We all know text-based passwords are not overly secure, so when Microsoft offered a Picture Gesture Authentication (PGA) system on Windows 8, many people chose that option. However, if you chose a photo of a person to set up your picture password and used tap, tap, tap as your gestures on the picture—with at least one of those on the eyes—then you chose the most common gesture type and facial area for picture-based authentication. It is also the most insecure and easiest to crack, according to new security research on Windows 8 PGA; the researchers also developed an attack framework and attack models.
After analyzing picture gesture authentication on more than 10,000 picture passwords collected from more than 800 subjects through online user studies, researchers found that regardless of what image you selected, your unique picture password gestures may not be so unique after all. Arizona State University, Delaware State University and GFS Technology Inc. researchers presented "On the Security of Picture Gesture Authentication" [pdf] at USENIX Security Symposium. The paper states:
Based on the findings of our user studies, we also propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system. Our approach is based on the concept of selection function that models users' password selection processes. Our evaluation results show the proposed approach could crack a considerable portion of collected picture passwords under different settings.
Overall, most people choose to upload one of their own photos to set up their picture gesture password, instead of using one that Microsoft provided. The researchers found that there is a relationship between background pictures and a user's identity, personality or interests, with 60.3% of users selecting areas on an image where "special objects" are located. The chosen picture password images ranged from celebrity photos to system screenshots, but the most commonly chosen picture category was of people. In fact, eyes are the most frequently chosen point of interest, followed by nose, hand/finger, jaw and face.
Other users refused to use a picture of themselves, family, or friends because they believed it might "leak his or her identity or privacy" to "anyone who picks up the device." While some users chose a landscape photo because it "usually doesn't have any information about who you are," and others selected computer game posters or cartoons, the researchers said that doesn't necessarily protect your privacy. They wrote:
It is obvious that pictures with personally identifiable information may leak personal information. However, it is less obvious that even pictures with no personally identifiable information may provide some clues which may reveal
Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. Smith has a diverse background in information technology, programming, web development, IT consulting, and information security. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.
Smith is an independent contractor and is not affiliated with any vendor that makes or sells information technology.