December 21, 2011, 4:14 PM — Though it's common not to have a password on a home computer, and some even skip it on their personal mobile devices, a password is the first and most important barrier protecting a company's data. Windows 8 will provide a number of ways of securing your password, and Microsoft recently talked more about a feature called Picture Password as a new way to authenticate without standard passwords and PINs. Will this feature have your business tapping and drawing its way to more secure devices?
Traditionally, authenticating to a device involves typing in a password or PIN. Unfortunately, users tend to choose passwords that are easy to remember or that use characters they relate to. This makes it easier for attackers who know something about you to guess passwords. Character-based passwords are also vulnerable to keylogging, where malware installed on the device can detect the specific keystrokes and easily reproduce them.
A newer authentication technique involves drawing on a device's touchscreen. Google has a patent pending on its Android pattern-based unlock screen, in which you connect dots in a nine-dot grid. A drawback of this method is that it tends to leave smudges on the screen, so that an attacker with possession of the device could see the pattern.
Microsoft's Picture Password for the upcoming Windows 8 was designed to avoid the issues that accompany keyboard and pattern-based passwords. The technique starts with you providing a picture. You can position the picture as you like, and are then prompted to make gestures on the picture that become your authentication signature. There are three gesture types you can use: a tap, a circle, and a line. In a demo video at the bottom of this Windows blog post, the demonstrator draws a picture around his father's head, connects his sisters' noses with a line, and taps on his mother's nose.
Each gesture you make must be in the correct order and proper position, and have the proper directionality. While a single tap isn't very secure, offering only 270 acceptable inputs, using eight taps increases the options to over 13 quadrillion inputs. Circles are even more complex, with seven circles providing almost one quintillion options.