News - Windows 8 picture passwords explained

[HEXUS]

Microsoft lifts the lid on the secondary log-in method for upcoming OS.

Read more.

[Lee H]

I wonder how many people are going to use phalic shapes as their password when this launches

[j.o.s.h.1408]

carbon copy of androids ice creame sandwitch lock screen

[MrRobin]

Won't anyone looking over your shoulder be able to easily copy your 'password'? Much easier that watching someone tap keys on the keyboard...

[Mighty God]

Sounds very similar to some authentication methods already in place on android phones..

The touch-screen 'smudges' is a big disadvantage / security flaw IMO though!!

[leonkehoe]

I like it. Clever.

[shaithis]

I do like the idea of controlling it via mouse.

I do use the swipe unlock on Android but it seems to lend itself more to a smaller device....although even so, I have still watched a few people unlock theirs recently and all of them I could have repeated instantly.

[miniyazz]

And, as mentioned before, when I (briefly) tried the similar Android unlock screen, it was easily apparent what the logon swipe was, based on the grease pattern visible when turning the screen off and shining a light at an angle. This will have totally the same flaw unless using a mouse.

[Noxvayl]

Sounds interesting but I'm not convinced it is more secure. It provides few obvious security benefits in my opinion.

I guess it's major selling point would be convenience, drawing a shape with your finger or mouse should be quicker and easier than typing a password.

[kingpotnoodle]

Far far too vulnerable to the over the shoulder problem.

The grease trail issue can be partially solved using overlapping patterns so its not clear where the grease trail goes, but its still easier to observe than a long password with uses of the shift key.

Face recognition or finger prints are far better than this if you're too lazy to type, better still with a 6 number pin for 2 factors

[TheAnimus]

Thing is this isn't ment to be that secure, the other thing is unlike a mobile phone I'd wager that the time spent using the device per session is longer.

By this I mean I frequently unlock my mobile for a few seconds, I don't with a tablet, I also normally want to use the tablet for a much longer peroid of time before its "GOD DAMN ****EATING SAFARI WHY YOU NO LIKE YOUR TABS?!" and I slam it in to the wall once again knowing apple fans lied to me.

As such the 'finger trail' should be much less of an issue. However this is only really for casual users, the same who often have no password.

[wasabi]

Hi helpdesk. The tablet isn't accepting my squiggle. Can you reset it.

[Funkstar]

I think this is more about preventing accidental activation rather than security. I know my Desire's slide down to unlock has been opened by just being in my pocket, a pattern would prevent this from happening, this is just a more unique way of doing a unique pattern.

[kingpotnoodle]

I think this is more about preventing accidental activation rather than security. I know my Desire's slide down to unlock has been opened by just being in my pocket, a pattern would prevent this from happening, this is just a more unique way of doing a unique pattern.

From the article:

"Microsoft says that this secondary log-in offers many more permutations than a standard password and will therefore make systems more secure, though it has acknowledged that smudges on the screen could give away passwords and suggests that users clean their screens regularly."

That is a bull**** claim. A good password has trillions of combinations (at worst say 26^8), there are not trillions of distinct points on a picture, the screen only as a few million pixels at most and it will be less discerning than individual pixel accuracy.

[miniyazz]

From the article:

"Microsoft says that this secondary log-in offers many more permutations than a standard password and will therefore make systems more secure, though it has acknowledged that smudges on the screen could give away passwords and suggests that users clean their screens regularly."

That is a bull**** claim. A good password has trillions of combinations (at worst say 26^8), there are not trillions of distinct points on a picture, the screen only as a few million pixels at most and it will be less discerning than individual pixel accuracy.

Maths fail

For starters, no-one is saying a password has to have 8 characters in it, and I'm certain many log-on passwords don't.

Anyway, take your typical (today) mobile screen @ 480x800. Say you can only select to the nearest 5x5, so 15360 possible points on the screen. Let's suppose we have three points in the password.. that gives roughly 3.6x10^12 permutations. Going back to your 8 character password example, that gives roughly 2.1x10^11 permutations.

Granted, you might argue that a typing-based password would include digit and symbol character spaces, and possibly more than 8 characters. But equally, there is no way I'm having some long complicated password like that on my phone, and probably 90% of those who have a password on their phone (rather than a swipe/pattern thing) have four digits - just 1x10^4 permutations.

From the other point of view, if this is used on laptops, you have far more screen estate to play with. On your typical 1366x768 laptop, those three points give you roughly 7.3x10^13 permutations.. contrast that with roughly 7.5x10^13 permutations for a 7 character password from upper and lower case text, numbers, and symbols*.

Given how much easier it is to increase the permutations for the pattern password (~3.1x10^23 permutations for a five point password vs ~6.1x10^23 permutations for a 12 character password encompassing upper case, lower case, digits and symbols), their argument makes some sense.

Personally I think it's less secure for the grease mark reason, I'm just playing devil's advocate.

*96 characters total, calculated from all the characters on my keyboard

[dlanijer]

cool