
Windows 8 Picture Passwords Easy to Crack, say Researchers

Source: Networkworld | 12 comments

Researchers have shown that a large share of Picture Gesture Authentication passwords can be guessed, even on pictures the attacker has never seen.

Recently, at the USENIX Security Symposium, researchers from Arizona State University, Delaware State University and GFS Technology Inc. presented "On the Security of Picture Gesture Authentication," a paper (pdf) showing that the picture password gestures Windows 8 users choose are far less unique than they appear. It may not matter much which picture the account holder picks: an attacker who has never seen the picture can still guess a considerable portion of the passwords set on it.

"Based on the findings of our user studies, we also propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system," the paper states. "Our approach is based on the concept of selection function that models users' password selection processes. Our evaluation results show the proposed approach could crack a considerable portion of collected picture passwords under different settings."

Through online studies, the researchers collected and analyzed more than 10,000 picture passwords from over 800 subjects. One of the most common patterns was a photo of a person with three taps on the face, at least one of them landing on an eye. The study also found that users would rather upload one of their own photos than use an image supplied by Microsoft.

The study found a relationship between the background image and the user's identity, personality or interests. Images used in the study ranged from celebrity wallpapers to in-game screenshots, but most users chose pictures of people. Around 60 percent of the users surveyed placed their gestures on "special objects" in the image. Eyes were the most frequently used area, followed by the nose, hand or finger, jaw and face.

"It is obvious that pictures with personally identifiable information may leak personal information," the paper states. "However, it is less obvious that even pictures with no personally identifiable information may provide some clues which may reveal the identity or persona of a device owner. Traditional text-based password does not have this concern as long as the password is kept secure."

From this data the researchers built an attack framework that can crack passwords on pictures it has never seen before. They propose using the same framework as a picture-password strength meter, so that users can see how guessable their chosen gesture is. Microsoft could impose a no-three-tap rule to force more varied tap-based passwords, but the researchers note that composition rules of that kind have not proved effective for traditional text passwords either.

"The cornerstone of accurate strength measurement is to quantify the strength of a password," the paper states. "With a ranked password dictionary, our framework, as the first potential picture-password-strength meter, is capable of quantifying the strength of selected picture passwords. More intuitively, a user could be informed of the potential number of guesses for breaking a selected password through executing our attack framework."
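To make the two ideas above concrete (a ranked guess dictionary driven by a selection function, and a strength meter that reports the guess number of a chosen password), here is a toy model of the attack. This is an added example written for this page, not code from the paper or from Microsoft. It models tap gestures only (Windows 8 also allows lines and circles), and the point-of-interest table, its coordinates and weights, the tap tolerance and the sample passwords are all constructed assumptions, not data from the study; only the ordering of the weights (eyes first, then nose, finger, jaw, face) follows the article.

```python
"""Toy model of a dictionary attack on picture gesture (tap) passwords.

Added example for illustration. The POI table, weights, coordinates,
tolerance and sample passwords are constructed assumptions, not data
from the paper or Microsoft's implementation.
"""
import itertools
import math

# Points of interest (POIs) on a hypothetical portrait photo:
# name -> (x, y, weight) on a 100x100 grid. Integer weights keep the
# ranking exact (floating-point products could reorder tied scores).
# The weight ordering loosely follows the article; the numbers are assumed.
POI = {
    "left_eye":  (38, 30, 30),
    "right_eye": (62, 30, 30),
    "nose":      (50, 45, 15),
    "finger":    (20, 80, 10),
    "jaw":       (50, 65,  8),
    "cheek":     (70, 50,  7),
}

TAP_TOLERANCE = 6  # grid units; an assumed tolerance, not the real one


def rank_candidates(poi=POI, n_taps=3):
    """Selection function: score each tap sequence by the product of POI
    weights and return sequences most-likely first. Ties break
    alphabetically so the dictionary order is deterministic."""
    scored = []
    for seq in itertools.product(sorted(poi), repeat=n_taps):
        score = math.prod(poi[name][2] for name in seq)
        scored.append((-score, seq))
    scored.sort()
    return [seq for _, seq in scored]


def taps_match(guess_seq, target_pts, poi=POI, tol=TAP_TOLERANCE):
    """True if every guessed POI lies within tol of the matching target tap."""
    if len(guess_seq) != len(target_pts):
        return False
    return all(
        math.dist(poi[name][:2], pt) <= tol
        for name, pt in zip(guess_seq, target_pts)
    )


def guess_number(target_pts, poi=POI):
    """Strength meter: 1-based rank of the first dictionary entry that
    matches the target taps, or None if no ranked guess ever matches
    (the user tapped away from every POI)."""
    for i, seq in enumerate(rank_candidates(poi, len(target_pts)), start=1):
        if taps_match(seq, target_pts, poi):
            return i
    return None


def strength_bits(target_pts, poi=POI):
    """Guess number as log2, the same unit used for text-password strength."""
    n = guess_number(target_pts, poi)
    return None if n is None else math.log2(n)


def crack_rate(passwords, budget, poi=POI):
    """Fraction of passwords recovered within `budget` guesses."""
    hits = 0
    for pw in passwords:
        n = guess_number(pw, poi)
        if n is not None and n <= budget:
            hits += 1
    return hits / len(passwords)


# Constructed sample passwords (taps with small hand jitter), not study data.
SAMPLE_PASSWORDS = [
    [(37, 31), (61, 29), (51, 44)],   # left eye, right eye, nose
    [(38, 30), (38, 30), (38, 30)],   # triple tap on one eye
    [(21, 79), (50, 66), (69, 51)],   # finger, jaw, cheek
    [(5, 5), (95, 5), (95, 95)],      # corners, far from any POI
]

if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(pw, "guess #", guess_number(pw), "bits", strength_bits(pw))
    print("cracked within 20 guesses:", crack_rate(SAMPLE_PASSWORDS, 20))
```

The eyes-eyes-nose password falls at guess 12 in this dictionary (under four bits of work), the triple tap on one eye is guess 1, and only the corner taps, which touch no point of interest at all, escape the ranked dictionary. Replacing the hand-written weights with per-POI frequencies measured on real pictures is exactly what turns this toy into the paper's selection function.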

The full paper is available as a PDF from the USENIX Security Symposium proceedings.


  • 3 Hide
    DRosencraft , October 5, 2013 5:29 PM
    I would say the first obvious step would be to require more than just three points of interest for the gesture entry. I don't know that you really need a research paper to point out that someone who is lazy about their password settings is going to pick the three most noticeable spots on the picture. Having five or six points should help a significant amount.

    Further from that, however, alpha numeric passwords still seem to be the most logical and functional password protection so long as the user is smart about it and not putting in the obvious strings (QWERTY, 12345, Password, etc.).

    But, this is mostly a moot point anyway since I don't know that most criminals are bothering with trying to crack your Windows password. I suspect that this story is meant less about Windows specifically, and more as a general warning to any company looking to use gesture input as an authentication method for any type of account (i.e bank, credit cards).
  • 2 Hide
    althaz , October 5, 2013 9:09 PM
    If a password has only 7-8 digits it's the exact opposite of secure. 12+ characters are a requirement for a secure password (there's a lot more, but 8 or less characters is absolutely worthless as it can be easily brute forced, which isn't realistically feasible for 12 character passwords yet).
  • 4 Hide
    John Bauer , October 5, 2013 9:50 PM
    Still took longer to crack than the iPhone's fingerprint scanner.
  • 7 Hide
    Bloob , October 5, 2013 10:19 PM
    So basically the problem is between the screen and the chair, as always.
  • 2 Hide
    jalek , October 6, 2013 2:41 AM
    The NSA supports this.
  • -3 Hide
    radiovan , October 6, 2013 3:02 AM
    I find it rather silly to first use 800 subjects to study their patterns and then execute ill intent conclusions.

    Firstly, if anyone with ill intentions had access to 800 Win 8 machines, why in their right mind would they care to crack a password? This is like saying that 60% of 800 bank customers use a PIN consisting of "1234", and then going on to conclude that bank X has a poor security system. If a crook knew that there is a 60% chance that a bank debit card has the PIN 1234, then why would the crooks resort to stealing PIN codes with various contraptions?
  • -2 Hide
    Grandmastersexsay , October 6, 2013 5:42 AM
    Log on passwords are relics of a bygone era when multiple people used one computer. Today, one person uses multiple computers. Most work computers are actually company issued laptops that are brought home each day.

    Log on passwords are useless and ineffective. If you are one of the few people today who leave their computer vulnerable to physical attack, you would be better served with a drive encryption based password setup.

    For the other 99% of us I recommend auto login. If your computer gets stolen, the criminal doesn't care about your work projects that you should have backed up anyway or your minecraft saves. Anyone who keeps sensitive information on their computer or information they can't easily replace is doing it wrong, and will probably get screwed over by a virus long before a physical attack on their computer would.
  • 3 Hide
    _Cosmin_ , October 6, 2013 10:55 AM
    Just because anyone can guess your "special objects" on login image of Kate Upton naked... does not mean that login system has a flaw!
  • 0 Hide
    apache_lives , October 6, 2013 3:30 PM
    not as if passwords are secure either - normal Windows passwords can be stripped in under two minutes (XP - 8.1), Windows XP password protection is a joke
  • -1 Hide
    juan83 , October 6, 2013 7:15 PM
    Hahahaha, how much does this new Windows OS cost?
  • 1 Hide
    husker , October 7, 2013 2:58 PM
    The windows password is not meant to be the final word in security. It is simply a "reasonable" attempt to keep prying eyes out of your stuff. Just like the lock on your front door is a reasonable attempt at keeping burglars out, they can always break a window (ha!) and get in. There are many other options you can pay for to suit your higher security needs.
  • 1 Hide
    Solandri , October 7, 2013 3:34 PM
    Quote:
    I find it rather silly to first use 800 subjects to study their patterns and then execute ill intent conclusions.

    This is one of the counter-intuitive results of the math behind statistics. The accuracy of a sample depends only on the sample size, not the size of the sample relative to the population (for populations substantially larger than the sample).
    http://en.wikipedia.org/wiki/Margin_of_error

    A sample size of 800 gives you a 4.5% margin of error with a 99% confidence interval. That is, you can be 99% sure that the occurrence of a behavior in the general population is within 4.5% of the rate it occurs in the sample of 800. If 60% of the 800 people were choosing these areas of the picture, then you can be 99% sure that 55.5% - 64.5% of the general population is doing the same thing.