Windows 8 picture passwords are really easy to crack, study shows

It might be best to stick to passwords

You might want to think twice before drawing that Windows 8 picture password, as researchers have found that Microsoft's Picture Gesture Authentication (PGA) system is more Fort Unlocked than Fort Knox.

PGA lets you draw three gestures on an image with your finger, a mouse or a stylus; that sequence of gestures then serves as your password for signing in to the desktop.

However, the gestures can't be free-form: anything that resembles a squiggle is converted into one of three shapes, a tap, a line or a circle. The image can come from a local folder, such as the Windows 8 Pictures library, or from the OS's default set.

According to a recent paper published by security researchers at Arizona State University and Delaware State University, the problem is that people aren't very good at drawing random things on pictures.

It found that most pick common points of interest, such as a nose, mouth, whole face, or regions with standout objects.

Cracking up

They discovered this by creating a custom web-based PGA system similar to the one on Windows 8 and asking 685 respondents to draw gesture passwords on two different pictures.

Overall, just 9.8% of respondents said they randomly chose to draw without thinking of the background picture. 60.3% indicated that they attempted to find locations where 'special objects' were, 22.1% where 'special shapes' were, and 8.3% where 'colours are different from their surroundings'.

Using an experimental model and attack framework whose guessing algorithms were built from the data in users' responses, the researchers claim they were able to crack 48% of passwords on previously unseen pictures in the first data set, and 24% in the second, within the Windows 8 limit of five login attempts.
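To make the two mechanisms above concrete (free-form strokes collapsed into tap/line/circle, and a ranked guess list tried within the five-attempt limit), here is a toy model added for this article. It is not Microsoft's PGA implementation and not the researchers' attack framework; the snap grid, the tap/circle thresholds, the points of interest and every probability weight are assumptions constructed for the illustration. What it shows is the part the paper's numbers depend on: when users cluster on a few points of interest, an attacker who ranks guesses by that bias and merges guesses the tolerance grid cannot tell apart recovers a meaningful fraction of passwords inside five tries, while the same guess list does far worse against users who choose uniformly.

```python
"""Toy picture-gesture login and a guided guessing attack (added illustration;
not Microsoft's PGA code and not the paper's attack framework)."""
import math
import random
from itertools import product

GRID = 8           # assumed: canvas snapped to an 8x8 grid (the real tolerance is not on the page)
CANVAS = 400       # assumed: square canvas, 400 px per side
MAX_ATTEMPTS = 5   # the Windows 8 login limit cited in the article


def _dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def snap(p):
    """Map a canvas point to its grid cell so small jitter still matches."""
    size = CANVAS / GRID
    return (min(GRID - 1, int(p[0] // size)), min(GRID - 1, int(p[1] // size)))


def normalize(stroke):
    """Collapse a free-form stroke (list of (x, y) points) into (kind, start_cell, end_cell):
    a short path is a tap, a long path ending near its start is a circle, anything else a line."""
    path = sum(_dist(a, b) for a, b in zip(stroke, stroke[1:]))
    chord = _dist(stroke[0], stroke[-1])
    if path < 0.03 * CANVAS:
        return ("tap", snap(stroke[0]), None)
    if chord < 0.25 * path:
        return ("circle", snap(stroke[0]), None)
    return ("line", snap(stroke[0]), snap(stroke[-1]))


def stroke_for(kind, centre, end=None):
    """Synthesize a raw stroke of the given kind (used by simulated users and the attacker)."""
    if kind == "tap":
        return [centre, centre]
    if kind == "line":
        return [centre, end]
    r = 0.05 * CANVAS  # assumed circle radius; 17 points sweep 0..2*pi
    return [(centre[0] + r * math.cos(t * math.pi / 8), centre[1] + r * math.sin(t * math.pi / 8))
            for t in range(17)]


class PictureLogin:
    """Stores three normalized gestures and enforces the attempt limit."""
    def __init__(self, strokes):
        self._secret = tuple(normalize(s) for s in strokes)
        self.failures = 0

    def verify(self, strokes):
        if self.failures >= MAX_ATTEMPTS:
            raise RuntimeError("locked: Windows would now demand the text password")
        ok = tuple(normalize(s) for s in strokes) == self._secret
        self.failures = 0 if ok else self.failures + 1
        return ok


# Constructed picture model (assumed, not from the study): points of interest, a skewed
# probability that a user anchors a gesture there, and assumed gesture-kind preferences.
POIS = {"face": (200, 120), "left_eye": (180, 110), "nose": (200, 140),
        "flower": (80, 300), "sky": (320, 40)}
POI_WEIGHT = {"face": 0.45, "left_eye": 0.2, "nose": 0.15, "flower": 0.15, "sky": 0.05}
KIND_WEIGHT = {"tap": 0.5, "circle": 0.3, "line": 0.2}


def random_gesture(rng, uniform=False):
    """Simulate one user gesture, either with the biased preferences above or uniformly."""
    kinds, kw = list(KIND_WEIGHT), list(KIND_WEIGHT.values())
    names, pw = list(POI_WEIGHT), list(POI_WEIGHT.values())
    kind = rng.choices(kinds, weights=None if uniform else kw)[0]
    name = rng.choices(names, weights=None if uniform else pw)[0]
    if kind == "line":
        other = rng.choice([n for n in POIS if n != name])
        return stroke_for("line", POIS[name], POIS[other])
    return stroke_for(kind, POIS[name])


def attacker_candidates():
    """Rank single gestures by the attacker's model of user choice, merging guesses
    that the tolerance grid makes indistinguishable (no point spending two tries on them)."""
    merged = {}
    for kind, kw in KIND_WEIGHT.items():
        for name, pw in POI_WEIGHT.items():
            ends = [n for n in POIS if n != name] if kind == "line" else [None]
            for other in ends:
                stroke = stroke_for(kind, POIS[name], POIS[other] if other else None)
                key = normalize(stroke)
                prob, _ = merged.get(key, (0.0, stroke))
                merged[key] = (prob + kw * pw / len(ends), stroke)
    return sorted(merged.values(), key=lambda t: -t[0])


def top_guesses(limit=MAX_ATTEMPTS, breadth=4):
    """The `limit` most likely three-gesture passwords under the attacker's model."""
    singles = attacker_candidates()[:breadth]
    triples = sorted(product(singles, repeat=3), key=lambda t: -(t[0][0] * t[1][0] * t[2][0]))
    return [[g[1] for g in trip] for trip in triples[:limit]]


def crack_rate(users=2000, seed=1, uniform=False):
    """Fraction of simulated users whose password falls to the guess list within five tries."""
    rng = random.Random(seed)
    guesses = top_guesses()
    cracked = 0
    for _ in range(users):
        login = PictureLogin([random_gesture(rng, uniform) for _ in range(3)])
        cracked += any(login.verify(g) for g in guesses)
    return cracked / users


def lockout_holds():
    """Five wrong picture attempts must block a sixth, even a correct one."""
    right = [stroke_for("tap", POIS["face"])] * 3
    login = PictureLogin(right)
    for _ in range(MAX_ATTEMPTS):
        login.verify([stroke_for("tap", POIS["sky"])] * 3)
    try:
        login.verify(right)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("biased users cracked within 5 tries:", crack_rate())
    print("uniform users cracked within 5 tries:", crack_rate(uniform=True))
    print("lockout enforced:", lockout_holds())
```

Two things worth noticing when you run it. First, the merging step in `attacker_candidates` matters: a tap on the nose and a tap on the face land in the same grid cell here, so a guess list that treated them separately would burn one of its five attempts on a duplicate. Second, the gap between the biased and uniform crack rates is entirely a property of how users choose, not of the gesture format, which is why the researchers' recommendation of a strength meter (below) targets the user's choice rather than the scheme.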

Strength meter

Although the stats don't indicate that Windows 8's PGA is completely guessable, they do show there's some element of risk.

To improve the security of Windows 8's PGA, the report suggests that Microsoft introduce a picture-password strength meter similar to the ones websites show when users choose passwords and other security details.

Kane Fulton