Thursday, 24 April 2014

Windows 8: introducing picture passwords

By Matt Farrington-Smith
Forget trying to remember a complicated text password - Windows 8 introduces a different way of protecting your computer... the picture password.
A new form of password security is being introduced in Windows 8 - picture passwords. But what are they, why use them, and how do they work? Here are all the answers...
Why picture passwords?
Why introduce picture passwords in the first place? Steven Sinofsky - Microsoft's President of Windows Division - explained in a blog post: "One of the neat things about the availability of a touch screen is that it provides an opportunity to look at a new way to sign in to your PC... Providing a fast and fluid mechanism to sign in with touch is super important, and we all know that using alpha passwords on touch-screen phones is cumbersome."
What is a picture password?
A Windows 8 picture password involves drawing three gestures on a picture of your choice. Instead of having to pick from a generic set of Microsoft images, it is up to the user to select a memorable photo.
When drawing the gestures, you are free to use any combination of circles, straight lines or taps.
It is important to remember the size, position and direction of your gestures (and the order in which you make them) as they all form part of your picture password. You will need to redraw these same gestures whenever you log onto your Windows 8 device.
A visual representation of the picture password scoring function.
On the science behind the new method:
When you attempt to sign in with picture password, Windows evaluates the gestures you provide, and compares the set to the gestures you used when you set up your picture password. Windows then looks at the difference between each gesture and decides whether to authenticate you based on the amount of error in the set.
If a gesture type is wrong - it should be a circle, but instead it's a line - authentication will always fail. When the types, ordering, and directionality are all correct, Windows looks at how far off each gesture was from the ones it saw before, and decides if it's close enough to authenticate you.
Not for everyone
Microsoft recognises that this new password system isn't for everyone, as program manager Zach Pace explains:
"Although we're very happy with the robustness of a picture password, we know that there are a variety of businesses for which security is paramount, and anything less than a full password is unacceptable. As such, we've implemented group policy that gives a domain administrator the freedom to choose whether picture password can be used. And of course, on your home PC, picture password is optional as well."
Choosing a picture password
As with all forms of authentication, there are a number of best practices to follow when it comes to choosing a password.
In a further blog post Jeff Johnson, the Director of Development, offers password guidance and states some of the reasons why this new security measure is a robust solution.
"It is also interesting to compute the odds of an attack succeeding in various scenarios... Gestures are based on a 100 x 100 grid, giving even the simplest gesture (the tap) a potential of 10,000 values (given proximity matching, this number is effectively reduced to 270). In reality, the number of points of interest (POI) is much lower than that - there are only so many memorable locations in a given photograph."
"We assume that taps are directly on a POI, circles only come in two sizes (say, small around the point, and larger around the point) and two directions (clockwise and counterclockwise), and lines always connect two POIs. Because this isn't strictly true, the number of permutations is actually even greater."
Picture password tips
Pick a photo that has at least 10 points of interest. A point of interest is an area that can serve as a landmark for a gesture - a point that you would touch, places you would connect with a line, an area you would circle.
Use a random mixture of gesture types and sequence. If you choose to use a tap, a line, and a circle, randomly choose the order of those gestures; this creates 6 times as many combinations as a predictable order. And always be aware that smudges left on the screen by your finger could potentially identify your gestures.
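The simplified model in Jeff Johnson's quote and the "6 times" tip above can be checked by enumerating the gestures directly. This is an added example, not code from Microsoft or from the original article; it assumes that line direction counts (so a line from A to B differs from B to A), that every gesture is chosen uniformly at random, and the function names are made up for illustration. Real users favour obvious landmarks, so the figures are an upper bound on the effort a guesser needs.

```python
from itertools import permutations
from math import log2

def gestures(n_poi):
    """Enumerate every gesture allowed by the simplified model quoted above."""
    pois = range(n_poi)
    taps = [("tap", p) for p in pois]
    circles = [("circle", p, size, turn) for p in pois
               for size in ("small", "large") for turn in ("cw", "ccw")]
    # Assumption: direction counts, so A->B and B->A are different lines.
    lines = [("line", a, b) for a, b in permutations(pois, 2)]
    return taps, circles, lines

def keyspace(n_poi, n_gestures=3):
    """Ordered sequences of n_gestures gestures, any mix of types."""
    return sum(len(g) for g in gestures(n_poi)) ** n_gestures

def one_of_each(n_poi, fixed_order):
    """Passwords made of exactly one tap, one line and one circle."""
    taps, circles, lines = gestures(n_poi)
    orders = [(taps, lines, circles)] if fixed_order else permutations((taps, lines, circles))
    return sum(len(a) * len(b) * len(c) for a, b, c in orders)

def guess_odds(n_poi, attempts):
    """Chance that `attempts` distinct uniform guesses include the password."""
    return attempts / keyspace(n_poi)

if __name__ == "__main__":
    for n in (5, 10, 15, 20):
        size = keyspace(n)
        print(f"{n:2d} POIs: {size:>12,} sequences (~{log2(size):.1f} bits)")
    print("tap/line/circle, fixed order:", one_of_each(10, True))
    print("tap/line/circle, any order:  ", one_of_each(10, False))
    # attempts=5 is a constructed value, not a figure from the article.
    print(f"odds with 5 guesses at 10 POIs: {guess_odds(10, 5):.2e}")
```

The count grows with the square of the number of points of interest per gesture, which is why the tip about picking a photo with at least 10 of them matters more than any other choice.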

It's up to you...
At this juncture it is important to remember that Windows 8 has not been designed exclusively for touch screens and tablets. Yes, it will support touch devices, but a classic Windows can also be found nestling inside. It's just a question of how you want to use Windows 8.
