
Researchers develop attack framework for cracking Windows 8 picture passwords

Your unique picture gesture password for Windows 8 just got easier to crack.

By Ms. Smith on Thu, 09/05/13 - 11:41am.

We all know text-based passwords are not overly secure, so when Microsoft offered a Picture Gesture Authentication (PGA) system on Windows 8, many people chose that option. However, if you chose a photo of a person to set up your picture password and used tap, tap, tap as your gestures on the picture, with at least one of those taps on the eyes, then you chose the most common gesture type and facial area for picture-based authentication. It is also the most insecure and easiest to crack, according to new security research on Windows 8 PGA; the researchers also developed an attack framework and attack models.


After analyzing picture gesture authentication on more than 10,000 picture passwords collected from more than 800 subjects through online user studies, researchers found that regardless of what image you selected, your unique picture password gestures may not be so unique after all. Arizona State University, Delaware State University and GFS Technology Inc. researchers presented "On the Security of Picture Gesture Authentication" [pdf] at USENIX Security Symposium. The paper states:

Based on the findings of our user studies, we also propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system. Our approach is based on the concept of selection function that models users' password selection processes. Our evaluation results show the proposed approach could crack a considerable portion of collected picture passwords under different settings.

Picture Gesture Authentication on Windows 8

Overall, most people choose to upload one of their own photos to set up their picture gesture password, instead of using one that Microsoft provided. The researchers found that there is a relationship between background pictures and a user's identity, personality or interests, with 60.3% of users selecting areas on an image where "special objects" are located. The chosen picture password images ranged from celebrity photos to system screenshots, but the most commonly chosen picture category was of people. In fact, eyes are the most frequently chosen point of interest, followed by nose, hand/finger, jaw and face.
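To make the "selection function" idea concrete, here is an added example (not code from the paper or from Microsoft) of how an attacker can turn the findings above into an ordered guess list. It assumes the attacker has already located points of interest (PoIs) on the victim's background picture, models only the tap-tap-tap gesture pattern the article singles out, and ranks every ordered three-tap sequence by a prior that follows the article's reported ordering (eyes, then nose, hand/finger, jaw, face). The PoI coordinates, the numeric weights and the matching tolerance are all assumptions for the example, not values from the study; Windows 8 does accept taps that land near the enrolled point, but the exact radius is not given on this page.

```python
"""Ranked guessing of 3-tap picture passwords from a point-of-interest prior."""
import itertools
import math

# Constructed example image: named points of interest (PoIs) in a 100x75 grid.
# Coordinates are assumptions for this example, not data from the study.
POIS = {
    "left_eye": (30, 25),
    "right_eye": (50, 25),
    "nose": (40, 36),
    "face": (40, 45),
    "jaw": (40, 58),
    "finger": (70, 60),
}

# Prior on where users tap, following the article's ordering (eyes first, then
# nose, hand/finger, jaw, face). The numeric weights are assumed, not from the paper.
POI_WEIGHT = {
    "left_eye": 5.0,
    "right_eye": 5.0,
    "nose": 3.0,
    "finger": 2.0,
    "jaw": 1.5,
    "face": 1.0,
}

# Matching tolerance in grid units. Windows 8 accepts taps that land near the
# enrolled point; the exact radius is an assumption here.
TOLERANCE = 6.0


def tap_matches(guess, actual, tol=TOLERANCE):
    """A guessed tap counts as correct if it lands within `tol` of the real one."""
    return math.dist(guess, actual) <= tol


def password_matches(guess_taps, actual_taps, tol=TOLERANCE):
    """Order matters in PGA: the i-th guessed tap must land on the i-th enrolled tap."""
    return len(guess_taps) == len(actual_taps) and all(
        tap_matches(g, a, tol) for g, a in zip(guess_taps, actual_taps))


def ranked_guesses(pois=POIS, weights=POI_WEIGHT, gestures=3):
    """Enumerate every ordered sequence of `gestures` taps on PoIs, most likely first.

    The score is the product of the per-PoI weights: a crude selection function
    standing in for the one the paper learns from its user studies.
    """
    names = sorted(pois)
    seqs = itertools.product(names, repeat=gestures)

    def score(seq):
        return math.prod(weights[n] for n in seq)

    # Higher score first; ties broken by name so the order is deterministic.
    return sorted(seqs, key=lambda s: (-score(s), s))


def crack(actual_taps, pois=POIS, weights=POI_WEIGHT, tol=TOLERANCE):
    """Return the 1-based guess number at which the password falls, or None.

    None means the password never hit a PoI-guided guess, which is the case
    the attack model does not cover (the paper reports cracking a portion of
    passwords, not all of them).
    """
    for i, seq in enumerate(ranked_guesses(pois, weights, len(actual_taps)), 1):
        guess_taps = [pois[n] for n in seq]
        if password_matches(guess_taps, actual_taps, tol):
            return i
    return None


if __name__ == "__main__":
    # Constructed victim passwords: a typical eyes-then-nose password and one
    # placed deliberately away from every detected PoI.
    print(crack([(30, 25), (50, 25), (40, 36)]))
    print(crack([(5, 5), (5, 5), (5, 5)]))
```

The point of the ordering is that the eye-eye-nose password above is found on the 12th guess, whereas a blind search over the full grid would need to cover 100*75 positions per tap; a password placed off every detected PoI is simply never reached by this guess list, which is the population the attack framework cannot crack.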

Other users refused to use a picture of themselves, family, or friends because they believed it might "leak his or her identity or privacy" to "anyone who picks up the device." While some users chose a landscape photo because it "usually doesn't have any information about who you are," and others selected computer game posters or cartoons, the researchers said that choice doesn't necessarily protect your privacy. They wrote:

It is obvious that pictures with personally identifiable information may leak personal information. However, it is less obvious that even pictures with no personally identifiable information may provide some clues which may reveal