In a bid to improve security and speed
up logins, Microsoft is to give Windows 8 picture passwords. Tim Greene and
Carrie-Ann Skinner find out more
Windows 8, which is expected to launch in
public beta imminently, will allow PC users to log in using picture passwords.
You’ll be able to select any image from your gallery, then specify a gesture to
authenticate secure login. In our image, for example, login requires the user
to tap the mother’s nose, circle anticlockwise around the father’s head, then
draw a line from one sister’s nose to the other.
“When we started the process of designing
picture passwords, we knew that we wanted a sign-in method that was fast, fluid
and personal to each and every user, but still had a robust security promise,”
said Zach Pace, a Windows program manager.
“You get to decide the content of the
picture, and you can choose a picture that is important to you, just like many
people do on their phone lock screen.”
Traditional login authentication causes
security issues as many users choose easy to remember and therefore, guess
passwords. Alphanumeric passwords are stronger, but vulnerable to key-logging,
where malware records and reproduces a user’s keystrokes. Microsoft hopes its
picture passwords will alleviate this security concern.
A one tap login is relatively insecure,
given that frid overlay has only 270 possible touch points, but using eight
taps increases the number of possible combinations to more than 13 quadrillion.
Circles are even more complex, with seven circles providing one quintillion
“Someone trying to reproduce your picture
password needs to know not only the parts of the image you highlighted and the
order in which you did it, but also the direction and start and end pints of
the circles and lines that you drew,” said Pace.
Microsoft claims that its picture passwords
will also speed up logins. With three gestures, a picture password takes less
than four seconds to enter but can still provide more than one trillion
combinations, compared with 81,120 for character-based, and 1,000 for numeric
“We believe we’ve hit on a method of
singing in that’s secure but also a lot of fun to use. We love picture password
and the additional personal flavour it brings to windows 8,” said Pace.
Not everyone is enthused, however.
According to the inventor of RSA’s SeurID token, Kenneth Weiss, picture
passwords are “cute”, but don’t offer serious security.
Weiss said the major down side of picture
passwords is that drawing a pattern across a photo is easy to record from a
distance, and therefore relatively easy to compromise. Alphanumeric passwords
get around this problem by starring out the characters onscreen as you type.
That Microsoft will also allow a traditional password login for Windows 8 is
perhaps an acknowledgement of this shortcoming, he said.
Other problems include backing up the touch
pattern that is the login. “To put down a description of the sequence is
possible, but that’s a lot of writing,” Weiss said. “It’s more like a
Fisher-Price toy than a serious choice for secure computer access.”
Still, it’s better than nothing, admitted
Weiss, and will raise login security awareness.
What to expect
Describes as a “reimagining of Windows from
the chipset to the experience”, Microsoft’s forthcoming OS boasts a dual
interface that’s suitable for both keyboard/mouse and touchscreen input. The
traditional Windows desktop is joined by the new Metro interface, which borrows
heavily from Windows Phone 7 with a series of tiles that link to apps or can
the two using the Start button.
For the first time, Windows will also
include an integrated app store, known as the Windows Store, where Metro apps
and traditional desktop software can be purchased. Microsoft has confirmed that
windows 8 will run on ARM-powered devices, and its Metro-based apps will also
be compatible. The desktop programs will not work on these devices, however.
Microsoft claims a Windows 8 PC will go
from powered down to the Start screen in less than 10 seconds. This speedy boot
is thanks to a system that mixes processes used in cold boots and hibernation
“We took everything that was really great
about Windows 7 and we made it even better in Windows 8,” said Steven Sinofsky,
president of the Windows division.