Optimizing picture password security

We wanted to talk a bit more about the security of picture passwords in a follow-up post based on some of your comments. Jeff Johnson, the Director of Development for the User Experience team, is particularly interested in the math and security of this feature and authored this post on how to optimize the security of the picture password. Since this is a new form of logging on, and given concerns over security (especially with mobile devices) as well as new authentication techniques (fragility of facial recognition, for example, or the challenges we've seen with biometrics), it is no surprise folks took to thinking about potential pitfalls in the approach. Our goal was to provide a convenient mechanism that was clearly no less secure than text passwords (all that math Jeff provided). Below Jeff talks about why this is a robust solution in general. Keep in mind in reading this that over the years many "best practices" have been established for typed passwords (policies such as numbers+letters+mixed case, length, inability to recycle passwords, no dictionary words, etc.) as well as important cautions (such as avoiding public internet terminals with potential for overhead cameras or keystroke loggers) -- these types of practices all have analogs in the use of picture password as you can imagine. Jeff outlines some of these and the logic behind the security of the model. --Steven


A question we’ve been asked several times in one way or another is “I care about keeping my machine secure; what are the best practices for creating the most secure sequence of login gestures?” This leads to an interesting (at least to me, as a math guy) analysis. It involves game theory, but first I’ll distill it down to the following best practices.

  • Pick a photo that has at least 10 points of interest. A point of interest is an area that can serve as a landmark for a gesture – a point that you would touch, places you would connect with a line, an area you would circle.
  • Use a random mixture of gesture types and sequence. While a line is the gesture that has the most permutations, if you always use 3 lines, that actually makes it easier for an attacker, as they can rule out trying sequences with the other gesture types.
  • If you choose to use a tap, a line, and a circle, randomly choose the order of those gestures; this creates 6 times the number of combinations as a predictable order.
  • For circle gestures, randomly choose whether you draw it clockwise or counterclockwise. Also consider making the size of the circle bigger or smaller than the “expected” size.
  • For line gestures, your instinct may be to always draw from left to right, but it is more secure if you randomly choose the direction with which you connect the two points.
  • As with all forms of authentication, when entering your picture password, avoid allowing other people to watch you as you sign in.
  • Keep your computer in a secure location where unauthorized people do not have physical access to it.  As with any password entry, be aware of line of sight and potential recording devices that intrude on your screen.
  • Be aware that smudges on the screen could potentially identify your gestures. Clean your screen thoroughly on a regular basis. Although this increases the risk if you clean, sign in, and then do nothing, the buildup of oils from repeated use is generally easier for an attacker to see (plus, who likes using an oily device?). Note that buildup is more of an issue for entering numeric PINs, when the device is frequently turned on and off and you enter the sequence dozens of times a day (oils can build up in those locations). Periodically look at your screen at an oblique angle while on the picture password login screen and see if there appears to be a pattern pointing to your gesture sequence. If so, either clean your screen or add a handful of additional smudges in the picture password area (which effectively increases the POIs discussed below).

If you follow these tips, you will substantially increase the security of your computer.

As several comments suggested, we also considered shrinking the size of the image and displaying it at random positions and slight rotations on the screen to minimize any risk from smudges.  We knew from usability feedback that decreasing the size of the image both increased the difficulty of properly entering the gesture and made the login experience feel less immersive; however, if there were a significant improvement to security, we wanted to consider the costs and benefits.  What we discovered was that while shifting the image could reduce the buildup of smudges in specific spots, there were even more prominent “clouds” of taps, lines and circles that were identical relative to each other.  With this information, an attacker could easily figure out the gestures relative to each other, and it was then a simple exercise to move them around the picture until they appeared to coincide with significant elements of the picture.  There wasn’t a noticeable improvement in security and we were able to measure significant degradations to the fast and fluid user experience.

In reality, using smudges is very difficult.  When we took tablets that had been used for a number of days by folks, there were typically too many smudges to even begin to deduce their gesture set.  Even when we were given their login sequence and knew what to look for we had limited success.  We included this analysis because we feel it is important that, whenever an innovative new technology is introduced, potential attack vectors are disclosed so that the technical community can reach a general consensus on the degree of a threat and its potential mitigations.  Of course we also have confidence that screen technologies will continue to improve and smudges will someday seem quaint.

The analysis

It is also interesting to compute the odds of an attack succeeding in various scenarios. As discussed in the previous blog post, gestures are based on a 100 x 100 grid, giving even the simplest gesture (the tap) a potential of 10,000 values (given proximity matching, this number is effectively reduced to 270). In reality, the number of points of interest (POI) is much lower than that – there are only so many memorable locations in a given photograph.

Although there are other ways to structure an analysis, for the purposes of this discussion we will assume that there are a small number of POIs, and all gestures involve only those points. We assume that taps are directly on a POI, circles only come in two sizes (say, small around the point, and larger around the point) and two directions (clockwise and counterclockwise), and lines always connect two POIs. Because this isn’t strictly true, the number of permutations is actually even greater.

Windows provides additional protection for picture passwords (and PINs) by disabling the login mechanism after 5 incorrect tries (you then have to use your conventional password). With this in mind, it is interesting for a given scenario to frame the relative security in two ways.

First, what are the odds that an attacker with full knowledge of your gesture selection methodology would be able to sign in to your machine before the lockout is triggered? We will refer to this as Odds1. If there are x equally likely gesture sequences, then the odds of guessing it in five tries before lockout are 5/x.

The second interesting view is to assume you were given 100 machines, each with a password picked randomly according to the rules of the scenario (we will refer to this as Odds100). What are the odds that an attacker could log in to at least one of those machines? Since these are independent events, the odds of this are:
  1 - ((x - 5)/x)^100.

Base scenario

Let’s assume a horribly insecure scenario: Your “picture” is entirely black with a single white dot in the middle of it. Because there is only one POI, only the tap and circle gesture can be used (there is nowhere to connect a line to). Obviously, if I used only the tap gesture, an attacker would have 100% success as the only valid sequence would be three taps on the white dot. Let’s assume we only use circles and no points. There are 4 possible circles we can randomly choose for each gesture. This gives us a total of 4^3 = 64 possible gesture sequences. For this scenario, Odds1 is 7.81% and Odds100 is 99.97%. It’s surprising that for a single machine the odds of a successful sign in with my picture password is less than 8% (my intuition would have guessed a higher number), though you can see it is a virtual certainty that with 100 machines, at least one of them would be compromised. While some users might be comfortable with these odds, most security conscious folks and IT admins who manage a population of machines would find this unacceptable.

Let’s now augment the scenario by saying we will randomly choose for each gesture whether it is a tap or a circle. It is tempting to say that this doubles the complexity of each gesture, but it does not. There are 4 possible circles and 1 possible tap, so there are 5 unique gestures giving a total of 125 sequences.

Let’s say that we choose to implement our new “random” methodology as follows: flip a coin to determine if it’s a tap or a circle. If it’s a circle, we’ll randomly decide which of the four possibilities it will be. While this seems nice and random, it is actually less secure than just using only circles. This is because half the time we will pick a gesture for which there is only one possibility (the tap). An attacker would focus their attack on gestures that featured two or three taps and achieve higher success. An ideal attack strategy (there are others with identical odds) would be to test for 3 taps, and then test for two taps followed by each of the four circle types for the 5 attempts before lockout. Instead of the apparent Odds1 of 4% (an improvement over the previous 7.81%), an attacker would actually achieve Odds1 of 25%, more than three times worse than just using circles. Statistics can be tricky!

Fortunately, there is an easy fix to this scenario. For each gesture, we pick a random number between 1 and 5. If it is a 1, we use a tap. Otherwise we use the value to pick one of the 4 circle possibilities. This does yield an Odds1 of 4% (almost twice as good as the first scenario), but the Odds100 is still an abysmal 98.31%.

A slight improvement

Let’s make just a small improvement to our methodology. This scenario involves a picture with only two POIs (it’s really hard to imagine a real photo this simple, so we can pretend it’s a black canvas with two white dots). This allows us to add the line gesture, but there are only two possibilities for it: drawing from the first dot to the second, or from the second to the first.

Learning from the previous example, we will not randomly pick the gesture type and then the gesture. We will sum up all possible gestures and then pick a random number to map with equal probability onto each possible gesture. There are 2 possible taps, 8 possible circles, and 2 possible lines. The total number of gesture sequences is 12^3 = 1,728. This gives us an Odds1 of 0.29% and Odds100 of 25.2%. It is somewhat remarkable that so simple of a picture with only 2 POIs would have odds this low for a successful attack. Even if you had 100 machines to attempt to break into, you would only succeed getting into at least one machine 1 out of 4 tries.

Ramping it up

Let’s assume there are now 5 POIs in your picture. I can begin to imagine some very simple pictures where this might be the case. We now have 5 possible taps, 20 possible circles, and 20 possible lines. This gives us 45^3 = 91,125 possible sequences. Odds1 is now vanishingly small at 0.0055% and Odds100 is also very low at 0.55%. For many users, these odds are sufficient to protect their data.

To the max

Let’s assume you are very security conscious and choose a picture with 10 POIs. There can be debate as to how many POIs a particular photo contains. However, it doesn’t matter how many POIs are “obvious” as long as you pick 10 points that are identifiable to you to randomly choose gestures with. Actually, if some of the points aren’t obvious (but you can still reliably target them), that is a security plus.

We now have 10 possible taps, 40 possible circles, and 90 possible lines. This is a very robust 140^3 = 2,744,000 sequences. Odds1 is vanishingly small at 0.0002%. In fact, you are more than 50 times more likely to win $10,000 with a $1 ticket in the Washington State Select 4 Lottery than you are to have your machine broken into using a picture with 10 POIs! The Odds100 has dropped to 0.018% and even Odds1000 is only 0.18%.
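The figures in the scenarios above can be recomputed directly. The following Python sketch is an added example, not code from the original post: it reproduces Odds1 and Odds100 under the post's simplified POI model and shows why the coin-flip method gives an informed attacker 25% where a single uniform draw gives 4%. All function and variable names are assumptions made for illustration.

```python
from fractions import Fraction
from itertools import product
from math import prod

LOCKOUT_TRIES = 5        # from the post: sign-in is disabled after 5 incorrect tries
GESTURES_PER_LOGIN = 3   # a picture password is a sequence of three gestures


def gesture_count(pois):
    """Gestures available with `pois` points of interest under the post's model."""
    taps = pois
    circles = 4 * pois           # two sizes x two directions around each POI
    lines = pois * (pois - 1)    # ordered pairs, because direction matters
    return taps + circles + lines


def odds1_uniform(sequences, tries=LOCKOUT_TRIES):
    """Odds1 when every sequence is equally likely (capped at 1 if sequences < tries)."""
    return min(Fraction(1), Fraction(tries, sequences))


def odds1_best_guesses(per_gesture, tries=LOCKOUT_TRIES):
    """Odds1 when gestures are NOT equally likely.

    `per_gesture` maps each gesture to the probability that the selection
    method picks it for one slot. An attacker who knows the method spends the
    tries on the most probable sequences, so the result is the sum of the
    `tries` largest sequence probabilities. Every sequence is enumerated, so
    this is meant for small gesture sets.
    """
    if sum(per_gesture.values()) != 1:
        raise ValueError("per-gesture probabilities must sum to 1")
    slots = product(per_gesture.values(), repeat=GESTURES_PER_LOGIN)
    seq_probs = sorted((prod(combo) for combo in slots), reverse=True)
    return sum(seq_probs[:tries])


def odds_many(odds1, machines=100):
    """Chance that at least one of `machines` independent machines is opened."""
    return 1 - (1 - float(odds1)) ** machines


CIRCLES = ("small cw", "small ccw", "large cw", "large ccw")

# Single-POI picture, method 1: coin flip for tap vs. circle, then pick a circle.
COIN_FLIP = {"tap": Fraction(1, 2), **{c: Fraction(1, 8) for c in CIRCLES}}
# Single-POI picture, method 2: one draw over all five gestures.
ONE_DRAW = {g: Fraction(1, 5) for g in ("tap",) + CIRCLES}


def scenario(pois):
    """(sequences, Odds1, Odds100) for uniformly chosen gestures on `pois` POIs."""
    sequences = gesture_count(pois) ** GESTURES_PER_LOGIN
    o1 = odds1_uniform(sequences)
    return sequences, o1, odds_many(o1)


if __name__ == "__main__":
    print(f"coin flip: Odds1 = {float(odds1_best_guesses(COIN_FLIP)):.2%}")
    print(f"one draw : Odds1 = {float(odds1_best_guesses(ONE_DRAW)):.2%}")
    for pois in (2, 5, 6, 10):
        sequences, o1, o100 = scenario(pois)
        print(f"{pois:>2} POIs: {sequences:>9,} sequences  "
              f"Odds1 = {float(o1):.4%}  Odds100 = {o100:.3%}")
```

The same `odds1_best_guesses` check applies to any selection habit that can be written as per-gesture probabilities, which makes it a quick way to see how much a predictable preference costs.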

Social engineering

Social engineering is one of the most significant threats to sign-in security of all types, whether password, PIN, or picture password. Using a randomizer to help construct your sign-in sequence is equally useful for each of these methods.

For the technical enthusiast, it is possible to implement the above schemes with a small amount of programming or the use of Excel. However, it would be useful to have a lower tech way of creating a gesture sequence that a larger audience could employ. Of course, we should not be under any illusions that the number of people who seek out these tools and procedures will be any greater than the number who would voluntarily pick strong text passwords if not required by site admins.

Roll of the dice

As a whimsical exercise, I thought it would be fun to come up with an analog way of generating a random gesture sequence. To do this, I chose to employ a six-sided die (D6 for hard core gamers :-)) to generate a 6-POI gesture sequence. In addition to mapping nicely onto the die, a 6 POI picture has the useful property that the number of possible lines (30) exactly equals the number of taps (6) plus circles (24), so it is easy to bifurcate the gesture type as well.

Repeat the following steps for each of the three gestures:

  1. Roll the die.
    The number indicates which of the six POIs to use for the gesture (for a line it will be the starting POI).
  2. Roll the die again.
    • If the die is even, the gesture will be a line
      Roll the die again.
      If the number matches the first roll to pick the initial POI, reroll until you get a different number.
      This number is the second point for the line.
    • If the die is odd, the gesture will be a tap or circle
      Roll the die again.
      Use the roll value list below to determine the gesture.
      1 - The gesture is a tap
      2 - The gesture is a small clockwise circle
      3 - The gesture is a small counterclockwise circle
      4 - The gesture is a larger clockwise circle
      5 - The gesture is a larger counterclockwise circle
      6 - Reroll

As expected, the complexity provided by 6 POIs is between the numbers for 5 POIs and 10 POIs. Odds1 is 0.0023% and Odds100 is 0.23%.
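The dice procedure translates directly into code. This added Python example (not from the original post; all names are illustrative assumptions) implements it with a die drawn from the operating system's secure random source, verifies by enumerating every three-roll script that all 60 gestures come out equally likely, and goes one step further with the "one draw over all gestures" method for any POI count.

```python
import secrets
from collections import Counter
from itertools import product

CIRCLES = (
    "small clockwise circle", "small counterclockwise circle",
    "larger clockwise circle", "larger counterclockwise circle",
)
# Third-roll table from the post: 1 = tap, 2-5 = circles, 6 = reroll.
THIRD_ROLL = dict(enumerate(("tap",) + CIRCLES, start=1))


def fair_d6():
    """One roll of a fair die, drawn from the OS CSPRNG without modulo bias."""
    return secrets.randbelow(6) + 1


def roll_gesture(d6=fair_d6):
    """One gesture by the dice procedure; `d6` is any callable returning 1..6."""
    poi = d6()                  # roll 1: the POI (start point if it is a line)
    if d6() % 2 == 0:           # roll 2 even: the gesture is a line
        end = d6()
        while end == poi:       # a line needs two different POIs, so reroll
            end = d6()
        return ("line", poi, end)
    kind = d6()                 # roll 2 odd: tap or circle
    while kind == 6:            # 6 is not in the table, so reroll
        kind = d6()
    return (THIRD_ROLL[kind], poi)


def roll_sequence(d6=fair_d6, gestures=3):
    """A full picture-password sequence of three independently rolled gestures."""
    return [roll_gesture(d6) for _ in range(gestures)]


def all_gestures(pois):
    """Every gesture in the post's model for `pois` points of interest."""
    points = range(1, pois + 1)
    taps = [("tap", p) for p in points]
    circles = [(c, p) for p in points for c in CIRCLES]
    lines = [("line", a, b) for a in points for b in points if a != b]
    return taps + circles + lines


def uniform_gesture(pois):
    """Generalization: one unbiased draw over all gestures, for any POI count."""
    gestures = all_gestures(pois)
    return gestures[secrets.randbelow(len(gestures))]


class ScriptExhausted(Exception):
    """Raised when a scripted die runs out, i.e. the procedure asked for a reroll."""


def scripted_d6(rolls):
    """A die that replays a fixed list of rolls (for checking the procedure)."""
    remaining = iter(rolls)

    def d6():
        try:
            return next(remaining)
        except StopIteration:
            raise ScriptExhausted from None
    return d6


def first_try_counts():
    """Count the gestures produced by all 216 three-roll scripts.

    Scripts whose third roll is rejected are skipped. A reroll only repeats the
    third roll, and every (roll 1, roll 2) pair accepts exactly 5 of 6 faces,
    so equal counts here mean the full procedure is uniform.
    """
    counts = Counter()
    for script in product(range(1, 7), repeat=3):
        try:
            counts[roll_gesture(scripted_d6(script))] += 1
        except ScriptExhausted:
            pass
    return counts


if __name__ == "__main__":
    counts = first_try_counts()
    print(len(counts), "distinct gestures, counts:", set(counts.values()))
    print(roll_sequence())
```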

We hope you enjoy using the new picture password sign-in as much as we have enjoyed creating it!

--Jeff Johnson

Comments

  • Anonymous
    December 19, 2011
    Fluent transition between the picture and the keyboard password is important. When I'm at the airport, I need to be able to type the password when the picture password is shown. Also, after a few failed tries, can you time-out the picture password for a few seconds (thereby defeating a brute force attack), while still being able to immediately start typing the password.

  • Anonymous
    December 19, 2011
    Great explanation of the potential of the picture passwords! I really like this new way of signing in, and I plan on definitely using it with a touch-enabled device! I can't wait for the final release of Windows 8!

  • Anonymous
    December 19, 2011
    @alvatrus If you check out the video on the previous post, you will find that at 2:15 there is a button that says "Switch to password," so apparently you are able to switch between both methods of logging in pretty easily.

  • Anonymous
    December 19, 2011
    Hi Steven, Have you considered dropping the Windows branding, at least for tablets?  I was just reading the following article from TechRepublic.com and it says: "Microsoft’s Windows Phone 7 is a solid product that suffered from one fatal flaw: The burden and baggage of the Windows brand....One of the reasons people love smartphones and tablets so much is that they aren’t as complicated and confusing as the Windows computers that they’ve been using for years. Other than the small-but-rabid cadre of Windows enthusiasts, most people shudder when they think about having a phone that runs like Windows. The last thing they want is a device that locks up for no apparent reason, gradually gets slower over time, and is constantly getting bogged down by spyware, malware, and crapware." www.techrepublic.com/.../9932 Will people want to buy a tablet that has Windows in the name?  Note that the only other successful platform Microsoft has is the XBox which is not branded as Windows.  Microsoft should consider doing the same thing for their tablets.

  • Anonymous
    December 19, 2011
    Picture password is nice... but why only 3 options to choose a picture password? It would be nice to allow a feature to customize the number of gestures you want for the picture password with a minimum of 3; having something like four or 5 more gestures would be awesome.

  • Anonymous
    December 19, 2011
    I can see it now: Clippy to the rescue. "It looks like you're creating a Picture Password! Would you like help rolling your D6 to make sure it's secure?"

  • Anonymous
    December 19, 2011
    Regarding "smudges on the screen could potentially identify your gestures." How about moving the picture around every time? It's so much better than relying on the user to "add a handful of additional smudges in the picture password area". I know, it's too easy.

  • Anonymous
    December 19, 2011
    "Windows provides additional protection for picture passwords (and PINs) by disabling the login mechanism after 5 incorrect tries (you then have to use your conventional password). With this in mind, it is interesting for a given scenario to frame the relative security in two ways." Am I reading this wrong, or is defeating a picture password no harder than defeating a text password, since it's trivial to skip the picture password and jump straight to the text password? So you still must absolutely have a strong text password, and a picture password that's technically stronger than it. Of course, a picture password has the potential to be easier to remember than a text password at similar strengths. Well, maybe, if you're bad at remembering text passwords. I think remembering random "phrases" is easier than random gestures.

  • Anonymous
    December 19, 2011
    I would like to suggest that you randomly slightly turn or shift the image each time you login.  That way, even if someone were to see smudges, they wouldn't even know where the image was positioned when you logged in, so it would not be near as useful to them.  Thanks, and great job so far.

  • Anonymous
    December 19, 2011
    @Michael Didn't he explain why that wouldn't work?

  • Anonymous
    December 19, 2011
    I love the picture passwords thing; I just think it should support 3D images for computers that have graphics cards that support 3D graphics and that have multi-touch touch screens.

  • Anonymous
    December 19, 2011
    Hi Michael, Smudges would not really be an issue. The individual who would want to break in would still have to figure out the sequence, which would not be that easy. Regards, Anon

  • Anonymous
    December 19, 2011
    @Mike All Windows accounts have a text password as their core authentication mechanism.  Secondary mechanisms like picture password, PINs and fingerprint readers are layered on top.  When you enable multiple forms of authentication, your account is only as secure as your least secure method of authentication. We spent a lot of time when we designed picture password considering the security implications, not just from a theoretical math perspective, but from how humans actually use the feature.  With picture password we wanted to enable an experience that was not only secure, but fast and fluid. Most users of slates and phones today utilize a PIN.  There is an implicit tradeoff being made here between quick access to the device and password complexity.  For example, if your phone required you to enter a 12 letter password that contained at least one upper case letter, a number and a symbol and you had to do this every time you wanted to make a call or check your email, it would be extremely frustrating. An interesting consideration for an IT manager who is deciding which methods of authentication are appropriate for their company’s users is how human nature is going to adversely impact the theoretical security.  Rules for what makes a compliant strong password are one manifestation of this. One might assume that it would be most secure to disable all forms of authentication except a strong text password.  From a theoretical perspective, there is merit to this approach, if you don’t consider usability.  However, you will still need to choose your definition of “strong” and will have to take into account the ease with which your users will be able to log in.  We have seen a trend for many users when faced with having to frequently log in on a slate (or even phone with PINs) towards picking passwords that are fastest to enter on the soft keyboard.  Needless to say this is not a good security practice. However, if picture password is enabled (and the security characteristics are appropriate for your needs), you can utilize a stronger text password and users are more likely to follow best practices as their need to have to actually enter it will be rare.

  • Anonymous
    December 19, 2011
    "If there are x equally likely gesture sequences, then the odds of guessing it in five tries before lockout are 5 / x ." So, when there are only 2 gesture sequences the odds are 5 / 2 = 2.5, which is 250%?

  • Anonymous
    December 19, 2011
    There seems to be a run of comments where the answer is in the post.  I hope folks take the time to read the posts before commenting. Keep in mind that we could be having the same "can you guess" dialog around text passwords.  For example, it is well known that when you say "password must contain a number" people start with 1.  If you do password expiration, then the next one is 2.  If you say no ordering then you can guess 3 or 0 (the other side of the keyboard).  Just a reminder that we're not claiming to have solved identity--just making the point that this technique has been designed to provide at least the same amount of security as text based passwords with the additional benefit that you can use touch, which is what @Jeff Johnson (MSFT) describes in the posts and his comments here.

  • Anonymous
    December 19, 2011
    Sorry, this formula is for when x is at least 5.

  • Anonymous
    December 19, 2011
    Wow, this is very interesting. Have you guys considered changing the name from "picture password" to something different because this form of logging in isn't really a password?

  • Anonymous
    December 19, 2011
    I am a longtime Microsoft shareholder and believer in your products.  The blogger above who talked about the baggage associated with the Windows name in the brand is spot on.  Rehabbing Windows as a brand requires Microsoft to increase marketing 10 fold and open another 400 stores right away, something I doubt Mr Ballmer is willing to do.  A new name is the best way to get away from the Windows baggage.  Xbox has a good brand, tag onto that, instead of win8, call it the xPad, no please, please, please call it the xPad instead of Windows 8.  Let it be Windows 8 on PCs and xPad on tablets.

  • Anonymous
    December 19, 2011
    For a long time it is time to advance report SCTP everywhere! Considering present active advancement aside IPv6. + the weight of benefits from this is taken by one more good report SPDY. It is impossible to brake development of technologies and it is necessary to push modern reports in weights. It is necessary to convince Microsoft of utility and necessity of the given reports and to incline to their intensive introduction.

  • Anonymous
    December 19, 2011
    Would you offer this wallpaper please. img809.imageshack.us/.../win8.jpg This was shown after the D9  conference! Would be so nice.

  • Anonymous
    December 19, 2011
    Having read both articles on picture sign-in I am curious about gestures that would have made use of more than one finger. Other than creating an obvious problem for stylus-type input devices, what was the sign-in/security experience of such gestures (because I assume they were tried)?

  • Anonymous
    December 19, 2011
    Great explanation, thanks. Would it raise the security if when entering the password, the user would have to pick the correct picture first out of a stack of static pictures that are shown in random order?

  • Anonymous
    December 19, 2011
    If you look at any touch screen kiosk, like an ATM machine or the checkout lane kiosk used by the employees of a store, or even self checkout, the resistive screen kiosks all have smoothing of the screen layer at the points which have been touched repeatedly, to a point where it can be easily identified. If the picture stays put in the same location on the screen, then I am afraid my screen is going to look like that, and in a few months' time my password is going to show up as a smoothened screen surface. Note these are resistive screens. Also, how can I mask a 22 inch screen where no one can look, if I have a 22 inch touch screen?

  • Anonymous
    December 19, 2011
    Over 2 months have passed since the release of the pre-beta (Windows 8 build 8102), but still no larger functions and features improvement in Windows by Microsoft.

  • Anonymous
    December 19, 2011
    One thing is not clear to me :  when I fail 5 times,   I must enter the password.  Is this true forever or  can I try again after 30 minutes for example ?   In any case the system looks very strong,  even with a very simple picture. Jeff Johnson mentions fingerprint readers,  which looks the simplest way to log into a system.  However,  even if you struggle to find an easy and fast way to log in,  this solution does not seem to attract you.  Are there reasons for this (other than pure availability of the readers) ?  Perhaps that it looks good but is not ?

  • Anonymous
    December 19, 2011
    First off, you guys test VERY fast. Second off, I'd like to revisit the start menu. I've been thinking about it a little more, and I realized why the Mac's Launchpad doesn't feel claustrophobic, or rather, why the start menu DOES. It's because the tiles are so large, and because the background is completely opaque, not to mention only 1 tone. I think if you had the background be white with like 10% opacity, it would blur the desktop thoroughly as to inform the user that they couldn't click on anything on the desktop, and to not make the user feel like they're in a small confined place against their will. It currently feels as if I was locked in a closet somewhere. Can I get a response? Agree? Disagree?

  • Anonymous
    December 19, 2011
    Drop shadows, are they now symmetrical? It annoyed me SO much to have the bottom shadow bigger than the other sides, and I couldn't even fix it in my custom theme because of some rendering bug T_T So, I REALLY hope the shadows are symmetrical. It shouldn't look like the light is coming from your ceiling; the user should be the light, thus the shadows should be flat. Does any of that make any sense to you?

  • Anonymous
    December 20, 2011
    @Jeff Johnson [MSFT] Indeed, I found recently that when I had to request users' passwords due to a client migration process I found all too many Mycompanyname1! passwords. Those are really too easy to guess. Picture password definitely adds a personal touch to passwords and I think for enterprise environments it could actually encourage end users to choose a better password. For the smudging issue, I would suggest to rotate multiple pictures. It's probably easy to remember gestures for more than one picture because you have a social bond to the choice of gestures. The cycling pictures add an extra difficulty for public users who happen to glance at your gesture to unlock the password. If the next password authentication would show a new picture, the gestures of the previous one they remembered would be rendered useless. Also, if the images are cycled sufficiently, then the smudges will be random and therefore difficult to estimate.

  • Anonymous
    December 20, 2011
    @Bart Verkoeijen  -- I think we're trying to say that there isn't a "smudging issue" any more than there are analogous issues with text based passwords (except for the fact that picture passwords are immune from keystroke logging and other physical intercept techniques).  Personally, I think this is far less than being comparable to other issues.  It is like trying to discern a football team (American) offense by looking at the field after the game--all you see is a lot of torn up grass in the middle of the field.

  • Anonymous
    December 20, 2011
    There May Only Be One Slight Error I Can Think Of. The Touching Keys May Have A Small Radius, And Say You Touched 5 Pixels To The Right It Wouldn't Treat It Correct.

  • Anonymous
    December 20, 2011
    Another interesting article. I think the "smudging" issue is a tad overrated, as anyone with a touch-only device is probably aware you tend to end up with smudges all over the screen for normal use anyway. I know that was the case with my latitude XT and I always logged onto that with the fingerprint reader (and that's still an option for those who'd like it!)

  • Anonymous
    December 20, 2011
    How do picture passwords and regular passwords work in scenarios when items like an alarm clock would wake up my computer? Right now I have to allow my computer to circumvent all passwords when it wakes up to allow an alarm clock application to work. With a tablet I want certain events and notifications to occur even if my computer is asleep and locked without me having to log in. This would also be very handy for applications like Skype and Google Voice; I wish they could notify me of a call even if my computer is asleep. This is not just for my laptop, I wish I had this feature on my desktop too.

  • Anonymous
    December 20, 2011
    This is very cool, and I'm looking forward to it in Windows 8.  I'm curious how the login data is stored.  Will I have the same picture password experience across multiple PCs leveraging Skydrive? [As a side note, can you make an HTML5 web-based version to use for Microsoft web services?  That would be awesome]. Is the information stored on the PC as a set of encrypted coordinates?  Or is the full sequence hashed in some way to unlock the PC?  Basically, what is changing about the underlying security mechanism for this Picture Password? Awesome job folks - keep up the good work!

  • Anonymous
    December 20, 2011
    @Steven Sinofsky - Thanks for the reply, it shows the team takes in the feedback. I may have to paraphrase myself to make my earlier point clearer. The core problem with the smudging issue is its traceability. Since the picture password is a visual pattern based method, the user's awareness of security strength will be on whether the pattern can be replicated easily. Whether smudging is a real security issue or not does not matter; it is a fact though, that it does offer the ability to compromise this security method and therefore may cause fear. Your point is taken with the example regarding the football team. Using that same example, I want to highlight that should somebody watch the football match and analyse the tactics, this can be used against a team in a next match should they use the same tactics. The same counts for the password picture. The method is much slower and more visible than the text and PIN method. Therefore it's much easier to see and remember one's login gesture. I've experienced this first hand with the Android 'dot pattern' login method, which is very easy to remember once you see someone login. Therefore, my point was about the traceability of the current implementation. My suggestion would be to use multiple pictures and require that after each successful login a different picture will be used for the next attempt to login.

  • Anonymous
    December 20, 2011
    By the way, there seems to be an issue with the commenting system on this blog: when you take a long time to write your comment, the session seems to expire. The post won't be accepted, and reloading the page (resubmitting) does not help. Had the same issue on 2 different PCs in different locations.

  • Anonymous
    December 20, 2011
    @Bart Verkoeijen @Jeff Johnson [MSFT] mentioned in his comment the practical issue that once someone can see you entering any form of authentication, all bets are off.  It is just a matter of focus and skill no matter what form of typing, swiping, or PINing is used.  There really isn't "more visible" there's just visible.  The more you use random elements the less "guessable context" a bad guy might have but still if they can see you then you're in a bad spot.  

  • Anonymous
    December 20, 2011
    Thank you brother to explain all this to people. It is a great help! A big thank you for this post and to your website at all. I just loved.

  • Anonymous
    December 20, 2011
    The picture password turned out well. And why can't I write comments on every topic on this site?

  • Anonymous
    December 21, 2011
    A couple of interesting concepts were raised in other comments - one is to first have to select from a random set of images before entering your gestures. Another would be to have multiple images in your own "library" - each with its own set of gestures. Having the OS randomly select from among that set would reduce the risk from the smudges. This is a similar concept to the scramble pad for number passwords; have you considered that as an option (would also work great on WP7).

  • Anonymous
    December 21, 2011
    Hi, I am very conscious about PIN password. How would it provide security? Also, picture password is good for personal devices. It can't be hidden from other persons sitting with you for desktop. I also expect Windows 8 should give a warning if anyone is setting a weak password, so that one may try to have a strong password.

  • Anonymous
    December 21, 2011
    password + gesture = Windows Pasture(tm)

  • Anonymous
    December 21, 2011
    "There isn't more visible, there's just visible" Steven, I take issue with this. When someone's typing in 6 characters worth of asterisks, I can't see well enough to record their password. With picture password, the 3 taps are highlighted on screen (visual feedback) and that's really easy for me to record. If I'm doing a boardroom presentation no-one can guess what I typed, but they can see what I tapped. I think you should disable the visual feedback of picture password.  I didn't see this addressed in the post.

  • Anonymous
    December 21, 2011
    I agree, if it is to be the same level of security you would have to hide the "password" on the screen just as is done with asterisks...

  • Anonymous
    December 21, 2011
    You can change to a text password (or a PIN) any time you want at time of logon (or unlock--remember this is not a replacement for a text password, just an additional mechanism connected to that password just like a PIN is). All we've done is shown that the number of combinations makes it equally secure to commonly used PINs. But nothing can be secure from eavesdropping or observation--not strong passwords or anything. Keep in mind any time someone can see you typing there is a risk over the shoulder (obviously not presenting from a podium, but I can't count the number of times I've seen someone start typing their password into a user name field, especially in web demos...) A much better practice is to blank the screen while setting up and use presentation mode (window key+x on a mobile PC) to avoid screen savers, change your background, turn off notifications, and the like. And of course, use demo accounts if at all possible. Keep in mind many believe that even knowing the number of asterisks is a security problem and for years have suggested showing a random number of asterisks for every character typed. But at least picture password is immune from keystroke logging :-)

  • Anonymous
    December 21, 2011
    It wouldn't take much for someone to steal a picture password through a screen reader/recorder. After all a picture password is nothing more than a bunch of co-ordinates.

  • Anonymous
    December 21, 2011
    Hey, why not stop reserving A and B drive letters for FDD and start giving them to card readers instead? Notebooks, tablets and all modern computers don't have FDD drives. Isn't it time to remove some legacy limitations? (Like folders with CON name)

  • Anonymous
    December 22, 2011
    @Steven Sinofsky "But at least picture password is immune from keystroke logging" I have seen you make this comment twice now, but I have seen no justification for why that would be true. Touch is input to the system provided by a hardware device, just like the keyboard. If an attacker can install a key logger, he can install a touch logger just as easily. So how is gesture authentication (the term "picture password", while catchy, is a misnomer, since it doesn't use a password, and the picture is not what is being authenticated) any more immune from logging than a traditional password?

  • Anonymous
    December 22, 2011
    @David A Nelson -- assuming an external keyboard, a keystroke logger is easy to install as it just goes between the keyboard and the PC. A touch panel is integrated and while it might connect via a USB, the signal is specific to a make and model. And still once you have the signal you have to decode that and use it on that screen on that image on that PC, unlike a password. Once you're installing software to log anything, then all bets are off (and why bother stealing the logon password of all things). However, even then a keystroke logger is completely straightforward and far more useful.

  • Anonymous
    December 22, 2011
    ^^^ How wouldn't someone be able to make an app to log all the picture password signals? So your keylogger argument is completely irrelevant.

  • Anonymous
    December 22, 2011
    @BumbleBritches57 Even if someone logged all of the touchscreen signals used for the picture password, they wouldn't necessarily know how these signals translated into physical gestures. As Steven Sinofsky says, "And once you have the signal you have to decode that and use it on that screen on that image on that PC, unlike a password."

  • Anonymous
    December 22, 2011
    How does this work when a password is required in other areas, say a UAC prompt or logging in via RDP?

  • Anonymous
    December 22, 2011
    The point is, if they logged those signals being sent to the app, they could input those signals directly into the app, thereby simulating that activity. Electronically, it would match identically.

  • Anonymous
    December 22, 2011
    Like I said, it's not about translating that information into human readable form, they could input that binary code directly and remotely into the device.

  • Anonymous
    December 22, 2011
    And I'm not a security guy or anything, but Microsoft, you may want to have a public and random key that encrypts ALL passwords, text or otherwise, and the key is decrypted as it is received by the hypothetical login.app, so as to make any stream dumped from any password field unusable by any hacker.

  • Anonymous
    December 23, 2011
    Cool. Please have (and OEM) a big inch screen on a + or - 45 degree angle on a table or something, similar to Microsoft Surface, but only that it's a + or - 45 degree screen that supports multiple inputs (touch, pen, mouse, keyboard, voice etc.) running Windows 8, since it's touch optimised, for the PC+ era.

  • Anonymous
    December 23, 2011
    @Steven Sinofsky Also why not add a Courier app to Windows 8 that takes advantage of the work that was done on the Courier user interface. Maybe integrate a Courier like experience into OneNote?

  • Anonymous
    December 23, 2011
    Very interesting, we like the work you're doing. Can you please embed Bing into the desktop background, as if Bing is the background that allows online searching, home search or other networks; when the results appear, clicking the links then opens IE.

  • Anonymous
    December 24, 2011
    You can do this already! You just have to download the Bing dynamic RSS theme from the Windows themes gallery: windows.microsoft.com/.../bing-dynamic-theme

  • Anonymous
    December 24, 2011
    I think you should invest more, in the animations of Windows 8, because they are very poor and not invested. If you will put the animations of Windows phone 7.5 in Windows 8, it will be much better.

  • Anonymous
    December 24, 2011
    Very interesting article. Let me go a bit off topic. Maybe it's very hard mathematics for the usual American (in Russia there is a very popular stereotype that people of the USA are very stupid (I'm sorry)). Jeff Johnson, where did you get your education? When is this level of mathematics studied in a usual American school? In Russian schools children study this level (factorial, formulas, summation operator (sigma)) usually at 12-15 years. Please, someone from the U.S., destroy this popular stereotype about Americans in Russia. Sorry for my English. Thank you very much.

  • Anonymous
    December 25, 2011
    here's a great new community for Windows 8 Tablets: http://win8tabs.com

  • Anonymous
    December 25, 2011
    OFFTOPIC: Program Compabikity Service is a big failure, both in Vista and Windows 7. When I install Ulead PhotoImpact 12 it doesn't say anything at all. But when I install several plugins to it, that are in the install folder, it claims that they are not correctly installed, even if they are... Have to disable it to be able to install the plugins without this nagging. If something isn't supported in Vista and Windows 7, like old Java runtimes, why isn't the install blocked?

  • Anonymous
    December 25, 2011
    Program Compabikity Service = * compability *

  • Anonymous
    December 25, 2011
    Windows, I think, is going the right way. Too much security at the point of Login is not as  important as the security within. More security features can be added to drives and specific folders (Encryption, for instance, in all versions of Windows and permitted in folders). Easy usability is more important.