Recently during the USENIX Security Symposium, researchers from Arizona State University, Delaware State University and GFS Technology Inc. presented "On the Security of Picture Gesture Authentication," a paper (pdf) showing that most unique picture password gestures used in Windows 8 aren't quite so unique. In fact, it may not really matter what picture the Windows 8 account holder uses: the login screen can still be easily bypassed.
"Based on the findings of our user studies, we also propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system," the paper states. "Our approach is based on the concept of selection function that models users' password selection processes. Our evaluation results show the proposed approach could crack a considerable portion of collected picture passwords under different settings."
Through online studies, the researchers analyzed picture gesture authentication on more than 10,000 picture passwords collected from over 800 subjects. They found that one of the most common patterns was a photo of a person with three taps on the face, one of them landing on the eyes. The study also found that users would rather upload one of their own photos than use an image provided by Microsoft.
The study determined that there is a relationship between the background images and the user's identity, personality or interests. Images used in the study ranged from celebrity wallpapers to in-game screenshots, but most users chose pictures of people. Around 60 percent of the users surveyed selected areas on the image where "special objects" were located. Of these, eyes were the most frequently used area, followed by the nose, hand or finger, jaw and face.
"It is obvious that pictures with personally identifiable information may leak personal information," the paper states. "However, it is less obvious that even pictures with no personally identifiable information may provide some clues which may reveal the identity or persona of a device owner. Traditional text-based password does not have this concern as long as the password is kept secure."
At the end of the study, the researchers had gathered enough evidence to develop an attack framework capable of cracking passwords on previously unseen pictures in a picture gesture authentication system. The researchers want this framework to serve as a picture password strength meter so that users can better protect their systems. Microsoft could impose a "no three-tap" rule to push users toward stronger tap-based passwords, but the researchers noted that such rule-based policies have typically proved ineffective for traditional text-based passwords.
"The cornerstone of accurate strength measurement is to quantify the strength of a password," the paper states. "With a ranked password dictionary, our framework, as the first potential picture-password-strength meter, is capable of quantifying the strength of selected picture passwords. More intuitively, a user could be informed of the potential number of guesses for breaking a selected password through executing our attack framework."
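The strength-meter idea in the two paragraphs above (a selection function over points of interest, a ranked candidate dictionary built from it, and strength reported as the number of guesses needed to reach a given password) can be illustrated with a small toy model. The code below is an added example written for this article; it is not the researchers' framework, and the point-of-interest names, the tap counts used as the selection function, and the assumption that taps are chosen independently are all constructed for illustration. It also includes the hypothetical "no three-tap" policy check mentioned in the previous paragraph.

```python
"""Toy picture-password strength meter (added example, not the paper's code).

Models the idea described in the article: a selection function over points
of interest (PoIs) yields a ranked candidate dictionary, and the strength of
a chosen password is the number of guesses needed to reach it in that order.
"""
from itertools import product
from math import log2

# Constructed selection function: how often each PoI was tapped in an
# imaginary user study. Integers (not floats) keep products exact so that
# equally likely sequences tie exactly and are ordered deterministically.
# The ordering loosely follows the article (eyes, then nose, hand, jaw).
POI_TAP_COUNTS = {
    "left_eye": 28,
    "right_eye": 27,
    "nose": 18,
    "hand": 12,
    "jaw": 9,
    "background": 6,
}

GESTURE_COUNT = 3  # a Windows 8 picture password is a sequence of three gestures

# A gesture is represented as (kind, target), e.g. ("tap", "nose").
# Only taps are modelled in the dictionary below; circles and lines are
# outside this toy model and therefore never appear in it.


def tap(target):
    """Convenience constructor for a tap gesture on a PoI."""
    return ("tap", target)


def ranked_dictionary(counts=POI_TAP_COUNTS, length=GESTURE_COUNT):
    """Enumerate every tap sequence over the PoIs, most likely first.

    Assumes taps are chosen independently, so the score of a sequence is
    the product of the per-PoI counts. Ties are broken by sorting the
    sequence itself, which makes the order stable across runs.
    """
    scored = []
    for targets in product(counts, repeat=length):
        score = 1
        for target in targets:
            score *= counts[target]
        scored.append((score, tuple(tap(t) for t in targets)))
    scored.sort(key=lambda item: (-item[0], item[1]))
    return [seq for _, seq in scored]


def guesses_to_crack(password, dictionary):
    """1-based position of the password in the ranked dictionary.

    This is the number of guesses a guesser following that order would
    need. A password the dictionary does not model (e.g. one containing a
    circle) is reported as one past the end: the meter cannot rank it.
    """
    try:
        return dictionary.index(tuple(password)) + 1
    except ValueError:
        return len(dictionary) + 1


def strength_bits(guesses):
    """Guess count expressed on a log2 scale, like a bit-strength estimate."""
    return log2(guesses)


def violates_three_tap_rule(password):
    """Hypothetical 'no three-tap' policy from the article: reject passwords
    made entirely of taps (no circle or line gesture at all)."""
    return all(kind == "tap" for kind, _ in password)


if __name__ == "__main__":
    dictionary = ranked_dictionary()
    chosen = [tap("left_eye"), tap("right_eye"), tap("nose")]
    guesses = guesses_to_crack(chosen, dictionary)
    print(f"candidates modelled: {len(dictionary)}")
    print(f"guesses needed: {guesses} (~{strength_bits(guesses):.1f} bits)")
    print(f"violates no-three-tap rule: {violates_three_tap_rule(chosen)}")
```

In this toy model the three-tap "eye, eye, nose" password is found on the 13th guess out of 216 candidates, while the same meter reports a password containing a circle as unrankable, which is the caveat a deployed meter would have to address: its estimate is only as good as the gestures and selection behaviour its dictionary models.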
To read the full paper, check out the pdf document here.