Microsoft's swipe'n'swirl pic passwords LESS secure than PINs, warn researchers Microsoft's promotion of visual passwords, based on tapping pictures and making gestures instead of conventional text passwords, might be a boon for usability. Yet security experts warn the technology is less secure than even a simple 4-digit PIN. The increased power of brute force attacks, password hash database leaks and the …
Is nobody using Time as a factor yet? Delay between gestures, perhaps changing the picture between gestures or after set times. You might use 5 photos of friends and family in random order and point to the oldest person's chin in each. Greatly increase the number of points of interest without making the process more difficult for the user. Indeed, if you get a gesture wrong, the system could deliberately supply the wrong picture next, further muddying the waters.
Write your signature twice at your normal speed. Note how different the two of them are, not just in appearance but also in time taken. Circumstances can alter our strokes and our timing, meaning unless a timing-based check is forgiving, we have a passing fair chance of missing. That's probably why timing hasn't been used much in current gesture checks like those seen in Android.
The purpose of these locks is to stop your friends from picking up your phone and sending joke messages, or to stop the person who picks up your phone from your desk from making chargeable calls. For those this level of security is fine for the convenience it gives.
As long as people know this...
Using a picture is borderline dumb as it may contain obvious cues or leave tell-tale smears, short passwords are even worse but the touch screen offers another opportunity: A password that you write across the screen with your forefinger or a stylus, perhaps your signature. Although your signature may be available for many people to see and a "black hat" may see you writing it out, duplicating the actual physical actions required to make a good enough copy is almost impossible, certainly harder than guessing a password.
What has been said already. Typing in my domain password on the surface pro is a pain in the balls. Fine on my desktop.
I just have the option when I pull the surface out sans keyboard to quickly log in and do some stuff and stick it in my bag when done.
Was anyone ever touting picture passwords as being more secure than a 30 element character password? Thought not.
This post has been deleted by its author
This post has been deleted by its author
I use the gesture swipe to lock my android phone, I have used a short gesture, not one of the common ones used to navigate or anything. It can be swiped quickly if anyone tries to watch and after a few swipes to change screens or pull down the notification bar etc. the unlock gesture is oblitirated.
Probably far from perfect and not as secure as a password of more that 6 characters using caps, numbers and symbols, but a hell of a lot easier to use and secure enough to stop casual 'attacks' in most cases.
@Tempest8008: "If Microsoft chooses not to be open about this new security method then they are basically depending on Security through Obscurity."
Um, they are being entirely open about it. How it's actually stored within Windows is irrelevant, by the time someone is in a position to read that data, they're already the other side of the airtight hatchway....
"Why is this necessary when facial recognition and other biometrics are becoming so commonplace?"
Because even a weak picture password is less laughably insecure than every implementation of facial recognition seen so far? Because most devices don't have fingerprint readers yet, despite them being around for years? Take your pick.
@Tempest8008: "If Microsoft chooses not to be open about this new security method then they are basically depending on Security through Obscurity."
Um, they are being entirely open about it. How it's actually stored within Windows is irrelevant, by the time someone is in a position to read that data, they're already the other side of the airtight hatchway...
Not so fast! being on a machine or network does not give you automatic rights to all other users' passwords, which is basically what is being implied by this. Sure, this is for touch devices, but with the whole BYOD craze going on, it is conceivable that a person other than the owner might have access to the file system. Add to that the possibility of a malicious app that can access the file system and I would say that where and how this password information is stored becomes very important. Is it stored differently than if a PIN is used? People re-use those, just like they do passwords, so that information might turn out to be valuable.
Security should not be monolithic. It should be layered, creating compartments for different parts of the system. Airtight hatchway, indeed!
"Apple will probably (finally) push proper security forward with fingerprints"
LOL, I think that use of that (at least ten years old) system will be short lived in mobile phone devices. I'm betting it won't be too long before an iPhone theft involves the use of a meat cleaver:
http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm
Seems to me there are two types of thief who steal laptops, phones etc.
The first is an opportunist thief, who will steal whatever they can, to sell down the pub for a few quid for their next fix.
The second is the steal-to-order specialist, who is after laptops belonging to government officials, CEO's of multinationals etc.
The first type would be confounded by using password as a password, and the second has absolutely no interest in your photos of your aunty Edna's sixtieth birthday bash at the Dog and Duck.
Basic security is fine for the average person, just enough to stop other average people from accessing their emails, making phone calls etc. If you make the security too complicated, it will just not get used at all.
> The first type would be confounded by using password as a password
It's always a mistake to underestimate your opponent...
the opportunistic thief might (or might not) be a monsyllabic knuckle-dragger, but the laptop *will* pass into the hands of someone who knows how to clean it up - because it is much more valuable that way.
If you expect your adversary to spend his time looking for the "any" key, you're going to be outwitted.
Vic.
Yes, a picture with LOTS of points of interest doesn't exist. The WHOLE POINT of a picture is to have a small number of points of interest. Why else would you take the picture in the first place?
As for the obvious attack, my nice tablet has LOTS of finger prints where I play solitaire. They have become pretty obvious when the screen is dark and light reflects off of it. It doesn't take long after a cleaning before it becomes greasy again.
Yes, potato chips (crisps) speed up this "marking" of the glass face.
p.s. If you have a 4 digit pin, the best one is chosen by someone else. That way it isn't easily guessed. I suspect that '8520' is a pretty common self generated one.
Agree with the general consensus thus far. The reason why POI passwords etc were first touted was to allow Alzheimic punters to at least have a fighting chance at a secure login.
As an aside (and a genuine question) re the Apple finger print thingy, doesn't it involve an element of capacitive touch for it to work? That could be a bit of an issue for anyone with cold / greasy / wet / gloved fingers to use, surely Shirley?
Agree with the general consensus thus far. The reason why POI passwords etc were first touted was to allow Alzheimic punters to at least have a fighting chance at a secure ish login.
As an aside (and a genuine question) re the Apple finger print thingy, doesn't it involve an element of capacitive touch for it to work? That could be a bit of an issue for anyone with cold / greasy / wet / gloved fingers to use, surely Shirley?
I was about to comment about how stupid this is, but then realised I doubt I am the target market for this, and I think we are missing the big picture here, I know a number of people (5 off the top of my head) who do not bother having a password, code, or swipe entry into their phone at all,(no matter what I say) you can literally pick one up and unlock the screen and there you go, Facebook, twitter, email, and a bank app on the screen, now wait, I have been defeated by the bank needing a 4 digit code, hmmmm considering this person doesn’t bother or can’t remember a 4 digit code to open their phone, let me try…. 1234…. Tada!
This kind of nonsense and stupidity might be scoffed at by the majority of us, who understand the need for security, but we would not use this, and I don’t think its being aimed at people “in the know”
I can guarantee that if this was able to be done on the type of phone the people I am talking about all have they will change the picture as often as they change their wall paper as it will be seen as an extension of personalising their phone.
So to me those figures of less than 3% pass rate after 5 attempts, is a lot better than the 100% when they have nothing at all, to and they can make it more secure by giving them 3 instead of 5 attempts
Just as today we have some very common passwords, things like monkey, passw0rd and babygirl, if passfondles become the norm I'd wager that some common themes will emerge, hearts around a loved ones face, two circles with a tall interconnecting arc, you know the sort of thing.
You know the pin keypad that get's displayed? Wouldn't re-arranging the position of the numbers for each unlock defeat the greasy finger attack?
OMG I can almost taste a patent!!! Samsung, Apple, Google you'll all soon be paying me mega-bucks for this little beauty bru-ha-ha-ha.
tiddle-dee-dee-googly-googly-doo --> http://www.google.co.uk/patents/US6549194
DAMN YOU HP!!!!!!!!!
I realise this is not related to phones but just to mention that the 'Interactive Investor' share dealing site uses an onscreen pad for a PIN and they jumble up the position of the numbers each time you use it. It does make you wonder why this hasn't been implemented on phones already.
What I'm amused by is, ok, Microsoft has a blog post on making a secure password where they suggest pictures with many points of interest, and mixing up the gestures and so on (linked towards the bottom of the article.) This is good advice! And yet, on the "Sign in with a picture password" page (the first link off the article), they suggest *few* points of interest (" it's easier to draw on a close-up photo of your favorite pet than to tap the right individual tulip in a garden scene each time"), and simple gesture ( "It's easier to tap one person's nose than to trace a city skyline.".) No link to any kind of article (or that blog post) on making *secure* picture passwords. So, I'm assuming if you see this in action the password will almost always be tapping on someone's nose.
To me, this is just as though they suggested (for text passwords), keep it short (for instance, one letter like "a") and stay away from those tricky mixed caps and punctuation! 8-)
"Users can choose any picture, and then "annotate" it with three finger movements: tapping a point, drawing a stroke, or sweeping a circle."
Sounds like a terrible idea if someone has a disability. A stroke, Parkinson's and ALS are just a few diseases that would make that nearly impossible to use.
The wife has just come out of hospital from a procedure cleaning ganglions off her tendons in her hand.
It'd be interesting to see how she ccould cope with gestures (other than the obvious) for the next fortnight.
These methods all work very well until one loses the function of the limb for any period of time.
It's not rocket science. This will be great for personal devices. It should be disabled with prejudice on enterprise devices.
These "the sky is falling" security analysts need to get to grips with the idea of different risk profiles for different users and use-cases. SOME password is better than none at all, and how many people are wandering around with no security at all on their devices?
Yes, the number of combinations might not be much different from a 6 character alphanumeric password, but the point either way is that that only matters if it can be bruteforced. This is why we all secure our credit cards with a four digit PIN (gasp! only 10000 combinations!) - you only have so many tries before you have to use another method.
Yes, smudges etc can give it away, but it's not high security. It's a pleasant-looking version of Android's gesture unlock.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
