Windows 8 Picture Passwords Easy to Crack, say Researchers

[exfileme]

Researchers have found a way to get past Picture Gesture Authentication.

Windows 8 Picture Passwords Easy to Crack, say Researchers : Read more

 

[DRosencraft]

I would say the first obvious step would be to require more than just three points of interest for the gesture entry. I don't know that you really need a research paper to point out that someone who is lazy about their password settings is going to pick the three most noticeable spots on the picture. Having five or six points should help a significant amount.

Further from that, however, alpha numeric passwords still seem to be the most logical and functional password protection so long as the user is smart about it and not putting in the obvious strings (QWERTY, 12345, Password, etc.).

But, this is mostly a moot point anyway since I don't know that most criminals are bothering with trying to crack your Windows password. I suspect that this story is meant less about Windows specifically, and more as a general warning to any company looking to use gesture input as an authentication method for any type of account (i.e bank, credit cards).

 

[althaz]

If a password has only 7-8 digits it's the exact opposite of secure. 12+ characters are a requirement for a secure password (there's a lot more, but 8 or less characters is absolutely worthless as it can be easily brute forced, which isn't realistically feasible for 12 character passwords yet).

 

[John Bauer]

Still took longer to crack than the iPhone's fingerprint scanner.

 

[Bloob]

So basically the problem is between the screen and the chair, as always.

 

[jalek]

The NSA supports this.

 

[Guest]

I find it rather silly to first use 800 subjects to study their patterns and then execute ill intent conclusions.

Firstly, if anyone with ill intention had access to 800 Win 8 machines why in their right mind would they care to crack a password. This is like saying that 60% of 800 bank customers use a pin consisting of "1234", and then go on to conclude that bank X has a poor security system. If a crook knew that there is a 60% chance that a bank debit card has 1234 pin then why would the crooks resort to steeling pin codes with various contraptions.

 

[Grandmastersexsay]

Log on passwords are relics of a bygone era when multiple people used one computer. Today, one person uses multiple computers. Most work computers are actually company issued laptops that are brought home each day.

Log on passwords are useless and ineffective. If you are one of the few people today who leave their computer vulnerable to physical attack, you would be better served with a drive encryption based password setup.

For the other 99% of us I recommend auto login. If your computer gets stolen, the criminal doesn't care about your work projects that you should have backed up anyway or your minecraft saves. Anyone who keeps sensitive information on their computer or information they can't easily replace is doing it wrong, and will probably get screwed over by a virus long before a physical attack on their computer would.

 

[_Cosmin_]

Just because anyone can guess your "special objects" on login image of Kate Upton naked... does not mean that login system has a flaw!

 

[apache_lives]

not as if passwords are secure either - normal Windows passwords can be stripped in under two minutes (XP - 8.1), Windows XP password protection is a joke

 

[juan83]

jajajajajaja how much cost this new windows OS?

 

[husker]

The windows password is not meant to be the final word in security. It is simply a "reasonable" attempt to keep prying eyes out of your stuff. Just like the lock on your front door is a reasonable attempt at keeping burglars out, they can always break a window (ha!) and get in. There are many other options you can pay for to suit your higher security needs.

 

[Solandri]

I find it rather silly to first use 800 subjects to study their patterns and then execute ill intent conclusions.

This is one of the counter-intuitive results of the math behind statistics. The accuracy of a sample depends only on the sample size, not the size of the sample relative to the population (for populations substantially larger than the sample).
http://en.wikipedia.org/wiki/Margin_of_error

A sample size of 800 gives you a 4.5% margin of error with a 99% confidence interval. That is, you can be 99% sure that the occurrence of a behavior in the general population is within 4.5% of the rate it occurs in the sample of 800. If 60% of the 800 people were choosing these areas of the picture, then you can be 99% sure that 55.5% - 64.5% of the general population is doing the same thing.