Windows 8 offers picture-gesture password

By Liam Tung on Dec 19, 2011 8:32 AM
Filed under Software

More combinations and shorter length.

Microsoft will tackle weak and fiddly alphanumeric passwords in Windows 8 by introducing a secondary login process that relies on taps, lines and circles. 

The sign-in process will be available on desktops but aims to offer a faster sign-in with stronger passwords than using a tablet's soft keyboard, according to Microsoft. 

For example, a three-character password has 81,120 possible combinations, while a three-gesture picture password offers over 1.15 billion in Microsoft's analysis.

Four gestures produce 612 billion combinations, while five create over 389 trillion. By contrast, five random characters have only 182 million possible combinations.

The setup process involves selecting a personal photo and recording a set of gestures that the user must repeat to gain access. The password includes where on the frame a tap is located, as well as the direction that lines and circles are drawn in. 

"To be clear, picture password is provided as a login mechanism in addition to your text password, not as a replacement for it," said Zach Pace, a program manager on Microsoft's "You Centered Experience" team.

The feature is disabled after five wrong attempts, at which point the sign-in process falls back to the underlying plain text password. The process is only designed for physical access.

A potential weakness of gestures is the smudges left on the screen, which could give away enough for an attacker to guess the password, but Pace argued that the directional element of gestures offers a far greater number of permutations for a password combination.

Lines and circles, according to Pace, become the equivalent of using a Shift key while typing in a password.

"For compliant passwords, a person will typically use the Shift key (or another button) to select alternate character sets. This key press will, of course also be visible to the attacker, but it does not indicate when in the sequence the Shift key was utilised," he said.

"For every circle and line used in the gesture set, the number of permutations increases by a factor of two."

A smudge-visible four-character PIN, password or purely tap-based gesture has 24 permutations. Adding a shift boosts it up to 96, while a four-gesture line-and-circle sign-in has 384 possible combinations, Pace noted.
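The smudge figures above can be checked by enumeration. The following Python sketch is an added example, not code from Microsoft or from the original article: it models a smudge as revealing each mark's position and shape but not the order or drawing direction, and it extends the article's cases to mixed sets of taps, lines and circles. The mark labels, the function names and the reading of "adding a shift" as exactly one shifted character at an unknown position are assumptions.

```python
from fractions import Fraction
from itertools import permutations, product

LOCKOUT_ATTEMPTS = 5  # from the article: disabled after five wrong attempts

def smudge_candidates(marks):
    """All sign-in sequences consistent with a set of visible smudges.

    marks: list of (label, kind), kind in {'tap', 'line', 'circle'}.
    Order is unknown; each line or circle has two possible directions.
    """
    out = set()
    for order in permutations(marks):
        choices = [("-",) if kind == "tap" else ("fwd", "rev")
                   for _, kind in order]
        for dirs in product(*choices):
            out.add(tuple((label, d) for (label, _), d in zip(order, dirs)))
    return out

def shifted_password_candidates(chars):
    """Assumption: exactly one character was typed with Shift, position unknown."""
    out = set()
    for order in permutations(chars):
        for i in range(len(order)):
            out.add(tuple(c.upper() if j == i else c
                          for j, c in enumerate(order)))
    return out

def guess_probability(n_candidates, attempts=LOCKOUT_ATTEMPTS):
    """Chance that distinct guesses hit before lockout, candidates equally likely."""
    return Fraction(min(attempts, n_candidates), n_candidates)

# Constructed sample inputs (labels are placeholders for screen positions).
TAPS = [("p1", "tap"), ("p2", "tap"), ("p3", "tap"), ("p4", "tap")]
DIRECTIONAL = [("p1", "line"), ("p2", "circle"), ("p3", "line"), ("p4", "circle")]
MIXED = [("p1", "tap"), ("p2", "tap"), ("p3", "line"), ("p4", "circle")]

if __name__ == "__main__":
    for name, marks in (("taps", TAPS), ("lines/circles", DIRECTIONAL), ("mixed", MIXED)):
        n = len(smudge_candidates(marks))
        print(f"{name}: {n} candidates, P(guess before lockout) = {guess_probability(n)}")
    print("one shifted char:", len(shifted_password_candidates("abcd")))
```

Under this model the five-attempt lockout caps an observer's chance at 5 in 24 for a tap-only set and 5 in 384 for four lines and circles, which is why mixing in directional gestures matters more than the raw gesture count.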

Windows 8 will offer domain administrators the choice to disable the picture password.
