Windows 8 picture passwords: Their great untapped potential

Windows 8 lets you use a series of gestures to log into your PC, a minor improvement with big implications.

Love it or hate it, Windows 8 is the bellwether for PCs. Where Microsoft goes, PCs follow. And now Microsoft is making a grab for the mobile market, too. The latest version of Windows is designed with touchscreens in mind, and one bright side of that evolution is the addition of features that make Windows more intuitive and easier to use on all devices.

Windows 8 picture passwords are an example of such a feature--a new, alternative password system that most Windows 8 users aren't even aware of.

Actually, the term picture password is a bit of a misnomer. Sure, the password allows you to log in to your machine using a picture instead of an alphanumeric string of characters, but what you're actually doing is sketching a custom sequence of gestures on top of a picture to verify your identity. For example, if you use a photo of your family, you might sketch a straight line from one person's nose to the next person's nose. Calling these passwords gesture passwords would be more appropriate, but admittedly, that name doesn't have the same alliterative appeal.

Worse, highlighting the feature's similarity to the gesture-based login systems on phones and tablets could further alienate die-hard desktop owners already leery of Windows 8. And that's a shame, because picture passwords are a nice alternative to traditional passwords and should have been integrated into PC operating systems a long time ago.

Such passwords aren't inherently better than your old alphanumeric passwords, but they could be a more convenient (and no less secure) way to log in to your PC.

Gestures are an alternative, not an improvement

Microsoft clearly designed picture passwords with mobile devices in mind, since trying to type a traditional 8- to 16-character alphanumeric password with a virtual keyboard is a recipe for rage. That said, the picture password feature works well enough on nontouch systems too--simply substitute your mouse for your fingertip.

Sketching a series of complex gestures takes a little longer than typing a traditional alphanumeric string on a desktop PC (long live the keyboard), but it's still easier than remembering a complex string of characters; and it's roughly equivalent in terms of security. And, arguably, picture passwords are a little more secure on desktops than on touchscreen devices, because you don't have to worry about anyone guessing your gesture password by examining your monitor for greasy fingerprints.

That last scenario may sound like something out of a trashy espionage thriller, but the threat of a "smudge attack" is real enough to warrant serious study. Researchers at the University of Pennsylvania coined the term in 2010 (Aviv et al., "Smudge Attacks on Smartphone Touch Screens") when they were able to deduce the pattern-unlock gestures used on Android phones from the oily smudge marks left on the screen, in many cases even after the screen had been wiped or the phone put in a pocket. You can read the full study for more details, but the most important takeaway is that while gestures are faster, simpler, and more convenient to use when you're logging in to a touch-capable device, they have their own unique vulnerabilities and aren't necessarily any safer than traditional alphanumeric passwords.

We're likely to see a rash of new hacking techniques targeted specifically at touchscreen PCs, so if you're going to add a gesture password to your Windows 8 PC, make sure it's a good one.

How to create a strong picture password

Thankfully, setting up a picture password in Windows 8 is child's play. Just remember that you need to have a locally accessible image to use as the foundation of your picture password before you begin. You also need an alphanumeric password linked to your account in case of emergency, so make sure it's something strong. If the picture password feature fails for any reason, or if you simply forget the gestures you've chosen, you can use your plain-text password to log in to your system.

First, press the Win-W key combination and search for Picture Password. Under the Settings category of results, you should find an entry for Change to create picture password; launching that wizard is the first step in creating your custom picture password.

When the picture password wizard first opens, you're greeted with a big ol' page of PC Settings. Click the Create picture password button about halfway down the page. If you haven't already assigned a plain-text password to your account, you must take care of that before Windows 8 will allow you to continue.

After clicking the Create picture password button, you'll be asked to enter your plain-text password. Once Windows 8 verifies that you are who you say you are, you must sit through a quick animation that explains the types of gestures you can assign to your picture. In short, a picture password consists of exactly three gestures, and each of the three can be a tap/click, a straight-line drag, or a circle, in any combination.

Click the Choose picture button, browse to your preferred image directory, and choose the image you'd like to use as a base for your gestures. The picture is the only thing you'll see when logging in, so try to pick an image with a resolution sufficient that the image remains attractive when splayed across your screen. Once you select the image, you're asked to position it on-screen; simply drag the image to your desired location and click the Use this picture button.

Time to start gesturing. This process is obviously designed for touchscreen PCs and tablets, but it works with a mouse as well. Remember the order and direction of all of the gestures you drew on the screen; if you draw a line from left to right in the image, for example, you'll also have to draw the line from left to right when unlocking your system.

For maximum security, avoid taps and use circles and lines exclusively. These gestures are harder to guess because they incorporate both positional data and directional data, so an unauthorized user would need to correctly deduce the start point, end point, and direction of a line, or the center, size, and direction (clockwise or counterclockwise) of a circle, rather than a single point. Every security expert we spoke to about this process cautioned against using gestures that follow the contours of the image in predictable ways, like circling faces or drawing lines between landmarks, because an attacker who sees your picture will try those first. Instead, pick an image with strong contrast to create bright reference points, and come up with a creative, convoluted series of gestures to make your password extra strong.
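To make the "positional plus directional data" argument concrete, here is a crude counting model, written for this article as an added example rather than anything Microsoft has published. It assumes the canvas can be modeled as an N-by-N grid of distinguishable anchor points (N = 10 below, my own choice) and that a circle is identified by its center, one of N radius buckets, and its direction; real matching uses a tolerance window around each gesture, so these figures are upper bounds on the guessing effort, not measurements. The 8-character alphanumeric baseline is included for comparison with the password the feature replaces.

```powershell
# Added example (not from the article): rough size of the gesture space for a
# three-gesture Windows 8 picture password under a simple grid model.
# ASSUMPTIONS: N x N grid of anchor points; a line is an ordered pair of
# distinct points (so it carries direction); a circle is centre + radius
# bucket + clockwise/counterclockwise. Tolerance windows are ignored.
function Get-GestureBits {
    param([int]$N = 10)   # grid resolution is an assumption, not a Windows constant
    $p = $N * $N
    $space = @{
        tap    = $p                # position only
        line   = $p * ($p - 1)     # start point, end point, direction implied by order
        circle = $p * $N * 2       # centre, radius bucket, direction
    }
    $combos = @('tap,tap,tap', 'tap,tap,line', 'circle,circle,circle',
                'line,circle,line', 'line,line,line')
    $rows = foreach ($combo in $combos) {
        $total = [long]1           # long avoids int32 overflow on line^3
        foreach ($g in $combo.Split(',')) { $total *= $space[$g] }
        [pscustomobject]@{
            Gestures     = $combo
            Combinations = $total
            Bits         = [math]::Round([math]::Log($total, 2), 1)
        }
    }
    # Baseline the article compares against: 8 characters from [A-Za-z0-9]
    $rows += [pscustomobject]@{
        Gestures     = '8 alphanumeric chars'
        Combinations = [long][math]::Pow(62, 8)
        Bits         = [math]::Round(8 * [math]::Log(62, 2), 1)
    }
    $rows
}

Get-GestureBits | Format-Table -AutoSize
```

With N = 10, three taps give about 20 bits, three circles about 33, three lines about 40, against roughly 48 bits for the 8-character baseline; a finer grid raises the gesture figures. The number that matters in practice, though, is not the size of the space but how quickly a guesser who can see your picture would land on the obvious gestures, which is why the advice above is to avoid circling faces and connecting landmarks.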

Once you've finished doodling your new password, you should be ready to rock. Windows 8 defaults to the picture password anytime the system is locked or restarted, and ideally all you have to do is draw your gestures on screen to unlock the system.

If you want to switch gears and input your plain-text password instead, just tap the corresponding button in the left pane of the picture password screen. You should also be aware that picture password logins can be disabled through Group Policy (the "Turn off picture password sign-in" setting under Computer Configuration, Administrative Templates, System, Logon), which blocks domain accounts from setting up or signing in with one; many businesses do not allow picture passwords to be used on networked machines for security reasons, so be prepared for that if you plan to bring your Windows 8 device to work.
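If you administer such machines, the policy is easy to audit and enforce from PowerShell. The snippet below is an added example, not code from the article or from Microsoft: it reads and writes the registry value that the "Turn off picture password sign-in" policy sets (the key and value name are taken from the Windows 8 Group Policy reference; verify them against the ADMX files in your environment). Because the policy governs domain accounts only, a local account on a non-domain PC is unaffected by it.

```powershell
# Added example (not from the article): audit and optionally enforce the
# "Turn off picture password sign-in" policy. Writing the value requires an
# elevated prompt; on a domain-joined machine prefer a real GPO so the
# setting is re-applied centrally rather than hand-edited.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$PolicyName = 'BlockDomainPicturePassword'   # DWORD: 1 = blocked, 0 = allowed

function Get-PicturePasswordPolicy {
    # Returns 'Blocked', 'Allowed' (explicitly set to 0) or 'NotConfigured'.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$PolicyName -eq 1) { return 'Blocked' }
    return 'Allowed'
}

function Set-PicturePasswordPolicy {
    # Writes the same DWORD the Group Policy editor would. -Block $true
    # is the "weak setting corrected" case the article describes for
    # corporate machines; -Block $false restores the default behaviour.
    param([Parameter(Mandatory)][bool]$Block)
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord `
        -Value ([int]$Block) -Force | Out-Null
    "Picture password sign-in for domain accounts is now: $(Get-PicturePasswordPolicy)"
}

"Picture password sign-in for domain accounts: $(Get-PicturePasswordPolicy)"
# To enforce the corporate setting:   Set-PicturePasswordPolicy -Block $true
# To remove the block again:          Set-PicturePasswordPolicy -Block $false
```

Run the audit line on a machine you are about to take to work and you will know in advance whether the picture password you just set up will be accepted there; if the value reports Blocked, the sign-in screen will fall back to your text password, which is one more reason to make that password a strong one.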


Stories by Alex Wawro and Marco Chiappetta
