Though it's common not to have a password on a home computer, and some even skip it on their personal mobile devices, it's the first and most important barrier protecting a company's data. Windows 8 will provide a number of ways of securing your password, and Microsoft recently talked more about a feature called Picture Password as a new way to authenticate without standard passwords and pins. Will this feature have your business tapping and drawing its way to more secure devices?
Traditionally, authenticating to a device involves typing in a password or PIN. Unfortunately, users tend to choose passwords that are easy to remember, or using characters that they relate to. This makes it easier for attackers who know something about you to guess passwords. Character-based passwords are also vulnerable to keylogging, where malware installed on the device can detect the specific keystrokes and easily reproduce them.
A newer authentication technique involves drawing on a device's touchscreen. Google has a patent pending on its Android pattern-based unlock screen, in which you connect dots in a nine-dot grid. A drawback of this method is that it tends to leave smudges on the screen, so that an attacker with possession of the device could see the pattern.
Microsoft's Picture Password for the upcoming Windows 8 was designed to avoid the issues that accompany keyboard and pattern-based passwords. The technique starts with you providing a picture. You can position the picture as you like, and are then prompted to make gestures on the picture that become your authentication signature. There are three gesture types you can use; a tap, a circle, and a line. In a demo video at the bottom of this Windows blog post, the demonstrator draws a picture around his father's head, connects his sister's noses with a line, and taps on his mother's nose.
Each gesture you make must be in the correct order and proper position, and have the proper directionality. While a single tap isn't very secure, offering only 270 acceptable inputs, using eight taps increases the options to over 13 quadrillion inputs. Circles are even more complex, with seven circles providing almost one quintillion options.
The point of Picture Password is not just to increase the complexity of passwords, but to provide a secure login that is faster than on a touch keyboard. With as few as three gestures, a Picture Password can still provide over one trillion combinations, compared with 81,120 for character-based, and 1,000 for numeric, while still taking an average of less than four seconds to complete.
Pictures Password still requires a touchscreen, though Microsoft mentions that it can be utilized with a mouse. So, aren't smudges still a problem? Yes, you're still likely to leave smudges on your screen when entering a Picture Password. But, even if your screen were perfectly clean and three gestures were clearly visible on it, order and directionality complicate its replication. Those three specific gestures still have over one billion possible combinations.
Useful to Business?
Picture Password is not a replacement for the traditional text-based password. In fact, you'll need to enter your password before creating a Picture Password, or if that password is attempted five times incorrectly. Nor will it protect you from someone looking over your shoulder while you log in.
So, will this be useful for Windows 8? On mobile touchscreen devices, its combination of a personalized picture and a higher level of security should make it a desirable and possibly mandatory feature. But, with most business desktops and laptops not having touchscreens, it's far less likely to be used in the office, where standard passwords will still rule.