The “picture passwords” used in Windows 8 machines are more vulnerable than Microsoft hoped, a research team claims. An analysis of more than 10,000 picture passwords found that a significant percentage could be cracked – due to the predictable “points of interest” that users chose.
The “gesture” passwords allow users to pick points in an image, instead of using a text-based password.
People tend to choose faces, colourful points and eyeglasses, so it’s often possible to “guess” such passwords, the team from Arizona State University and Delaware State University say, as reported by Information Week. The team developed algorithms which could crack picture passwords with a high success rate.
In a paper presented at the Usenix Conference this month, “On the Security of Picture Gesture Authentication,” the reseearchers, computer science doctoral student Ziming Zhao and computer science master’s degree student Jeong-Jin Seo, along with Hongxin Hu, now an assistant professor of at Delaware State University, found that people’s choice of “gesture” password tended to follow patterns.
“By analying the collected passwords, we notice that subjects frequently chose standout regions (points of interest, PoIs) on which to draw,” the researchers say. “Only 9.8% subjects claimed to choose locations randomly without caring about the background picture. 60.3% of subjects prefer to find locations where special objects catch their eyes while 22.1% of subjects would rather draw on special shapes.”
“Our approach cracked 48.8% passwords for previously unseen pictures in one of our datasets,” the researchers say. Ahn’s team developed algorithms that could identify the points of interest which users were likely to choose for password patterns.
“Based on the user habits and patterns we created a ranked pattern dictionary,” he explains. Ahn created “password strength meters” – similar to those used on websites to rank typed passwords – to categorize picture passwords.
Ahn suggests, according to Information Week, that Microsoft could adopt such an approach – pointing out that even in Windows 8 adverts, users are selecting obvious, and easily guessable, “points of interest”.
“Our approach was able to crack a considerable portion of picture passwords in various situations,” the researchers write. “We believe the findings and attack results could advance the understanding of background draw-a-secret and its potential attacks.”
Author Rob Waugh, We Live Security