Taking shots at Windows 8’s new picture password

Blah, blah, blah.

I was reading in a short article on Network World that the father of two-factor authentication, Kenneth Weiss, doesn’t think that Windows 8’s new picture password is any good.

"I think it's cute," says Kenneth Weiss, who now runs a three-factor authentication business called Universal Secure Registry.  "I don't think it's serious security."

The major downside of the picture password is that drawing a finger across a photo on a touch screen is easy to video record from a distance - making it relatively easy to compromise, he says. Designers of alpha-numeric passwords recognize this danger and have responded to it by having password characters appear as dots on the screen so the password can't be copied down.

Designers of Windows 8's picture login have made a traditional password an alternative, perhaps in acknowledgement of this shortcoming, he says.

Other problems include backing up the touch pattern that is the login. "To put down a description of the sequence is possible, but that's a lot of writing," he says.

All in all, "It's more like a Fisher-Price toy than a serious choice for secure computer access," he says.

If you’re unfamiliar with Windows 8’s new security feature and were too lazy to click the link above, basically what happens is that you are presented with a picture and you swerve your finger over it, pointing to various elements of the picture.  For example, if it is a picture of your family, you might highlight your mom, brother and sister in the same zipping pattern each time.  If it’s a picture of a sporting event, it might be of a puck going through the Toronto Maple Leafs’ goaltender’s legs.  And so forth.

What’s wrong with a picture password?

Well, somebody could be looking over your shoulder and memorize the pattern that you are swiveling, or record it from a distance, says Weiss.  That’s why password designers have dots instead of the actual numeric characters when you type in your password.

This criticism isn’t on the mark.

The fact is that even passwords are prone to memorization.  I was at Home Depot one time and I saw a lady open up the register, and I memorized the numeric sequence.  I sometimes watch people open up a door that is protected by a numeric keypad.

But doesn’t a password protect against that sort of thing?  Of course not.  If we’re worried about someone recording our hand gestures with a picture password, then we should also be worried about someone recording our finger keystrokes.  If I were to see a recording of someone entering in their password, and it had audio, I could probably figure out eventually what their password is.  It’s be blurry and hard to figure out if they are a fast typist, but I bet I could break enough of them to be taken seriously.

I don’t think anyone has solved the password problem.  Not even Weiss himself.  He’s the father of two factor authentication.  That worked so well that he started a company that does three factor authentication.  What’s next?  Four factor?  It’s a contest to see how long you can slow down users and make them annoyed at the piles of security that they have to wade through.

People in glass industries shouldn’t throw stones.

Comments (1)
  1. Picture passwords are a good initiative, but you left the disabled, and most concernedly, the blind, out of the picture.  How are we, exactly, going to swivel our fingers around a picture if we can't see to begin with?  

Comments are closed.

Skip to main content