Microsoft's swipe'n'swirl pic passwords LESS secure than PINs, warn researchers

Microsoft's promotion of visual passwords, based on tapping pictures and making gestures instead of conventional text passwords, might be a boon for usability. Yet security experts warn the technology is less secure than even a simple 4-digit PIN. The increased power of brute force attacks, password hash database leaks and the …

COMMENTS

This topic is closed for new posts.
  1. Just_this_guy

    Extra dimensions!

    Is nobody using Time as a factor yet? Delay between gestures, perhaps changing the picture between gestures or after set times. You might use 5 photos of friends and family in random order and point to the oldest person's chin in each. Greatly increase the number of points of interest without making the process more difficult for the user. Indeed, if you get a gesture wrong, the system could deliberately supply the wrong picture next, further muddying the waters.

    1. Charles 9

      Re: Extra dimensions!

      Write your signature twice at your normal speed. Note how different the two of them are, not just in appearance but also in time taken. Circumstances can alter our strokes and our timing, meaning unless a timing-based check is forgiving, we have a passing fair chance of missing. That's probably why timing hasn't been used much in current gesture checks like those seen in Android.

  2. Pat 4

    Also

    Also... if you're going to use a picture password gesture thing... make sure you wipe your screen after every single use...

    1. Code Monkey
      Windows

      Re: Also

      Yes. The unlock pattern for my phone becomes very obvious if I've eaten crisps.

    2. Anonymous Coward
      Anonymous Coward

      Re: Also

      Or grease up all the numbers? ;-)

    3. Col. Muckstard
      Joke

      Re: Also

      Should I wipe my screen at least 7 times, from random directions, for extra security...?

  3. jb99

    It's not aimed at high security

    The purpose of these locks is to stop your friends from picking up your phone and sending joke messages, or to stop the person who picks up your phone from your desk from making chargeable calls. For those this level of security is fine for the convenience it gives.

    As long as people know this...

    1. graeme leggett Silver badge

      Re: It's not aimed at high security

      or a step up for those who don't normally use a password or a pin at all because, according to them, they can't remember it.

      You could use a picture of a keyboard - that would give 101 points of interest.....

  4. DJO Silver badge

    Composite authentication

    Using a picture is borderline dumb as it may contain obvious cues or leave tell-tale smears, short passwords are even worse but the touch screen offers another opportunity: A password that you write across the screen with your forefinger or a stylus, perhaps your signature. Although your signature may be available for many people to see and a "black hat" may see you writing it out, duplicating the actual physical actions required to make a good enough copy is almost impossible, certainly harder than guessing a password.

  5. Anonymous Coward
    Anonymous Coward

    What has been said already. Typing in my domain password on the surface pro is a pain in the balls. Fine on my desktop.

    I just have the option when I pull the surface out sans keyboard to quickly log in and do some stuff and stick it in my bag when done.

    Was anyone ever touting picture passwords as being more secure than a 30 element character password? Thought not.

  6. This post has been deleted by its author

    1. This post has been deleted by its author

  7. Robert Ramsay

    What a load of old correct horse battery staple.

    1. Anonymous Coward
      Anonymous Coward

      Downvotes to a clear xkcd.com reference? Some people need to get out more.

      1. Charles 9

        No, more like downvotes to an overly-used cliche. Also, the thing about mobile devices is that it's more difficult to type things in. That's why a focus on gestures and PINs (which can use larger buttons). How many times have you missed on a virtual keyboard?

  8. magickmark
    Holmes

    I use the gesture swipe to lock my Android phone. I have used a short gesture, not one of the common ones used to navigate or anything. It can be swiped quickly if anyone tries to watch, and after a few swipes to change screens or pull down the notification bar etc. the unlock gesture is obliterated.

    Probably far from perfect and not as secure as a password of more than 6 characters using caps, numbers and symbols, but a hell of a lot easier to use and secure enough to stop casual 'attacks' in most cases.

  9. Tempest8008

    If Microsoft chooses not to be open about this new security method then they are basically depending on Security through Obscurity.

    Ask the NSA how well that worked out for them.

    Why is this necessary when facial recognition and other biometrics are becoming so commonplace?

    1. El Andy

      @Tempest8008: "If Microsoft chooses not to be open about this new security method then they are basically depending on Security through Obscurity."

      Um, they are being entirely open about it. How it's actually stored within Windows is irrelevant, by the time someone is in a position to read that data, they're already the other side of the airtight hatchway....

      "Why is this necessary when facial recognition and other biometrics are becoming so commonplace?"

      Because even a weak picture password is less laughably insecure than every implementation of facial recognition seen so far? Because most devices don't have fingerprint readers yet, despite them being around for years? Take your pick.

      1. Robert Helpmann??
        Childcatcher

        The Other Other Side

        @Tempest8008: "If Microsoft chooses not to be open about this new security method then they are basically depending on Security through Obscurity."

        Um, they are being entirely open about it. How it's actually stored within Windows is irrelevant, by the time someone is in a position to read that data, they're already the other side of the airtight hatchway...

        Not so fast! Being on a machine or network does not give you automatic rights to all other users' passwords, which is basically what is being implied by this. Sure, this is for touch devices, but with the whole BYOD craze going on, it is conceivable that a person other than the owner might have access to the file system. Add to that the possibility of a malicious app that can access the file system and I would say that where and how this password information is stored becomes very important. Is it stored differently than if a PIN is used? People re-use those, just like they do passwords, so that information might turn out to be valuable.

        Security should not be monolithic. It should be layered, creating compartments for different parts of the system. Airtight hatchway, indeed!

  10. Anonymous Coward
    Anonymous Coward

    Apple will probably (finally) push proper security forward with fingerprints - shame no-one really managed it before. Most passwords are woefully insecure if used at all.

    1. Anonymous Coward
      Anonymous Coward

      " shame no-one really managed it before"

      Do all those Dell laptops with fingerprint readers not count?

      Or the Alienware mobile (they're too heavy for a lap) computers with facial recognition?

      1. Anonymous Coward
        Facepalm

        stored in the registry

        Yes, but if you had access to the unlocked machine, pulling the password out of the registry took 2 seconds.

        1. Anonymous Coward
          Anonymous Coward

          Re: stored in the registry

          "if you had access to the unlocked machine"

          - you wouldn't need the password anyway.

    2. Irongut Silver badge

      I had an HP laptop with built in fingerprint scanner some 10 years or so ago. Worked great for logging in to Windows, email, etc.

    3. TheVogon

      "Apple will probably (finally) push proper security forward with fingerprints"

      LOL, I think that use of that (at least ten years old) system will be short lived in mobile phone devices. I'm betting it won't be too long before an iPhone theft involves the use of a meat cleaver:

      http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm

  11. Eradicate all BB entrants

    Nowhere near as bad as ....

    .... Barclays business banking which switched from alphanumeric to numeric only.

  12. thesykes

    Seems to me there are two types of thief who steal laptops, phones etc.

    The first is an opportunist thief, who will steal whatever they can, to sell down the pub for a few quid for their next fix.

    The second is the steal-to-order specialist, who is after laptops belonging to government officials, CEOs of multinationals etc.

    The first type would be confounded by using password as a password, and the second has absolutely no interest in your photos of your aunty Edna's sixtieth birthday bash at the Dog and Duck.

    Basic security is fine for the average person, just enough to stop other average people from accessing their emails, making phone calls etc. If you make the security too complicated, it will just not get used at all.

    1. Vic

      > The first type would be confounded by using password as a password

      It's always a mistake to underestimate your opponent...

      The opportunistic thief might (or might not) be a monosyllabic knuckle-dragger, but the laptop *will* pass into the hands of someone who knows how to clean it up - because it is much more valuable that way.

      If you expect your adversary to spend his time looking for the "any" key, you're going to be outwitted.

      Vic.

  13. Jediben
    Paris Hilton

    Choose a picture Dozens of POIs

    A tumblr collage from slimnbusty ought to do the trick!

    Paris - because she might be among them.

    1. Anonymous Coward
      Anonymous Coward

      Re: Choose a picture Dozens of POIs

      That page doesn't exist...

      1. Herby

        Re: Choose a picture Dozens of POIs

        Yes, a picture with LOTS of points of interest doesn't exist. The WHOLE POINT of a picture is to have a small number of points of interest. Why else would you take the picture in the first place?

        As for the obvious attack, my nice tablet has LOTS of finger prints where I play solitaire. They have become pretty obvious when the screen is dark and light reflects off of it. It doesn't take long after a cleaning before it becomes greasy again.

        Yes, potato chips (crisps) speed up this "marking" of the glass face.

        p.s. If you have a 4 digit PIN, the best one is chosen by someone else. That way it isn't easily guessed. I suspect that '8520' is a pretty common self generated one.

  14. returnmyjedi

    Agree with the general consensus thus far. The reason why POI passwords etc were first touted was to allow Alzheimic punters to at least have a fighting chance at a secure login.

    As an aside (and a genuine question) re the Apple finger print thingy, doesn't it involve an element of capacitive touch for it to work? That could be a bit of an issue for anyone with cold / greasy / wet / gloved fingers to use, surely Shirley?

  15. returnmyjedi

    Agree with the general consensus thus far. The reason why POI passwords etc were first touted was to allow Alzheimic punters to at least have a fighting chance at a secure ish login.

    As an aside (and a genuine question) re the Apple finger print thingy, doesn't it involve an element of capacitive touch for it to work? That could be a bit of an issue for anyone with cold / greasy / wet / gloved fingers to use, surely Shirley?

  16. Maharg

    A good idea?

    I was about to comment about how stupid this is, but then realised I doubt I am the target market for this, and I think we are missing the big picture here, I know a number of people (5 off the top of my head) who do not bother having a password, code, or swipe entry into their phone at all,(no matter what I say) you can literally pick one up and unlock the screen and there you go, Facebook, twitter, email, and a bank app on the screen, now wait, I have been defeated by the bank needing a 4 digit code, hmmmm considering this person doesn’t bother or can’t remember a 4 digit code to open their phone, let me try…. 1234…. Tada!

    This kind of nonsense and stupidity might be scoffed at by the majority of us, who understand the need for security, but we would not use this, and I don't think it's being aimed at people "in the know".

    I can guarantee that if this was able to be done on the type of phone the people I am talking about all have they will change the picture as often as they change their wall paper as it will be seen as an extension of personalising their phone.

    So to me, those figures of less than 3% pass rate after 5 attempts are a lot better than the 100% when they have nothing at all, too, and they can make it more secure by giving them 3 instead of 5 attempts.

  17. Dave 62
    Angel

    most commonly used password?

    Just as today we have some very common passwords, things like monkey, passw0rd and babygirl, if passfondles become the norm I'd wager that some common themes will emerge, hearts around a loved ones face, two circles with a tall interconnecting arc, you know the sort of thing.

    1. Anonymous Coward
      Anonymous Coward

      Re: most commonly used password?

      You mean this was someone's picture password?

  18. G Watty What?
    Trollface

    Reposition Characters OnScreen

    You know the PIN keypad that gets displayed? Wouldn't re-arranging the position of the numbers for each unlock defeat the greasy finger attack?

    OMG I can almost taste a patent!!! Samsung, Apple, Google you'll all soon be paying me mega-bucks for this little beauty bru-ha-ha-ha.

    tiddle-dee-dee-googly-googly-doo --> http://www.google.co.uk/patents/US6549194

    DAMN YOU HP!!!!!!!!!

    1. No longer in IT

      Re: Reposition Characters OnScreen

      I realise this is not related to phones but just to mention that the 'Interactive Investor' share dealing site uses an onscreen pad for a PIN and they jumble up the position of the numbers each time you use it. It does make you wonder why this hasn't been implemented on phones already.

      1. Charles 9

        Re: Reposition Characters OnScreen

        Probably because some people rely on muscle memory to recall things like PINs. Some people don't like it when you mess with muscle memory.

        1. Anonymous Coward
          Anonymous Coward

          Re: Reposition Characters OnScreen

          Some people don't like it when you mess with muscle memory.

          Indeed, ask some of the (many) Windows 8 haters if you want proof.

  19. Hud Dunlap
    Joke

    But the NSA will have your pictures!!!

    OH NO! the NSA will have copies of your favorite pictures!

  20. Henry Wertz 1 Gold badge

    What I'm amused by...

    What I'm amused by is, ok, Microsoft has a blog post on making a secure password where they suggest pictures with many points of interest, and mixing up the gestures and so on (linked towards the bottom of the article.) This is good advice! And yet, on the "Sign in with a picture password" page (the first link off the article), they suggest *few* points of interest ("it's easier to draw on a close-up photo of your favorite pet than to tap the right individual tulip in a garden scene each time"), and simple gestures ("It's easier to tap one person's nose than to trace a city skyline."). No link to any kind of article (or that blog post) on making *secure* picture passwords. So, I'm assuming if you see this in action the password will almost always be tapping on someone's nose.

    To me, this is just as though they suggested (for text passwords), keep it short (for instance, one letter like "a") and stay away from those tricky mixed caps and punctuation! 8-)

  21. Anonymous Coward
    Anonymous Coward

    "Users can choose any picture, and then "annotate" it with three finger movements: tapping a point, drawing a stroke, or sweeping a circle."

    Sounds like a terrible idea if someone has a disability. A stroke, Parkinson's and ALS are just a few diseases that would make that nearly impossible to use.

  22. Zot

    Can you use an animated GIF?

    Oh wait, this is getting too complex, let me just type a password in please.

  23. BongoJoe
    FAIL

    Wife

    The wife has just come out of hospital from a procedure cleaning ganglions off her tendons in her hand.

    It'd be interesting to see how she could cope with gestures (other than the obvious) for the next fortnight.

    These methods all work very well until one loses the function of the limb for any period of time.

    1. graeme leggett Silver badge

      Re: Wife

      With Windows 8, the picture/gesture is an alternative to typing in your password - you can use either when logging in.

  24. Trixr

    Fine for home devices, not for the enterprise

    It's not rocket science. This will be great for personal devices. It should be disabled with prejudice on enterprise devices.

    These "the sky is falling" security analysts need to get to grips with the idea of different risk profiles for different users and use-cases. SOME password is better than none at all, and how many people are wandering around with no security at all on their devices?

  25. Jin

    This should be called a picture-assisted gesture password, not a picture password.

    Some picture passwords are designed far more wisely. A good example is shown at

    http://mneme.blog.eonet.jp/default/files/expanded_password_system.pdf

  26. Robert Grant

    A bit of a ridiculous article

    Yes, the number of combinations might not be much different from a 6 character alphanumeric password, but the point either way is that that only matters if it can be bruteforced. This is why we all secure our credit cards with a four digit PIN (gasp! only 10000 combinations!) - you only have so many tries before you have to use another method.

    Yes, smudges etc can give it away, but it's not high security. It's a pleasant-looking version of Android's gesture unlock.
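The argument in this post (a small key space only matters if it can be brute-forced, and an online guess limit caps that) and the "3 instead of 5 attempts" point made earlier in the thread are easy to put numbers on. The following is an added example, not code from any commenter, from Microsoft or from Android: a toy PIN verifier with an attempt threshold and a doubling lockout, plus a function that counts how many online guesses such a policy permits inside a time budget. The class and function names, the 30-second base lockout and the test PINs are all constructed for illustration; a real device would keep the PIN in a secure element or as a salted hash rather than in the clear as done here.

```python
import hmac
import time
from dataclasses import dataclass, field
from typing import Optional

PIN_SPACE = 10_000  # four decimal digits: the "only 10000 combinations" from the thread


def guess_success_probability(space_size: int, attempts: int) -> float:
    """Chance that an attacker trying distinct PINs uniformly at random
    finds the right one within `attempts` tries."""
    return min(attempts, space_size) / space_size


def attempts_within_budget(max_attempts: int, base_lockout_s: float, budget_s: float) -> int:
    """How many online guesses a lockout policy permits inside `budget_s` seconds.

    Assumes each guess is instantaneous and every failure from the
    `max_attempts`-th onward triggers a lockout that doubles each time.
    """
    if base_lockout_s <= 0:
        raise ValueError("lockout must be positive or the policy never limits anything")
    attempts = 0
    elapsed = 0.0
    while True:
        attempts += 1                      # the guess itself is made before any lockout
        if attempts >= max_attempts:
            elapsed += base_lockout_s * 2 ** (attempts - max_attempts)
            if elapsed > budget_s:         # the next guess would fall outside the budget
                return attempts


@dataclass
class PinVerifier:
    """Constructed demo verifier: stores the PIN in the clear for brevity."""
    pin: str
    max_attempts: int = 5
    base_lockout_s: float = 30.0
    failures: int = field(default=0)
    locked_until: float = field(default=0.0)

    def check(self, candidate: str, now: Optional[float] = None) -> bool:
        """Return True only for the right PIN outside a lockout window.

        `now` is injectable so the lockout can be exercised with a simulated clock.
        """
        now = time.monotonic() if now is None else now
        if now < self.locked_until:
            return False                   # refuse while locked, whatever the candidate
        # constant-time comparison so the verifier leaks nothing about matching prefixes
        if hmac.compare_digest(candidate.encode(), self.pin.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked_until = now + self.base_lockout_s * 2 ** (self.failures - self.max_attempts)
        return False


if __name__ == "__main__":
    for threshold in (5, 3):
        n = attempts_within_budget(threshold, 30.0, 3600.0)
        p = guess_success_probability(PIN_SPACE, n)
        print(f"{threshold} free attempts, 30 s doubling lockout: {n} guesses/hour, p(success) = {p:.4f}")
```

With the policy above, an hour of online guessing yields 11 attempts at a 5-attempt threshold and 9 at a 3-attempt threshold, so the 10,000-entry key space that sounds laughable offline translates to roughly a 0.1% chance per hour online. The lockout timer, not the size of the key space, is doing the work, which is exactly why the same argument does not transfer to an attacker who has extracted the stored secret and can guess offline.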

  27. Tom 7

    Faeces recognition next?

    No shit!

  28. Anonymous Coward
    Anonymous Coward

    Don't care how they do it

    But can they shoot the bastard who always sends me mail just after I've locked my phone.
