The Great Untapped Potential of Windows 8 Picture Passwords
Windows 8 lets you use a series of gestures to log into your PC, a minor improvement with big implications.
Fri, February 22, 2013
PC World — Love it or hate it, Windows 8 is the bellwether for PCs. Where Microsoft goes, PCs follow. And now Microsoft is making a grab for the mobile market, too. The latest version of Windows is designed with touchscreens in mind, and one bright side of that evolution is the addition of features that make Windows more intuitive and easier to use on all devices.
Windows 8 picture passwords are an example of such a feature--a new, alternative password system that most Windows 8 users aren't even aware of.
Actually, the term picture password is a bit of a misnomer. Sure, the password allows you to log in to your machine using a picture instead of an alphanumeric string of characters, but what you're actually doing is sketching a custom sequence of gestures on top of a picture to verify your identity. For example, if you use a photo of your family, you might sketch a straight line from one person's nose to the next person's nose. Calling these passwords gesture passwords would be more appropriate, but admittedly, that name doesn't have the same alliterative appeal.
Worse, highlighting the feature's similarity to the gesture-based login systems on phones and tablets could further alienate die-hard desktop owners already leery of Windows 8. And that's a shame, because picture passwords are a nice alternative to traditional passwords and should have been integrated into PC operating systems a long time ago.
Such passwords aren't inherently better than your old alphanumeric passwords, but they could be a more convenient (and no less secure) way to log in to your PC.
Gestures are an alternative, not an improvement
Microsoft clearly designed picture passwords with mobile devices in mind, since trying to type a traditional 8- to 16-character alphanumeric password with a virtual keyboard is a recipe for rage. That said, the picture password feature works well enough on nontouch systems too--simply substitute your mouse for your fingertip.
Sketching a series of complex gestures takes a little longer than typing a traditional alphanumeric string on a desktop PC (long live the keyboard), but it's still easier than remembering a complex string of characters; and it's roughly equivalent in terms of security. And, arguably, picture passwords are a little more secure on desktops than on touchscreen devices, because you don't have to worry about anyone guessing your gesture password by examining your monitor for greasy fingerprints.
That last scenario may sound like something out of a trashy espionage thriller, but the threat of a "smudge attack" is real enough to warrant serious study. Researchers at the University of Pennsylvania coined the term in 2010 when they were able to successfully deduce gesture passwords used to unlock Android phones from smudge marks left on the screen. You can read the full study for more details, but the most important takeaway is that while gestures are faster, simpler, and more convenient to use when you're logging in to a touch-capable device, they have their own unique vulnerabilities and aren't necessarily any safer than traditional alphanumeric passwords.