In the latest series Windows 8 post, Zach Pace, program manager authored a new post discussing the implementation and security of picture password in Windows 8.
"Picture password is a new way to sign in to Windows 8 that is currently in the Developer Preview. At its core, your picture password is comprised of two complimentary parts. There is a picture from your picture collection and a set of gestures that you draw upon it. Instead of having you pick from a canned set of Microsoft images, you provide the picture, because it increases both the security and the memorability of the password. You get to decide the content of the picture and the portions that are important to you. Plus, you get to see a picture that is important to you just like many people do on their phone lock screen," writes Pace.
"Picture password feature is designed to highlight the parts of an image that are important to you, and it requires a set of gestures that allow you to accomplish this quickly and confidently. In order to determine the best set of gestures to use, we distributed a set of pictures to a set of study participants and asked them to highlight the parts of the image that were important to them," said Pace.
"There's also an attribute inherent to circle and line gestures that adds an additional layer of personalization and security: directionality. When you draw either a circle or a line on your selected picture, Windows remembers how you drew it. So, someone trying to reproduce your picture password needs to not only know the parts of the image you highlighted and the order you did it in, but also the direction and start and end points of the circles and lines that you drew," explains Pace.
In recording the shapes one draws on the screen, the OS also remembers the direction and the order of the shapes drawn by the user.
So how many passwords can you get out of taps, circles, and lines? Using mathematical assumptions, one can obtain 2,743,206 unique combinations from 3 taps, 4,509,567 combinations from 3 circles, and 412,096,718 combinations from 3 lines. Combine all three together, and you've got 1,155,509,083 passwords!
Compare this to just 1000 unique PIN combinations with 3 characters, 17,546 passwords with just 3 lowercase letters, and 81,120 passwords with 3 alphanumeric characters and symbols.
Pace explains "Once you've selected an image, we divide the image into a grid. The longest dimension of the image is divided into 100 segments. The shorter dimension is then divided on that scale to create the grid upon which you draw gestures."
Adding he says to "set up your picture password, you then place your gestures on the field we create. Individual points are defined by their coordinate (x,y) position on the grid. For the line, we record the starting and ending coordinates, as well as the order in which they occur. We use the ordering information to determine the direction the line was drawn in. For the circle, we record a center point coordinate, the radius of the circle, and its directionality. For the tap, we record the coordinate of the touch point."
"When you attempt to sign in with Picture Password we evaluate the gestures you provide, and compare the set to the gestures you used when you set up your picture password. We take a look at the difference between each gesture and decide whether to authenticate you based on the amount of error in the set. If a gesture type is wrong--it should be a circle, but instead it's a line--authentication will always fail. When the types, ordering, and directionality are all correct, we take a look at how far off each gesture was from the ones we've seen before, and decide if it's close enough to authenticate you," said Pace.
Just as a note, you can also use a mouse with picture password too, just by using some click and/or drag actions.
Watch the video below demonstating Picture Passwords in Windows 8: