Windows 8 Update: Picture passwords not so terribly insecure, researcher says

The security of Windows 8 picture passwords might not be as weak as some recent headlines indicate, and there are ways to maximize how hard they are to crack, researchers say.

Unlocking a Windows 8 machine by tapping points, circling objects and drawing lines over an image on a touchscreen is no less secure than using a four-digit PIN to secure a cell phone's SIM card, says Sophos researcher Paul Ducklin on the NakedSecurity blog.


And by following advice issued by Microsoft itself, picture passwords can be made significantly more secure.

The issue came up when researchers at the Usenix Security Symposium proposed a scheme improving attackers' odds of defeating the picture passwords, and flashy headlines about the paper said the research found that picture passwords were easily cracked.

Picture password security admittedly can be not-so-great, Ducklin notes, depending on how many gestures are used and how many points of interest the security picture contains. A point of interest is an area in a picture such as a face, animal, building etc. that people may commonly choose to include in the password by tapping, circling or drawing a line to.

Microsoft has developed a formula for figuring out how many possible passwords can be squeezed out of a single image based on the number of gestures and points of interest: (m × (1 + 2 × 5 + (m − 1)))^n, where m is the number of points of interest in the photo and n is the number of gestures in the picture password. So more points of interest in the picture, and particularly more gestures, can significantly increase the number of possibilities and hence the security.

Also, the types of gestures chosen can increase the difficulty of mimicking them. A circle is more difficult than a tap and a line is more difficult than a circle, Microsoft researchers say. So a password with five gestures, all taps, would be easier to guess than one with five gestures, all lines.

To discourage brute force attacks against picture passwords, the system defaults to a traditional text password after five failed attempts with gestures.
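The following is an added example, not code from the article, Microsoft or Sophos. It evaluates the combination-count formula quoted above for a given number of points of interest (m) and gestures (n), compares the result with the 10^4 space of a four-digit PIN that the article uses as a yardstick, and shows how little a five-attempt budget buys an attacker before the fallback to a text password. The split of the formula into tap, circle and line terms is an assumption drawn from the formula's shape, not something the article states.

```python
# Added example (not from the article or Microsoft): evaluate the quoted
# picture-password formula and compare it with a four-digit PIN.

PIN_SPACE = 10 ** 4          # four-digit PIN, as used in the article
LOCKOUT_ATTEMPTS = 5         # gesture attempts before text-password fallback


def gesture_options(m: int) -> dict:
    """Per-gesture option counts for a picture with m points of interest.

    Assumed decomposition of the quoted factor m * (1 + 2*5 + (m - 1)):
      tap    -> m            (one tap per point of interest)
      circle -> m * 2 * 5    (the 2*5 term, per point of interest)
      line   -> m * (m - 1)  (a line from each point to another point)
    """
    return {"tap": m, "circle": m * 2 * 5, "line": m * (m - 1)}


def picture_password_space(m: int, n: int) -> int:
    """Number of n-gesture picture passwords, exactly as the formula reads."""
    return (m * (1 + 2 * 5 + (m - 1))) ** n


def taps_only_space(m: int, n: int) -> int:
    """Space if every one of the n gestures is a tap (weakest choice)."""
    return gesture_options(m)["tap"] ** n


def lines_only_space(m: int, n: int) -> int:
    """Space if every one of the n gestures is a line (strongest choice)."""
    return gesture_options(m)["line"] ** n


def guess_probability(space: int, attempts: int = LOCKOUT_ATTEMPTS) -> float:
    """Chance that `attempts` distinct random guesses hit a uniformly chosen
    secret drawn from `space` before the lockout fallback kicks in."""
    return min(1.0, attempts / space)


if __name__ == "__main__":
    for m, n in [(5, 3), (10, 3), (10, 5)]:
        total = picture_password_space(m, n)
        print(f"m={m} n={n}: {total:,} passwords "
              f"({total / PIN_SPACE:,.0f}x a 4-digit PIN); "
              f"taps only {taps_only_space(m, n):,}, "
              f"lines only {lines_only_space(m, n):,}; "
              f"5-guess success {guess_probability(total):.2e}")
```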

Surface Pro Power Cover

It's been rumored since early this year, but now it seems a Surface Pro keyboard that contains a supplemental battery is actually being worked on, according to Paul Thurrott's Windows Supersite.

Dubbed Power Cover, the device would contain a battery of its own that would connect via the magnetic keyboard dock, doubling the battery time of Surface Pro. The report says Power Cover doesn't work with Surface RT.

The new device employs the same typing technology as the current Type keyboard, whose keys actually depress slightly and click when tapped. Microsoft also offers a Touch keyboard that is flat and responds to finger pressure but the keypads don't actually move.

Power Cover will work with the current Surface Pro, which features power contacts on its docking surface that are not currently used, as well as with the next-generation Surface RT (to be known as Surface 2) and the next-generation Surface Pro (to be known as Surface Pro 2). At 1.1 pounds it weighs twice as much as the current Touch keyboard. The battery life of the next generation of Surface Pros is likely to improve even without the new keyboard/cover because it will be based on the power-miserly Haswell chip.

There's no pricing yet and the new keyboard is expected to ship by the end of the year.

Surface Pro 2

The upcoming version of Surface Pro will have the Haswell chip as noted above, but will also boast other improvements.

According to Thurrott, Microsoft will offer a RAM option of 8GB in addition to the current 4GB. And the kickstand that props up the device will lock in two positions rather than just one.

Surface Phone?

Microsoft is buying up the Nokia and Lumia names with its purchase of Nokia's phone division, but won't be using them, according to a Q&A with Nokia marketing chief Tuula Rytilä.

"On smartphones, we'll be seeking to create a unified brand across Lumia and Windows," she says, but doesn't say what that brand will be.

It would be in keeping with Microsoft marketing to drop the Surface name onto the phones, furthering the company's effort to get customers to think of phones, tablets, laptops and PCs as all part of the same ecosystem and giving some unification to the company's product-naming convention.

Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at and follow him on Twitter @Tim_Greene.
