22

The final Windows 8 build has been released to manufacturing. One of the new features of Windows 8 is "Picture Password", where the end user logs on to Windows by clicking a specific pattern on the lock screen. (For readers unfamiliar with the feature, this 4-minute video illustrates it.)

  • From a pure security standpoint, what are the pros and cons of a picture password scheme versus traditional password entry?

  • Is there a rough approximation to how picture password 'clicks', 'circles' and 'lines' correspond to password length, i.e. how many bits of entropy do the picture password gestures roughly provide?

  • 4
    The biggest issue with this I can think of is the same as with traditional passwords: user predictability. As with weak passwords, users might have the tendency to use obvious patterns when choosing the three gestures. –  Sep 15 '12 at 07:56

4 Answers

17

Potential weakness: predictable passwords. I expect the primary weakness is likely to be that users choose a "picture password" that is guessable or predictable. If the user chooses a predictable set of locations/gestures, someone may be able to guess the "picture password".

For Microsoft's evaluation of their own design, you should read this Microsoft blog post on the security of Windows Picture Password. They provide some simple calculations to estimate the strength of a picture password, and to estimate how many bits of entropy they provide. However, I think their security analysis is overly optimistic, because they make several dubious assumptions:

  • First, they assume that all locations in the image are equally likely to be chosen by the user. I think this is unrealistic; for any given photo, I think some locations are more likely to be picked than others, and it will be predictable which locations are more likely to be picked. Someone is probably more likely to choose some unique feature in the picture, not a random location in the middle of a broad expanse of blue sky. For instance, in the video you shared, the user chose to tap on the location of a window in the image.

  • Second, they assume that the location of the user's three gestures are all chosen independently. In practice, I don't think this is realistic; I think there will often be some pattern. For instance, in the video you shared, the user chose to tap on three windows in sequence. If you've guessed that the first tap location is over a window, then it would be natural to guess that maybe the next two are on some other windows, too.

  • Third, they assume that users will use a combination of taps, circles, and lines. (They have three kinds of gestures: tap on a specific location, circle around a particular location with some radius, or drag your finger in a line from one location to another location.) However, tapping is the quickest and easiest and most natural of these gestures. Therefore, I would suspect that many users will just tap on three locations, and not bother with the other gestures. At the same time, tapping has the weakest security, because of the limited number of locations on the picture that someone is likely to select. Therefore, I think some of Microsoft's calculations about security level may be based upon a somewhat optimistic view, and users may not behave the way they are assuming.

As a result, I suspect that the entropy of picture passwords might be significantly lower than the estimates found in those Microsoft blog posts.

Microsoft has a follow-up blog post where they give advice to users on how to choose a hard-to-guess picture password, but I'm not persuaded that the average user will be aware of this or will bother.

That said, Microsoft has deployed one very significant defense against guessing attacks: you only get 5 tries to enter the picture password. After 5 tries, the system locks you out and requires you to enter the textual password. Therefore, someone who gets ahold of your phone will only get 5 tries to guess your picture password -- and if they don't get it right within 5 guesses, they're done. If implemented properly, this seems like a powerful and effective defense against guessing attacks.

Potential weakness: the weakest-link effect. There are now two ways to log into your account: either enter the text password, or enter the picture password. If an attacker can guess either one, he can get access to your account. Therefore, your security is only as good as the weaker of those two passwords. To be secure, both of them need to be well-chosen. This might trip some users up.

Potential weakness: smudge attacks. Suppose someone gets ahold of your phone. Another way they could try to guess your picture password is by looking at the pattern of smudge marks on the screen left by your finger oils.

Past research has looked at smudge marks, in the context of phone lock screens. They found that this attack can be surprisingly effective. If you hold the phone at just the right angle to the light, you can often see the smudge marks clearly. And if they use a digital camera to take a picture at the right angle, the smudge marks become even clearer. Amazingly, they found that the smudge marks remained clearly visible even if the user put the phone in their pocket -- you might expect this would wipe the fingerprints off, but nope, they still remained visible!

The research is described in the following paper:

While I haven't seen any work on this in the context of Windows picture passwords, I would expect that similar methods might help an attacker guess the picture password and significantly reduce the entropy in the password. Fortunately, the attacker only gets 5 guesses, which should help make smudge attacks harder.

For instance, suppose the attacker gets lucky and there are only 3 smudge marks on the screen. Then there are 3! = 3·2·1 = 6 possible re-orderings of these. The attacker gets 5 tries to guess the picture password. So, in this scenario, the attacker has a 5/6 chance of guessing the picture password correctly before being locked out. That said, this is almost the best possible case for the attacker, and in practice, the attack will likely be harder to mount, because the attacker will have to guess which of the smudges come from the picture password and which ones come from other use of the touchscreen.

As a lower-tech and more-extreme version of this attack, consider the following photograph of a PIN-entry keypad:

[Image: keypad with wear pattern]

Can you guess the PIN, based upon the wear pattern on the keys? Yes, very good, I knew you could!

Potential weakness: shoulder surfing. Another possible attack is that, if someone is looking over your shoulder when you log in, they will find it very easy to notice where you are tapping. In fact, it will be hard not to notice the picture password being entered. So, entering your picture password while you are in view of someone else is not safe.

Advantage: convenience. I expect the picture password to be easier for users to use and more convenient. Right now, all of the methods for authenticating on mobile/touchscreen devices are a pain in the butt. Entering a text password on a touchscreen keypad is a horrible experience, which just drives users to choose poor, short passwords -- and that's not good for security. So, I expect picture passwords will be good for users.

Advantage: no worse than the alternatives. Right now, on mobile platforms, the main alternatives are asking the user to enter a 4-digit PIN or asking the user to use an unlock gesture, as is done on Android or the iPhone. However, those have their own security weaknesses as well, and they may be no better than the Windows picture password. Therefore, for mobile platforms, the Windows picture password may represent a pragmatic and reasonable tradeoff between ease of use and security, one that is sufficient for the average user.

Conclusion and takeaways. My personal impression is: it seems like a plausible scheme, one that might be adequate for many or most users. Overall, it feels like a pragmatic choice to me, given the engineering constraints -- I would be hard-pressed to try to come up with something better. However, it is a new scheme, and more research will be needed to better understand how secure it is, in practice. The security of the scheme will depend heavily upon how users use it, and it's probably too early to say whether it will work well for typical users or not.

Related schemes. To read about other schemes for authentication on mobile or touchscreen devices, see Are the iPhone “connect the dots” passwords secure? and Is Android's Password Screen Lock Enough Data Theft Protection?.

Glorfindel
D.W.
  • 1
    One good point to note: If the malicious user has physical access to your phone/tablet/laptop for long enough a time, no password protection mechanism is going to keep him out. –  Sep 15 '12 at 12:17
  • 1
    Does the picture password login mechanism work for network logins? –  Sep 15 '12 at 12:17
  • Might also be easier to learn from the database behind the scenes, also how are they using it with it being compatible with EFS etc. Are they doing what the fingerprint readers do and storing a traditional user password elsewhere in plaintext? – ewanm89 Sep 15 '12 at 14:28
  • 1
    For your **Advantage: no worse than the alternatives** bit, I partly disagree. It may be true for tablets and other iDevice-type systems, but it is not true for desktops that have a full and easily touch-typeable keyboard available. These sorts of passwords will be *much* easier to casually shoulder-surf in one pass, than a password entered by an experienced typist on a keyboard. – Iszi Sep 17 '12 at 18:08
  • Hey, good point, @Iszi! I've edited it to say that this applies only to mobile platforms. Thank you for pointing that out. – D.W. Sep 17 '12 at 18:52
  • Good answer. I was guessing someone would mention smudge attacks. For shoulder surfing, I think the user doesn't necessarily need to be over your shoulder. If someone is opposite you, depending on the picture, it could be easier to guess than you'd think. It's the same with a pin lock on a phone like the iPhone's one, you necessarily have to see their screen when they're typing it to know what it is – Adam Lynch Sep 19 '12 at 17:45
  • don't necessarily* – Adam Lynch Sep 20 '12 at 10:18
4

@D.W. has posted a great analysis here, so I'll just follow up by expanding on a concern I noted in comments. (Post-intro edit: Looks like I went a bit further than I'd intended. In any case, I hope this is all useful to you. If you want the really short version, jump to the end.)

For the most part a Windows 8 picture password is probably "no worse than the alternatives" as he says, but this needs to be brought into a particular scope and perspective. For smartphones, tablets, and other devices with a touch screen as the only user interface, the alternatives are all fairly poor in just about all the same ways a Windows 8 picture password would be - with one exception, but we may as well not even acknowledge that since the majority of users won't choose it.

For touch-only interfaces, you usually have one or more of the following options:

  • Numeric password
  • Grid-based gesture password
  • Windows 8 picture password
  • Full ASCII password via on-screen keyboard

Let's just put aside the full ASCII password because probably 99+ percent of the population will ignore this option. On-screen keyboards are painful enough for writing when you need them as it is, so most people would rather not even think about using them every time they want to unlock their device. Even if they did, they'll be very much more likely to choose a low-entropy password, consisting of just a handful of lowercase letters, than they would consider a more proper password which is longer and has higher complexity.

Taking that out of the equation, it's a little hard to decide which of the non-Windows 8 proprietary passwords would be weakest. The prime vulnerability in a numeric password, that sets it mostly apart from the others, is due to many users' habits of choosing common elements for their "PINs". If the password isn't "the kind of thing an idiot would have on his luggage", it is often derived from the user's home address, birthday, favorite athlete's jersey number, anniversary, or other things that could be predicted through social engineering.

Quite nearly as vulnerable, if not worse in some respects, would be the grid-based gesture password. This is again because users will tend towards fairly common gestures which are focused more towards ease of use than they are security. Perhaps even worse might be that they would choose a gesture that is an apparent representation of the likely-weak numeric password they would have chosen for the former option. A system that permits a single gesture to unlock it is also fairly weak because smudge observations can easily reveal the apparent start and end points of the gesture, as well as the path that must be followed - instantly narrowing the field of necessary guesses to two at most.

Then, we have the Windows 8 picture password. Since the picture is user-selectable, it's easy to pick one that does not have the convenient option of being correlated to a PIN pad. So, these passwords are much less likely to be based off of the weak numeric passwords we've all come to know and hate. (Or love, if you're on the attacking end.) They also require multiple gestures which means, in comparison to the grid-based gesture password, it's a bit more difficult to reliably guess the sequence in which gestures must be performed. Of course, this relies in part on the user choosing a password that does not present an obvious sequence upon smudge observation.

All of the above, excluding the on-screen keyboard as I've mentioned, are still more or less very vulnerable to two very effective attacks:

  • Smudge observation
  • Shoulder-surfing

As I've said, the vulnerability to smudge observation varies between methods and also does rely in part on the user's password choice. While it is likely the Windows 8 picture password is more resistant to this sort of attack than the single-gesture, grid-based password, it may be nearly on equal grounds with a numeric password of equal length.

All of these systems are pretty much equally vulnerable to shoulder surfing. However, on most touch-screen-only devices, shoulder surfing generally requires a rather obvious and uncomfortable invasion of personal space - something the victim is likely to be aware and conscious of, and can easily take additional measures to prevent where necessary.

However, this is where scoping of the analysis matters. Windows 8, though it may often seem otherwise, is not just for mobile, touch-screen-only platforms. Consequently, the picture password is also not limited to these devices. It may also be used on more traditional desktop devices, with a keyboard and mouse and a much larger screen.

In these scenarios, the Windows 8 picture password and grid-based gesture passwords should not ever be considered. Why? Because they offer no mechanism by which authenticator feedback can be even partially obscured to shoulder-surfers, while the availability of a keyboard makes options which do allow for this to be easily feasible. Then, once you consider that you've got the full set of ASCII characters readily and comfortably available at your fingertips, you should just toss out numeric-only passwords as well.

What's so critical about a physical keyboard? It facilitates touch-typing, and more and more people are getting good at it. And when you can touch-type, you don't need to ever see any parts of your password on-screen like you do with the other systems. Also, when you have touch-typing available, it is much easier and more comfortable to create longer and more complex passwords. A decent touch typist can enter in a reasonably long password quickly enough and with such little finger movement that a casual observer would have a rather hard time accurately capturing it in one pass.

With the gesture-based passwords (grid or picture), your entire password is effectively displayed on your computer screen as you enter it. This is exactly what the little dots and asterisks in most typed-password form fields are meant to prevent. When someone looking at your screen from a moderate distance can see your password there as you enter it, and when the password is something as memorable as simple gestures or patterns (Simon, anyone?), you may as well be sharing it with everyone who sits next to you when you unlock your computer.

TL;DR: While the Windows 8 picture password may actually be the better option (how much better, still being a topic of debate) for mobile devices, stick with the physical keyboard for systems that have one. If you want to do one better, add multi-factor authentication.

Iszi
-1

Bits of Entropy

I found this question while searching for the number of bits of entropy provided by the picture password. Entropy is a fancy word for randomness, and the security of digital protection is usually measured by counting them, meaning how many binary elements must be correctly specified to unlock the protection. For example, if you are allowed to use only 0 and 1 as the characters in your password, its length is also its entropy. For the math nerds out there, the entropy of a password is the log using base 2 of the number of possible passwords. Conveniently, this tells you how many times you have to double the amount of time it takes to make a guess to end up with the amount of time it takes to try all possible passwords (also called "brute-forcing" the password, although you stop when you succeed, so brute forcing takes, on average, half that long).

So How Many is the Picture Password?

DW says "you should read this Microsoft blog post on the security of Windows Picture Password." In that post we find

"As you can see, the use of three gestures provides a significant number of unique gesture combinations and a similar security promise to a password of 5 or 6 randomly chosen characters."

That text appears below a table where the number of unique 3-gesture picture passwords is listed as 1,155,509,083. This is about 30 bits of entropy, assuming you really use random gestures rather than features of the picture to choose where to make them. If you do use features, you limit the search space for an attacker, as DW pointed out.

schroeder
Dave Scotese
  • Please provide additional details in your answer. As it's currently written, it's hard to understand your solution. – Community Aug 28 '21 at 23:30
  • The story of how people found any thread is usually not relevant. It doesn't add to the *answer*. The intro didn't add any context because your antecedents didn't match up. Your intro provided no antecedents to what "about 1.1 billion" meant. A strict reading meant it was "about 1.1 billion bits of entropy" which of course couldn't be correct. – schroeder Aug 30 '21 at 06:54
  • How do you get "30 bits of entropy" from "1,155,509,083"? What is "1,155,509,083" exactly? – schroeder Aug 30 '21 at 07:25
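The two numbers in this thread (D.W.'s 3! = 6 smudge orderings against the 5-try lockout, and the roughly 30 bits from Microsoft's 1,155,509,083 combinations) put into one small model. This is an added example, not code from any of the answers or from Microsoft; it generalizes the smudge case to k visible marks under the assumption (mine, not the thread's) that every gesture is a tap on one of those marks.

```python
import math

# Figures quoted in the thread: Microsoft's count of unique three-gesture
# picture passwords, the five-try lockout, and three gestures per password.
UNIQUE_3_GESTURE_PASSWORDS = 1_155_509_083
LOCKOUT_TRIES = 5
GESTURES_PER_PASSWORD = 3


def entropy_bits(search_space: int) -> float:
    """Bits of entropy of a uniformly chosen secret: log2 of the candidate count."""
    if search_space < 1:
        raise ValueError("search space must contain at least one candidate")
    return math.log2(search_space)


def guess_success_probability(search_space: int, tries: int = LOCKOUT_TRIES) -> float:
    """Chance that an attacker trying distinct candidates hits the secret
    before the lockout. With `tries` >= `search_space` success is certain."""
    if search_space < 1 or tries < 0:
        raise ValueError("need a positive search space and non-negative tries")
    return min(1.0, tries / search_space)


def smudge_candidates(marks: int, gestures: int = GESTURES_PER_PASSWORD) -> int:
    """Ordered tap sequences consistent with `marks` visible smudges, assuming
    every gesture is a tap on one of those marks: k!/(k-g)! ordered selections.
    For marks == gestures this is the g! re-orderings from D.W.'s answer."""
    if marks < gestures:
        return 0  # fewer smudges than taps: the trace cannot be the password
    return math.perm(marks, gestures)


def smudge_attack_odds(marks: int) -> dict:
    """Residual search space, its entropy, and the 5-try success chance for a
    smudge-informed attacker who sees `marks` smudges (constructed model)."""
    n = smudge_candidates(marks)
    return {
        "marks": marks,
        "candidates": n,
        "bits": entropy_bits(n) if n else 0.0,
        "p_success": guess_success_probability(n) if n else 0.0,
    }


if __name__ == "__main__":
    print(f"Uniformly random 3-gesture password: "
          f"{entropy_bits(UNIQUE_3_GESTURE_PASSWORDS):.1f} bits, "
          f"P(success in {LOCKOUT_TRIES} tries) = "
          f"{guess_success_probability(UNIQUE_3_GESTURE_PASSWORDS):.2e}")
    for k in range(3, 9):  # 3 marks is the best case for the attacker
        odds = smudge_attack_odds(k)
        print(f"{k} smudges -> {odds['candidates']:4d} candidates, "
              f"{odds['bits']:4.1f} bits, P(success) = {odds['p_success']:.3f}")
```

The table makes the lockout's value visible: with exactly three clean smudges the attacker succeeds 5 times in 6, but every extra unrelated smudge multiplies the candidate set, and by six marks the 5-try cap already holds success below 5%.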
-2

There is a security flaw with the Picture Password. After switching your login method to Picture Password, Windows 8 will then store your Picture Password as well as your regular user password using reversible encryption algorithms. Using the freeware Mimikatz, you can decrypt the Picture Password in no time.


user44454
  • https://www.symantec.com/security_response/writeup.jsp?docid=2012-042615-3731-99&tabid=2 – Deer Hunter Apr 13 '14 at 14:37
  • Factually incorrect since storage is in reversibly encrypted form, not in plain text. – Deer Hunter Apr 13 '14 at 14:40
  • Hi Deer! You're right. Picture password is encrypted with the algorithms that can be turned back into the original plain-text password. It makes this type of sign-in option more vulnerable than a regular local account. – user44454 Apr 14 '14 at 02:52