Skip to main content

How You Can Log Into Windows 8 by Touching Pictures

With new login methods such as Face Unlock or the pattern from Android, typing in a password seems so last-decade. Microsoft feels the same way and will be adding a new way to log into Windows 8.

Microsoft's Jeff Johnson, the Director of Development for the User Experience team, followed up on this with a blog post on the B8 blog with some recommendations for best practices for those who plan to use this login method:

  • Pick a photo that has at least 10 points of interest. A point of interest is an area that can serve as a landmark for a gesture – a point that you would touch, places you would connect with a line, an area you would circle.
  • Use a random mixture of gesture types and sequence. While a line is the gesture that has the most permutations, if you always use 3 lines, that actually makes it easier for an attacker, as they can rule out trying sequences with the other gesture types.
  • If you choose to use a tap, a line, and a circle, randomly choose the order of those gestures; this creates 6 times the number of combinations as a predictable order.
  • For circle gestures, randomly choose whether you draw it clockwise or counterclockwise. Also consider making the size of the circle bigger or smaller than the “expected” size.
  • For line gestures, your instinct may be to always draw from left to right, but it is more secure if you randomly choose the direction with which you connect the two points.
  • As with all forms of authentication, when entering your picture password, avoid allowing other people to watch you as you sign in.
  • Keep your computer in a secure location where unauthorized people do not have physical access to it.  As with any password entry, be aware of line of sight and potential recording devices that intrude on your screen.
  • Be aware that smudges on the screen could potentially identify your gestures. Clean your screen thoroughly on a regular basis. Although this increases the risk if you clean, sign in, and then do nothing, the buildup of oils from repeated use is generally easier for an attacker to see (plus, who likes using an oily device?). Note that buildup is more of an issue for entering numeric PINs, when the device is frequently turned on and off and you enter the sequence dozens of times a day (oils can build up in those locations). Periodically look at your screen at an oblique angle while on the picture password login screen and see if there appears to be a pattern pointing to your gesture sequence. If so, either clean your screen or add a handful of additional smudges in the picture password area (which effectively increases the POIs discussed below
     

Be sure to hit the full post for an in-depth analysis regarding the different security considerations that Microsoft is currently making with Windows 8.

Marcus Yam
Marcus Yam served as Tom's Hardware News Director during 2008-2014. He entered tech media in the late 90s and fondly remembers the days when an overclocked Celeron 300A and Voodoo2 SLI comprised a gaming rig with the ultimate street cred.
  • keyanf
    So instead of hearing about people being "hacked" because they used the same "password" password for everything, what will we hear?

    I'm guessing porn picture+10 taps of the vagina.
    Reply
  • Target3
    I'm not 'upgrading' to Windows 8. Lol
    Reply
  • elbert
    I think this is a bit odd. I would rather have a recorded face recognition matching while saying a pass phrase. This would work to allow admins direct access to any account depending on which pass phrase they use. All this would require is a simple 20 sec pre recorded clip of you saying the phrase for a match.
    Reply
  • math1337
    How about logging in with a password?
    Reply
  • nforce4max
    Great maybe one of my chickens can be trained to use Win8 lol. Being in the networking and security field this is a huge risk and isn't worth it. Even if it is tablets they still can hold sensitive data that can be stolen and used such as company records or personal info like SSN or credit card #.
    Reply
  • someone please stop those idiots! windows 8 development it's getting out of control!!!
    Reply
  • innovate! find a way for windows to stop crashing, get rid of BSoD once and for all; don't find another 100 ways for us to sign in...morons!!!
    Reply
  • cookoy
    A simple popup virtual keyboard would do.
    Reply
  • synth0
    I think that's a nice feature. The guys who have 'security problems' probably forgot that most people don't use a password login at all on Windows. Even less people have a password on a tablet.
    Reply
  • bvsbutthd101
    I have a great idea. Lets use a device that has a bunch of letters and commands on it and maybe we'll call it a keyboard. Than in the choose password section we can type out the password we want. Perfect solution. I'm a freakin genius!!!!!
    Reply