We are constantly told that, when creating new online accounts, we should take the time to generate passwords that cannot be easily guessed. However, many people don"t heed this advice and create passwords that are simple and commonly used. Of course even with a secure password, attackers can target the backend database or steal keystrokes from your PC, making the password worthless.
In 2011, Microsoft announced it had come up with a way to use a combination of images and touchscreen gestures to create a password system for accessing Windows 8. Microsoft said that it would be far more secure than PIN numbers or passwords because users would have a potential of 1,155,509,083 different ways to touch an image via taps, circles and lines.
That sounds like an ideal security system, but a recent research paper now claims many picture passwords in Windows 8 can be cracked. As with character-based passwords, the method to figure out a picture and gesture code is due to the fact that many people create patterns that are easy to discover.
The study was created by researchers from Arizona State University, Delaware State University and GFS Technology Inc. for the USENIX Security Symposium. The study found that many Windows 8 users upload their own photo for use in the picture password system and then come up with touchscreen gestures that center on objects in the image that stand out, such as a nose, mouth or eye if a person is in the picture.
The researchers polled 685 Windows 8 users and asked them to create gesture combinations for passwords with two different pictures. 60.3 percent of the participants said they used "special objects" in the images to map out their gestures. Only 9.8 percent of those polled indicated they created gestures that had nothing to do with what what was seen in their images.
Based on what the study participants indicated, the researchers then created an algorithm and attack system for picture passwords in Windows 8. The team claims they were able to crack 48 percent of those passwords based on their system. They suggest that Microsoft come up with a picture password strength meter that could be used to help Windows 8 owners make more complex patterns that cannot be repeated quickly by hackers.
Source: USENIX Security Symposium via Network World | Image via Microsoft