Windows 8: Log On With Taps, Circles, and Lines | PCWorld Business Center. (No longer available online. Original text included below.)
Though it’s common not to have a password on a home computer, and some even skip it on their personal mobile devices, it’s the first, and most important, barrier protecting a company’s data. Windows 8 will provide a number of ways of securing your password, and Microsoft recently talked more about a feature called “Picture Password” as a new way to authenticate without standard passwords and PINs.
Traditionally, authenticating to a device involves typing in a password or PIN. Unfortunately, users tend to choose passwords that are easy to remember or that are based on characters they relate to. This makes passwords easier to guess for attackers who know something about you. Character-based passwords are also vulnerable to keylogging, where malware installed on the device can detect the specific keystrokes and easily reproduce them.
A newer authentication technique involves drawing on a device’s touchscreen. Google has a patent pending on its Android pattern-based unlock screen, in which you connect dots in a nine-dot grid. A drawback of this method is that it tends to leave smudges on the screen, so that an attacker who has possession of the device could see the pattern.
Picture Password was designed to avoid these issues. The technique starts with you providing one of your own pictures. You can position the picture as you like, and are then prompted to make gestures on the picture that become your authentication signature. There are three gesture types you can use: a tap, a circle, and a line. In a demo video, the demonstrator draws a picture around his father’s head, connects his sisters’ noses with a line, and taps on his mother’s nose.
Each gesture you make must be in the correct order, proper position, and have the proper directionality. While a single tap isn’t very secure, offering only 270 acceptable inputs, using eight taps increases the options to over 13 quadrillion. Circles are even more complex, with seven circles providing almost one quintillion options.
The point of Picture Password is not just to increase the complexity of passwords, but to provide a secure login that is faster than a touch keyboard. With as few as three gestures, a Picture Password can still provide over one trillion combinations, compared to 81,120 for character-based and 1,000 for numeric passwords, while still taking an average of less than four seconds to complete.
Picture Password still uses a touchscreen, though Microsoft mentions that it can be used with a mouse, so aren’t smudges still a problem? Yes, you’re still likely to leave smudges on your screen when entering a Picture Password. But even if your screen were perfectly clean and three gestures were clearly visible on it, order and directionality complicate its replication. Those three specific gestures still have over one billion possible combinations.
Useful to Business?
Picture Password is not a replacement for the traditional text-based password; in fact, you’ll need to enter your password before creating a Picture Password or if your Picture Password is input five times incorrectly. It also won’t protect you from someone looking over your shoulder while you log in. So is it useful? On mobile touchscreen devices, its combination of a personalized picture and a higher level of security should make it a desirable, and possibly mandatory, feature. But with most business desktops and laptops not having touchscreens, it’s far less likely to be used in the office, where standard passwords will still rule.