In the latest interation of Windows 8's new "pictures passwords" feature, Jeff Johnson, the Director of Development for the User Experience team, titled "Optimizing picture password security" talks in particular about the math and security of the feature and how to optimize the security of the picture password.
In the blog post, Johnson addressed the comments and questions from the readers.
He notes "As several comments suggested, we also considered shrinking the size of the image and displaying it at random positions and slight rotations on the screen to minimize any risk from smudges. We knew from usability feedback that decreasing the size of the image both increased the difficulty of properly entering the gesture and made the login experience feel less immersive; however, if there were a significant improvement to security, we wanted to consider the costs and benefits."
"What we discovered was that while shifting the image could reduce the buildup of smudges in specific spots, there were even more prominent "clouds" of taps, lines and circles that were identical relative to each other. With this information, an attacker could easily figure out the gestures relative to each other. With that information, it was a simple exercise to move them around the picture until they appeared to coincide with significant elements of the picture. There wasn't a noticeable improvement in security and we were able to measure significant degradations to the fast and fluid user experience."
Johnson gives several different ways to make the picture better as a password that as per him will "substantially increase the security of your computer.":
- Pick a photo that has at least 10 points of interest.
- Use a random mixture of gesture types and sequence.
- If you choose to use a tap, a line, and a circle, randomly choose the order of those gestures; this creates 6 times the number of combinations as a predictable order.
- For circle gestures, randomly choose whether you draw it clockwise or counterclockwise. Also consider making the size of the circle bigger or smaller than the "expected" size.
- For line gestures, your instinct may be to always draw from left to right, but it is more secure if you randomly choose the direction with which you connect the two points.
- As with all forms of authentication, when entering your picture password, avoid allowing other people to watch you as you sign in.
- Keep your computer in a secure location where unauthorized people do not have physical access to it. As with any password entry, be aware of line of sight and potential recording devices that intrude on your screen.
- Be aware that smudges on the screen could potentially identify your gestures. Clean your screen thoroughly on a regular basis. Although this increases the risk if you clean, sign in, and then do nothing, the buildup of oils from repeated use is generally easier for an attacker to see (plus, who likes using an oily device?).
- Periodically look at your screen at an oblique angle while on the picture password login screen and see if there appears to be a pattern pointing to your gesture sequence. If so, either clean your screen or add a handful of additional smudges in the picture password area.
He goes into a lot of technical details behind the picture password feature. Johnson states, "Windows provides additional protection for picture passwords (and PINs) by disabling the login mechanism after 5 incorrect tries (you then have to use your conventional password)."
Johnson also, explains how hard it would be to break the picture password that has 10 points of interest:
"Let's assume there are now 5 POIs in your picture. We now have 5 possible taps, 20 possible circles, and 20 possible lines. This gives us 453=91,125 possible sequences. Odds1 is now vanishingly small at 0.0055% and Odds100 is also very low at 0.55%. For many users, these odds are sufficient to protect their data.
We now have 10 possible taps, 40 possible circles, and 90 possible lines. This is a very robust 1403=2,744,000 sequences. Odds1 is vanishingly small at 0.0002%. In fact, you are more than 50 times more likely to win $10,000 with a $1 ticket in the Washington State Select 4 Lottery than you are to have your machine broken into using a picture with 10 POIs! The Odds100 has dropped to 0.018% and even Odds1000 is only 0.18%."
He said the complexity provided by 6 POIs is between the numbers for 5 POIs and 10 POIs. Odds1 is 0.0023% and Odds100 is 0.23%.