Windows 8 Update: Picture passwords not so terribly insecure, researcher says
09 September, 2013 18:04
The security of Windows 8 picture passwords might not be as weak as some recent headlines indicate, and there are ways to maximize how hard they are to crack, researchers say.
Unlocking a Windows 8 machine by tapping points, circling objects and drawing lines over an image on a touchscreen is no less secure than using a four-digit PIN to secure a cell phone's SIM card, says Sophos researcher Paul Ducklin on the NakedSecurity blog.
And by following advice issued by Microsoft itself, picture passwords can be made significantly more secure.
The issue came up when researchers at the Usenix Security Symposium proposed a scheme improving attackers' odds of defeating the picture passwords, and flashy headlines about the paper said the research found that picture passwords were easily cracked.
Picture password security admittedly can be not-so-great, Ducklin notes, depending on how many gestures are used and how many points of interest the security picture contains. A point of interest is an area in a picture, such as a face, animal or building, that people may commonly choose to include in the password by tapping it, circling it or drawing a line to it.
Microsoft has developed a formula for figuring out how many possible passwords can be squeezed out of a single image based on the number of gestures and points of interest: $(m \cdot (1 + 2 \cdot 5 + (m - 1)))^n$, where m is the number of points of interest in the photo and n is the number of gestures in the picture password. So more points of interest in the picture, and particularly more gestures, can significantly increase the number of possibilities and hence the security.
Also, the types of gestures chosen can increase the difficulty of mimicking them. A circle is more difficult than a tap and a line is more difficult than a circle, Microsoft researchers say. So a password with five gestures, all taps, would be easier to guess than one with five gestures, all lines.
To discourage brute force attacks against picture passwords, the system defaults to a traditional text password after five failed attempts with gestures.
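The formula and the five-attempt limit can be combined into a quick sizing check. The following Python sketch is an added example, not code from Microsoft or the researchers; it assumes every gesture sequence is equally likely (real users favor obvious points of interest, so these figures are upper bounds on strength), and the function names and sample values of m and n are constructed for illustration.

```python
import math
from fractions import Fraction

PIN_SPACE = 10 ** 4       # four-digit PIN, the article's comparison point
LOCKOUT_ATTEMPTS = 5      # gesture attempts before fallback to a text password


def gesture_space(m: int, n: int) -> int:
    """Number of picture passwords per the quoted formula:
    (m * (1 + 2*5 + (m - 1)))**n, m = points of interest, n = gestures."""
    if m < 1 or n < 1:
        raise ValueError("m and n must be positive integers")
    return (m * (1 + 2 * 5 + (m - 1))) ** n


def entropy_bits(m: int, n: int) -> float:
    """Equivalent bits, assuming uniformly random gesture choice (assumption)."""
    return math.log2(gesture_space(m, n))


def online_guess_probability(m: int, n: int,
                             attempts: int = LOCKOUT_ATTEMPTS) -> Fraction:
    """Chance that distinct guesses succeed before the lockout triggers,
    again assuming the user picked uniformly at random (assumption)."""
    space = gesture_space(m, n)
    return Fraction(min(attempts, space), space)


def min_gestures_to_match(m: int, target: int = PIN_SPACE) -> int:
    """Smallest n for which the picture-password space reaches `target`."""
    n = 1
    while gesture_space(m, n) < target:
        n += 1
    return n


if __name__ == "__main__":
    # Constructed sample values: pictures with 1, 5 and 10 points of interest.
    for m in (1, 5, 10):
        n = min_gestures_to_match(m)
        print(f"m={m:2d}: needs n={n} gestures to reach a 4-digit PIN's space; "
              f"space={gesture_space(m, n):,} (~{entropy_bits(m, n):.1f} bits), "
              f"5-guess success={float(online_guess_probability(m, n)):.2e}")
```

The output shows how quickly a picture with few points of interest falls below the PIN baseline unless more gestures are used.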
Surface Pro Power Cover
Dubbed Power Cover, the device would contain a battery of its own that would connect via the magnetic keyboard dock, doubling the battery time of Surface Pro. The report says Power Cover doesn't work with Surface RT.
The new device employs the same typing technology as the current Type keyboard, whose keys actually depress slightly and click when tapped. Microsoft also offers a Touch keyboard that is flat and responds to finger pressure but the keypads don't actually move.
Power Cover will work with the current Surface Pro, which features power contacts on its docking surface that are not currently used, as well as with the next-generation Surface RT (to be known as Surface 2) and the next-generation Surface Pro (to be known as Surface Pro 2). At 1.1 pounds it weighs twice as much as the current Touch keyboard. The battery life of the next generation of Surface Pros is likely to improve even without the new keyboard/cover because it will be based on the power-miserly Haswell chip.
There's no pricing yet and the new keyboard is expected to ship by the end of the year.
Surface Pro 2
The upcoming version of Surface Pro will have the Haswell chip as noted above, but will also boast other improvements.
According to Thurrott, Microsoft will offer a RAM option of 8GB in addition to the current 4GB. And the device will have a kickstand to prop up the device that locks in two positions rather than just one.
Microsoft is buying up the Nokia and Lumia names with its purchase of Nokia's phone division, but won't be using them, according to a Q&A with Nokia marketing chief Tuula Rytilä.
"On smartphones, we'll be seeking to create a unified brand across Lumia and Windows," she says, but doesn't say what that brand will be.
It would be in keeping with Microsoft marketing to drop the Surface name onto the phones, furthering the company's effort to get customers to think of phones, tablets, laptops and PCs as all part of the same ecosystem and giving some unification to the company's product-naming convention.
Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at firstname.lastname@example.org and follow him on Twitter @Tim_Greene.