'm not a security guy or anything, but Microsoft, you may want to have a public and random key that encrypts ALL passwords, text or otherwise, and the key is decrypted as it is received by the hypothetical login.app, so as to make any stream dumped from any password field unusable by any hacker.

  62. joewin says:

    Cool. Please have (and OEMs) a big screen at a +/- 45 degree angle on a table or something, similar to Microsoft Surface, but only that it's a +/- 45 degree screen that supports multiple inputs (touch, pen, mouse, keyboard, voice etc.) running Windows 8, since it's touch optimised, for the PC+ era.

  63. @BumbleBritches57

    Just based on what I've heard about Metro and Windows 8, I think it would be very difficult to input the information and unlock the PC remotely. Remember that any attack would have to target that device specifically, which would make using the equivalent of a keylogger much harder on a picture password. The bigger risk with these is that someone will be able to see from someone's motions what their password is, or that it will not be possible to hide a password when it is entered during a presentation. By that point, it's probably just better to use a standard, non-picture password. Picture passwords are optional.

  64. winit says:

    Great explanation of the potential of the picture passwords (or gesture log in). Suggestion: have Bing as the background of the desktop; that will make it easy for us to search and find content online as if it's part of the system rather than opening IE (yes, IE will open when a link is clicked). The browser will be part of the OS and Windows Explorer to make it seamless for the user (yes, the user must be able to distinguish where the application is running from (network, home, SkyDrive etc.)). Purposely blur the line between web apps and desktop apps. Why? It will make the overall experience better.

  65. Atul Madhugiri says:

    @Steven Sinofsky I would respectfully have to disagree about the picture login being completely secure. Firstly, you place emphasis on how the picture login is immune to keylogging software. First of all, you are comparing apples to oranges. Keylogging software was designed to steal passwords being inputted by keyboard. That is like saying bikes are secure because they cannot be stolen because they are immune to keylogging software. Also, if you are being keylogged your Windows password isn't a big deal because they already have your banking and personal information. Once there is a new login method it will quickly become hackable because hackers are constantly looking for new security vulnerabilities. A problem with the picture password is that it allows anyone to become a hacker without any experience.  Hypothetically, for me to figure out a friend's iPhone password all I have to do is wipe the screen and then ask them to log in so I can check the weather. Then I look at the phone at an angle and I have limited the password possibilities to 16. After a little bit of guess and check I have figured out their password. This is still somewhat difficult because they are just tapping the screen. With picture password they are dragging their fingers across the screen and it creates more visible smudges. Especially on glossy screens this will be a big problem. I am not saying that this is a bad idea, but it could be easily misused. This might be convenient for consumers although it has the possibility that they lose their financial data. But what would be really dangerous is if business users left their tablets around with smudges revealing the password. This could potentially not only give hackers access to one set of financial data but possibly the financial data of hundreds or even thousands of people.

    I understand that hackers will always find ways to get past security, but this feature allows a person with no computer experience to get people's private information. Hopefully this feature is implemented securely and in a correct way so it is not misused. Also, it would be nice if you added some measures against fragmentation like in Windows Phone 7, making sure that glossy screens especially prone to smudging are not allowed for devices running Windows 8. I hope my opinions are heard and taken into consideration.

  66. Atul Madhugiri says:

    @Steven Sinofsky Also why not add a Courier app to Windows 8 that takes advantage of the work that was done on the Courier user interface. Maybe integrate a Courier like experience into OneNote?

  67. jtmky says:

    Very interesting, we like the work you're doing. Can you please embed Bing into the desktop background, as if Bing is the background that allows online searching, home search or other networks; when the results appear, clicking the links then opens IE.

  68. OH HELL NO, DO NOT make that shitty search engine a part of Windows.

  69. @jtmky says:

    You can do this already! You just have to download the Bing dynamic RSS theme from the Windows themes gallery:


  70. Elior says:

    I think you should invest more in the animations of Windows 8, because they are very poor and not invested in.

    If you put the animations of Windows Phone 7.5 in Windows 8, it will be much better.

  71. Andrey says:

    Very interesting article.

    Let me go a little off topic.

    Maybe this is very hard mathematics for the usual American (in Russia there is a very popular stereotype that people in the USA are very stupid (I'm sorry)). Jeff Johnson, where did you get your education? When is this level of mathematics studied in the usual American school? In Russian schools children study this level (factorials, formulas, the summation operator (sigma)) usually at 12-15 years. Please, someone from the U.S., destroy this popular stereotype about Americans in Russia.

    Sorry for my English.

    Thank you very much.

  72. Nigel says:

    here's a great new community for Windows 8 Tablets: http://win8tabs.com

  73. WindowsUser says:

    Program Compabikity Service is a big failure, both in Vista and Windows 7. When I install Ulead PhotoImpact 12 it doesn't say anything at all. But when I install several plugins for it that are in the install folder, it claims that they are not correctly installed, even if they are… I have to disable it to be able to install the plugins without this nagging.

    If something isn't supported in Vista and Windows 7, like old Java runtimes, why isn't the install blocked?

  74. WindowsUser says:

    Program Compabikity Service = * compability *

  75. Irfanfare says:

    Windows, I think, is going the right way. Too much security at the point of login is not as important as the security within. More security features can be added to drives and specific folders (encryption, for instance, in all versions of Windows and permitted on folders). Easy usability is more important.