Microsoft's swipe'n'swirl pic passwords LESS secure than PINs, warn researchers

Microsoft's promotion of visual passwords, based on tapping pictures and making gestures instead of conventional text passwords, might be a boon for usability. Yet security experts warn the technology is less secure than even a simple 4-digit PIN. The increased power of brute force attacks, password hash database leaks and the …

COMMENTS

This topic is closed for new posts.


Extra dimensions!

Is nobody using Time as a factor yet? Delay between gestures, perhaps changing the picture between gestures or after set times. You might use 5 photos of friends and family in random order and point to the oldest person's chin in each. Greatly increase the number of points of interest without making the process more difficult for the user. Indeed, if you get a gesture wrong, the system could deliberately supply the wrong picture next, further muddying the waters.

2
0
Silver badge

Re: Extra dimensions!

Write your signature twice at your normal speed. Note how different the two of them are, not just in appearance but also in time taken. Circumstances can alter our strokes and our timing, meaning unless a timing-based check is forgiving, we have a passing fair chance of missing. That's probably why timing hasn't been used much in current gesture checks like those seen in Android.

4
0

Also

Also... if you're going to use a picture password gesture thing... make sure you wipe your screen after every single use...

9
0
Windows

Re: Also

Yes. The unlock pattern for my phone becomes very obvious if I've eaten crisps.

2
0
Anonymous Coward

Re: Also

Or grease up all the numbers? ;-)

3
0
Joke

Re: Also

Should I wipe my screen at least 7 times, from random directions, for extra security...?

2
0

It's not aimed at high security

The purpose of these locks is to stop your friends from picking up your phone and sending joke messages, or to stop the person who picks up your phone from your desk from making chargeable calls. For those this level of security is fine for the convenience it gives.

As long as people know this...

2
0
Bronze badge

Re: It's not aimed at high security

or a step up for those who don't normally use a password or a pin at all because, according to them, they can't remember it.

You could use a picture of a keyboard - that would give 101 points of interest.....

8
0
DJO
Bronze badge

Composite authentication

Using a picture is borderline dumb as it may contain obvious cues or leave tell-tale smears, short passwords are even worse but the touch screen offers another opportunity: A password that you write across the screen with your forefinger or a stylus, perhaps your signature. Although your signature may be available for many people to see and a "black hat" may see you writing it out, duplicating the actual physical actions required to make a good enough copy is almost impossible, certainly harder than guessing a password.

0
1
Anonymous Coward

What has been said already. Typing in my domain password on the surface pro is a pain in the balls. Fine on my desktop.

I just have the option when I pull the surface out sans keyboard to quickly log in and do some stuff and stick it in my bag when done.

Was anyone ever touting picture passwords as being more secure than a 30 element character password? Thought not.

0
0

This post has been deleted by its author

This post has been deleted by its author

What a load of old correct horse battery staple.

7
2

Downvotes to a clear xkcd.com reference? Some people need to get out more.

2
0
Silver badge

No, more like downvotes to an overly-used cliche. Also, the thing about mobile devices is that it's more difficult to type things in. That's why a focus on gestures and PINs (which can use larger buttons). How many times have you missed on a virtual keyboard?

0
1
Holmes

I use the gesture swipe to lock my android phone, I have used a short gesture, not one of the common ones used to navigate or anything. It can be swiped quickly if anyone tries to watch and after a few swipes to change screens or pull down the notification bar etc. the unlock gesture is obliterated.

Probably far from perfect and not as secure as a password of more than 6 characters using caps, numbers and symbols, but a hell of a lot easier to use and secure enough to stop casual 'attacks' in most cases.

0
0

If Microsoft chooses not to be open about this new security method then they are basically depending on Security through Obscurity.

Ask the NSA how well that worked out for them.

Why is this necessary when facial recognition and other biometrics are becoming so commonplace?

3
1
Bronze badge

@Tempest8008: "If Microsoft chooses not to be open about this new security method then they are basically depending on Security through Obscurity."

Um, they are being entirely open about it. How it's actually stored within Windows is irrelevant, by the time someone is in a position to read that data, they're already the other side of the airtight hatchway....

"Why is this necessary when facial recognition and other biometrics are becoming so commonplace?"

Because even a weak picture password is less laughably insecure than every implementation of facial recognition seen so far? Because most devices don't have fingerprint readers yet, despite them being around for years? Take your pick.

1
1
Bronze badge
Childcatcher

The Other Other Side

@Tempest8008: "If Microsoft chooses not to be open about this new security method then they are basically depending on Security through Obscurity."

Um, they are being entirely open about it. How it's actually stored within Windows is irrelevant, by the time someone is in a position to read that data, they're already the other side of the airtight hatchway...

Not so fast! being on a machine or network does not give you automatic rights to all other users' passwords, which is basically what is being implied by this. Sure, this is for touch devices, but with the whole BYOD craze going on, it is conceivable that a person other than the owner might have access to the file system. Add to that the possibility of a malicious app that can access the file system and I would say that where and how this password information is stored becomes very important. Is it stored differently than if a PIN is used? People re-use those, just like they do passwords, so that information might turn out to be valuable.

Security should not be monolithic. It should be layered, creating compartments for different parts of the system. Airtight hatchway, indeed!

0
0
Anonymous Coward

Apple will probably (finally) push proper security forward with fingerprints - shame no-one really managed it before. Most passwords are woefully insecure if used at all.

1
4
Anonymous Coward

" shame no-one really managed it before"

Do all those Dell laptops with fingerprint readers not count?

Or the Alienware mobile (they're too heavy for a lap) computers with facial recognition?

3
0
Silver badge

I had an HP laptop with built in fingerprint scanner some 10 years or so ago. Worked great for logging in to Windows, email, etc.

3
0
Silver badge
Facepalm

stored in the registry

Yes, but if you had access to the unlocked machine, pulling the password out of the registry took 2 seconds.

0
0
Anonymous Coward

Re: stored in the registry

"if you had access to the unlocked machine"

- you wouldn't need the password anyway.

0
2
Bronze badge

"Apple will probably (finally) push proper security forward with fingerprints"

LOL, I think that use of that (at least ten years old) system will be short lived in mobile phone devices. I'm betting it won't be too long before an iPhone theft involves the use of a meat cleaver:

http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm

0
0
Bronze badge

Nowhere near as bad as ....

.... Barclays business banking which switched from alphanumeric to numeric only.

4
0

Seems to me there are two types of thief who steal laptops, phones etc.

The first is an opportunist thief, who will steal whatever they can, to sell down the pub for a few quid for their next fix.

The second is the steal-to-order specialist, who is after laptops belonging to government officials, CEOs of multinationals etc.

The first type would be confounded by using password as a password, and the second has absolutely no interest in your photos of your aunty Edna's sixtieth birthday bash at the Dog and Duck.

Basic security is fine for the average person, just enough to stop other average people from accessing their emails, making phone calls etc. If you make the security too complicated, it will just not get used at all.

1
0
Vic
Silver badge

> The first type would be confounded by using password as a password

It's always a mistake to underestimate your opponent...

the opportunistic thief might (or might not) be a monosyllabic knuckle-dragger, but the laptop *will* pass into the hands of someone who knows how to clean it up - because it is much more valuable that way.

If you expect your adversary to spend his time looking for the "any" key, you're going to be outwitted.

Vic.

0
0
Paris Hilton

Choose a picture Dozens of POIs

A tumblr collage from slimnbusty ought to do the trick!

Paris - because she might be among them.

1
0
Silver badge

Re: Choose a picture Dozens of POIs

That page doesn't exist...

0
0
Bronze badge

Re: Choose a picture Dozens of POIs

Yes, a picture with LOTS of points of interest doesn't exist. The WHOLE POINT of a picture is to have a small number of points of interest. Why else would you take the picture in the first place?

As for the obvious attack, my nice tablet has LOTS of finger prints where I play solitaire. They have become pretty obvious when the screen is dark and light reflects off of it. It doesn't take long after a cleaning before it becomes greasy again.

Yes, potato chips (crisps) speed up this "marking" of the glass face.

p.s. If you have a 4 digit pin, the best one is chosen by someone else. That way it isn't easily guessed. I suspect that '8520' is a pretty common self generated one.

0
0
Bronze badge

Agree with the general consensus thus far. The reason why POI passwords etc were first touted was to allow Alzheimic punters to at least have a fighting chance at a secure login.

As an aside (and a genuine question) re the Apple finger print thingy, doesn't it involve an element of capacitive touch for it to work? That could be a bit of an issue for anyone with cold / greasy / wet / gloved fingers to use, surely Shirley?

0
0
Bronze badge

Agree with the general consensus thus far. The reason why POI passwords etc were first touted was to allow Alzheimic punters to at least have a fighting chance at a secure ish login.

As an aside (and a genuine question) re the Apple finger print thingy, doesn't it involve an element of capacitive touch for it to work? That could be a bit of an issue for anyone with cold / greasy / wet / gloved fingers to use, surely Shirley?

0
0
Bronze badge

A good idea?

I was about to comment about how stupid this is, but then realised I doubt I am the target market for this, and I think we are missing the big picture here, I know a number of people (5 off the top of my head) who do not bother having a password, code, or swipe entry into their phone at all,(no matter what I say) you can literally pick one up and unlock the screen and there you go, Facebook, twitter, email, and a bank app on the screen, now wait, I have been defeated by the bank needing a 4 digit code, hmmmm considering this person doesn’t bother or can’t remember a 4 digit code to open their phone, let me try…. 1234…. Tada!

This kind of nonsense and stupidity might be scoffed at by the majority of us, who understand the need for security, but we would not use this, and I don’t think it's being aimed at people “in the know”

I can guarantee that if this was able to be done on the type of phone the people I am talking about all have they will change the picture as often as they change their wall paper as it will be seen as an extension of personalising their phone.

So to me those figures of less than 3% pass rate after 5 attempts is a lot better than the 100% when they have nothing at all, and they can make it more secure by giving them 3 instead of 5 attempts

0
0
Angel

most commonly used password?

Just as today we have some very common passwords, things like monkey, passw0rd and babygirl, if passfondles become the norm I'd wager that some common themes will emerge, hearts around a loved ones face, two circles with a tall interconnecting arc, you know the sort of thing.

2
0
Silver badge

Re: most commonly used password?

You mean this was someone's picture password?

1
0
Trollface

Reposition Characters OnScreen

You know the pin keypad that gets displayed? Wouldn't re-arranging the position of the numbers for each unlock defeat the greasy finger attack?

OMG I can almost taste a patent!!! Samsung, Apple, Google you'll all soon be paying me mega-bucks for this little beauty bru-ha-ha-ha.

tiddle-dee-dee-googly-googly-doo --> http://www.google.co.uk/patents/US6549194

DAMN YOU HP!!!!!!!!!

0
0

Re: Reposition Characters OnScreen

I realise this is not related to phones but just to mention that the 'Interactive Investor' share dealing site uses an onscreen pad for a PIN and they jumble up the position of the numbers each time you use it. It does make you wonder why this hasn't been implemented on phones already.

0
0
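The randomised keypad idea from the two posts above, as an added worked example (not code from the thread, from Microsoft, or from the Interactive Investor site): a layout shuffle driven by a CSPRNG, plus a small calculation of how much guessing work an observer is left with when the smudged screen positions map to fixed digits versus digits that changed on every unlock. The position numbering and the "one smudge per distinct digit" simplification are assumptions made for the example.

```python
"""Shuffled PIN pad versus fixed PIN pad: how much does residue on the
screen narrow down the PIN? Added example, not from the original thread."""
import secrets
from itertools import product

DIGITS = "0123456789"


def fixed_layout():
    """Conventional keypad: screen position i always shows digit i."""
    return list(DIGITS)


def shuffled_layout():
    """Fresh random order of the ten digits for one unlock attempt.
    Fisher-Yates with secrets.randbelow, so the layout is not predictable
    from a seed the way random.shuffle would be."""
    digits = list(DIGITS)
    for i in range(len(digits) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return digits


def candidate_pins(smudged_positions, layout, pin_length=4, reshuffled=False):
    """Number of PINs still consistent with the observed smudges.

    smudged_positions: screen positions that show finger residue
    (assumption: one smudge per distinct digit of the PIN, nothing else).
    layout: the digit shown at each position during the observed unlock.
    reshuffled: True if the pad is re-laid-out on every unlock, in which
    case residue positions carry no digit information and the observer is
    back to the full keyspace.
    """
    if reshuffled:
        return 10 ** pin_length
    digits = {layout[p] for p in smudged_positions}
    # Every PIN whose set of digits is exactly the smudged set remains possible:
    # with four distinct smudges that is 4! orderings, with three it is the
    # 36 length-4 sequences that use all three digits (one of them twice).
    return sum(1 for seq in product(sorted(digits), repeat=pin_length)
               if set(seq) == digits)


if __name__ == "__main__":
    seen = {0, 1, 2, 3}
    print("fixed pad, 4 smudges    :", candidate_pins(seen, fixed_layout()))
    print("fixed pad, 3 smudges    :", candidate_pins({1, 2, 3}, fixed_layout()))
    print("shuffled pad, 4 smudges :",
          candidate_pins(seen, shuffled_layout(), reshuffled=True))
    print("one shuffled layout     :", "".join(shuffled_layout()))
```

The trade-off the later reply raises still applies: shuffling removes the residue leak but also removes the muscle memory many people rely on to enter a PIN, so the layout has to be readable enough that users actually look at it.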
Silver badge

Re: Reposition Characters OnScreen

Probably because some people rely on muscle memory to recall things like PINs. Some people don't like it when you mess with muscle memory.

0
0
Silver badge

Re: Reposition Characters OnScreen

Some people don't like it when you mess with muscle memory.

Indeed, ask some of the (many) Windows 8 haters if you want proof.

0
0
Bronze badge
Joke

But the NSA will have your pictures!!!

OH NO! the NSA will have copies of your favorite pictures!

0
0
Gold badge

What I'm amused by...

What I'm amused by is, ok, Microsoft has a blog post on making a secure password where they suggest pictures with many points of interest, and mixing up the gestures and so on (linked towards the bottom of the article.) This is good advice! And yet, on the "Sign in with a picture password" page (the first link off the article), they suggest *few* points of interest (" it's easier to draw on a close-up photo of your favorite pet than to tap the right individual tulip in a garden scene each time"), and simple gesture ( "It's easier to tap one person's nose than to trace a city skyline.".) No link to any kind of article (or that blog post) on making *secure* picture passwords. So, I'm assuming if you see this in action the password will almost always be tapping on someone's nose.

To me, this is just as though they suggested (for text passwords), keep it short (for instance, one letter like "a") and stay away from those tricky mixed caps and punctuation! 8-)

1
0
Anonymous Coward

"Users can choose any picture, and then "annotate" it with three finger movements: tapping a point, drawing a stroke, or sweeping a circle."

Sounds like a terrible idea if someone has a disability. A stroke, Parkinson's and ALS are just a few diseases that would make that nearly impossible to use.

0
2
Zot
Bronze badge

Can you use an animated GIF?

Oh wait, this is getting too complex, let me just type a password in please.

0
0
Bronze badge
FAIL

Wife

The wife has just come out of hospital from a procedure cleaning ganglions off her tendons in her hand.

It'd be interesting to see how she could cope with gestures (other than the obvious) for the next fortnight.

These methods all work very well until one loses the function of the limb for any period of time.

0
0
Bronze badge

Re: Wife

with Windows 8, the picture/gesture is an alternative to typing in your password - you can use either when logging in.

0
0

Fine for home devices, not for the enterprise

It's not rocket science. This will be great for personal devices. It should be disabled with prejudice on enterprise devices.

These "the sky is falling" security analysts need to get to grips with the idea of different risk profiles for different users and use-cases. SOME password is better than none at all, and how many people are wandering around with no security at all on their devices?

0
0
Jin

This should be called a picture-assisted gesture password, not a picture password.

Some picture passwords are designed far more wisely. A good example is shown at

http://mneme.blog.eonet.jp/default/files/expanded_password_system.pdf

0
0
Bronze badge

A bit of a ridiculous article

Yes, the number of combinations might not be much different from a 6 character alphanumeric password, but the point either way is that that only matters if it can be bruteforced. This is why we all secure our credit cards with a four digit PIN (gasp! only 10000 combinations!) - you only have so many tries before you have to use another method.

Yes, smudges etc can give it away, but it's not high security. It's a pleasant-looking version of Android's gesture unlock.

0
0
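The point made in this post and in the earlier "A good idea?" post (a small keyspace only matters if the attacker gets unlimited tries, and cutting the allowance from 5 to 3 tightens things further), as an added worked example that is not code from the thread or from Windows: an attempt-limited lock, the attacker's success probability against a uniformly chosen 4-digit PIN, and the same figure when users cluster on a few popular choices. The popularity figures are constructed for the example, not measurements.

```python
"""How an attempt limit bounds an online guessing attack.
Added example, not from the original thread."""
import secrets
from fractions import Fraction


def uniform_success(keyspace, attempts):
    """Chance a guesser (no repeated guesses) hits a uniformly chosen secret
    within `attempts` tries: attempts / keyspace."""
    return Fraction(min(attempts, keyspace), keyspace)


def skewed_success(top_picks, keyspace, attempts):
    """Same bound when users favour a few secrets.

    top_picks: probabilities of the most popular secrets, most popular first
    (assumption: the attacker knows this ranking and guesses in that order).
    Remaining probability mass is spread evenly over the other secrets.
    """
    attempts = min(attempts, keyspace)
    if attempts <= len(top_picks):
        return sum(top_picks[:attempts], Fraction(0))
    rest_mass = 1 - sum(top_picks, Fraction(0))
    rest_count = keyspace - len(top_picks)
    extra = attempts - len(top_picks)
    return sum(top_picks, Fraction(0)) + Fraction(extra, 1) * rest_mass / rest_count


class AttemptLimitedLock:
    """Minimal model of an unlock screen: after max_attempts failures the
    lock stays locked until a fallback method (in the thread, the text
    password) is used."""

    def __init__(self, secret, max_attempts):
        self._secret = secret
        self.max_attempts = max_attempts
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= self.max_attempts

    def attempt(self, guess):
        if self.locked:
            return "locked"
        # Constant-time comparison so timing does not leak digit matches.
        if secrets.compare_digest(guess, self._secret):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        return "locked" if self.locked else "wrong"


if __name__ == "__main__":
    pin_space = 10 ** 4
    # Constructed popularity figures for the three most common PINs.
    popular = [Fraction(1, 10), Fraction(3, 50), Fraction(1, 25)]
    for tries in (3, 5):
        print(f"{tries} tries, uniform PIN : {float(uniform_success(pin_space, tries)):.4%}")
        print(f"{tries} tries, skewed PINs : {float(skewed_success(popular, pin_space, tries)):.4%}")
    lock = AttemptLimitedLock("7290", max_attempts=3)
    for guess in ("1234", "1111", "0000", "7290"):
        print(guess, "->", lock.attempt(guess))
```

The uniform numbers are tiny (0.03% for 3 tries, 0.05% for 5), which is the post's point about credit-card PINs; the skewed figures show why the article's "less than 3% after 5 attempts" comes from popular-choice dictionaries rather than from the raw keyspace, and why the lockout, not the combination count, is the control that matters.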
Silver badge

Faeces recognition next?

No shit!

0
0
