Is Windows 8's picture password feature just a toy?

Microsoft made a big deal earlier this month about the picture password feature for the upcoming Windows 8 operating system. The official developers blog site for Windows 8 devoted not just one but two articles to the new system, which will give users the option to combine a picture with touch-screen movements to create what Microsoft calls a highly secure password system, if used correctly.

The picture password system does have a major critic. NetworkWorld.com reports that Kenneth Weiss, the creator of the two-factor authentication system SecurID, says of the Windows 8 picture password feature, "I think it's cute. I don't think it's serious security." Later he says, "It's more like a Fisher-Price toy than a serious choice for secure computer access."

One of the problems with such a system, according to Weiss, is that video cameras could record a person making the movements needed to unlock Windows 8, even from a distance. In a normal password system, the characters on the screen are replaced by dots when typed in by the user, making the act of recording such actions with a video camera more difficult.

Microsoft's Jeff Johnson does state in the second picture password post on the Windows 8 blog site, "As with all forms of authentication, when entering your picture password, avoid allowing other people to watch you as you sign in." He adds, "Keep your computer in a secure location where unauthorized people do not have physical access to it. As with any password entry, be aware of line of sight and potential recording devices that intrude on your screen."

Weiss also claims that backing up such a picture password system would be hard. He states, "To put down a description of the sequence is possible, but that's a lot of writing."

58 Comments


From what I saw in the developer version of Windows 8 ---> Ubuntu 11.10 owns it in every sense. In fact I don't ****ing even use Windows nowadays, only for gaming. Everything else Ubuntu!

Do they think that someone who is using, I don't know, 24" or 27" inch monitor to smudge their screen before playing BF3. If I see someone touching my LCD with dirty fingers he/she along with monitor is going out of window.

When I said PC is not a tablet or phone I am saying that these features have no place for desktop operating system. Microsoft is mixing apples and oranges. I never considered Tablets and PC the same, in fact Tablets don't have enough power PC have, not even remotely close to...in fact it is pretty useless crap from any point of view unless you gonna use it to take some notes, check web sites or just have it and think that you look cool.

Microsoft is wasting time developing things for the very small market, which really doesn't add any value but adds more bloated crap there.

This is all cool as long as MS gives the end user the ability to customize Windows as they see fit, meaning an option to remove any install of crap like this, Metro and similar things. MS is not thinking outside of the box at all.

Picture password for machines carrying highly sensitive data? No
Picture password for machines that you might carry into a coffee shop or use on your couch? Yes

Another cutesy gimmick for Windows 8. It certainly doesn't add any more security than what is already available. Why isn't Microsoft focusing on the core tasks of the new OS, instead of a lot of peripheral "flash and sizzle?"

It may be a "toy" to them, but for me, I think that is a useful feature.

And, if the user can't remember where he put the lines on the picture in order to unlock, then that's his own fault.

Picture passwords are in the same boat as Google's facial recognition or weak text passwords: there's no way they can be considered secure, but might come in handy where strong security is not a real concern.

If we talk about recording the password input, keyboard typing can be recorded as well (although it's still easier for the typical office security camera to record your screen than your keyboard).

ichi said,
Picture passwords are in the same boat as Google's facial recognition or weak text passwords: there's no way they can be considered secure, but might come in handy where strong security is not a real concern.

If we talk about recording the password input, keyboard typing can be recorded as well (although it's still easier for the typical office security camera to record your screen than your keyboard).

Exactly. It's 100% Gimmick. I have a Samsung Galaxy Nexus and I would never use the face unlock feature for security. I just use it to show it off to friends.

This is a toy and IT departments won't allow it. I can't see it being any safer or more useful than a normal password. Imagine helping an older person with a password like this??

OK Doris, did you start by tapping on the left ear or the right eyeball? Maybe the left nostril?

derekaw said,
This is a toy and IT departments won't allow it. I can't see it being any safer or more useful than a normal password. Imagine helping an older person with a password like this??

And wouldn't those same IT departments hate SecurID for the same reasons - not to mention the cost?

That is the biggest reason why two-factor implementation is loathed in all of IT - the cost of implementation. (The same can be said of all security measures - even simple ones like passwords.) Nobody cares about security - until after the break-in.

OK Doris, did you start by tapping on the left ear or the right eyeball? Maybe the left nostril?

Even if someone saw your picture password in a Starbucks cafe, so what? They would still have to STEAL your tablet! Think of all the bad things that have to happen for this to matter!

Now for a fixed workstation it's not a real issue because it's either at home or work and I trust that password security is not as important in those environments compared to being in a cafe.

KingCrimson said,
Even if someone saw your picture password in a Starbucks cafe, so what? They would still have to STEAL your tablet! Think of all the bad things that have to happen for this to matter!

Now for a fixed workstation it's not a real issue because it's either at home or work and I trust that password security is not as important in those environments compared to being in a cafe.

So that basically means that you don't really need a password at all, doesn't it? A "swipe to unlock" kind of thing would do.

I think that the real reasoning that the commenter hates the different form of two-factor identification is rather simple and obvious - it competes with his (expensive) offering. Remember, SecurID is not exactly cheap to implement. Now, two-factor is about to go from expensive to near-ubiquitous - what happens to the value of what the company is trying to sell (and to the commenter's holdings, if any, in that company)?

"Weiss also claims that backing up such a picture password system would be hard. He states, "To put down a description of the sequence is possible, but that's a lot of writing."

Isn't that the point? Picture passwords are supposed to be secure due to the combinatorics but easy to remember so you don't have to write it down, thus making it even more secure. So more secure than a password, easier to remember, and easier to input on a tablet. What's the problem here? Someone might video tape you entering it? Better look out big brother is watching you. What kind of security expert thinks being able to write down passwords is an essential feature? Can't write down a SecurID code (well you could but it wouldn't do you much good).

Nick Kessler said,
"Weiss also claims that backing up such a picture password system would be hard. He states, "To put down a description of the sequence is possible, but that's a lot of writing."

Isn't that the point? Picture passwords are supposed to be secure due to the combinatorics but easy to remember so you don't have to write it down, thus making it even more secure. So more secure than a password, easier to remember, and easier to input on a tablet. What's the problem here? Someone might video tape you entering it? Better look out big brother is watching you. What kind of security expert thinks being able to write down passwords is an essential feature? Can't write down a SecurID code (well you could but it wouldn't do you much good).

I agree picture passwords are a boon in these days where IT departments are requiring strongly named passwords. Who can remember them? I remember mine for work but I'm an engineer so I'm special, but the average person will have a hard time remembering a sequence of upper-case/lower-case with numbers and symbols password.

FMH said,
Video camera can see any type of password entry.
It can even tell whether you're stripping!

People have to be warned.. or else some super villain sneaker might steal their cooking recipes, unpublished blog entries, and to-do lists.

brianshapiro said,

People have to be warned.. or else some super villain sneaker might steal their cooking recipes, unpublished blog entries, and to-do lists.

Exactly my point. Thanks for phrasing it so well.

Video cameras can do anything. And no matter what type of password input you have, it doesn't matter.

FMH said,

Exactly my point. Thanks for phrasing it so well.

Video cameras can do anything. And no matter what type of password input you have, it doesn't matter.

Yea I'm making fun of how frivolous the concern is. Basically the author is saying that any security that doesn't meet the needs of the NSA is a "toy"...

brianshapiro said,

Yea I'm making fun of how frivolous the concern is. Basically the author is saying that any security that doesn't meet the needs of the NSA is a "toy"...


So I guess that means any product from SecurID is a, "toy." xD

I don't think most people are going to need to worry about somebody videotaping them using their computer. This isn't "Sneakers" and you aren't Martin Brice. And for a lot of people, especially tablet users, this will be a better choice than keyboard input.

If the camera can see someone inputting their gesture password wouldn't it be the same if they typed their password as of now? Pretty stupid argument if you ask me.

This was a non-story when it was first reported around the web days ago. Regurgitating someone else's story days late is just sad. Can we please have a decent source of news or none at all?

yowan said,
Windows 8 itself is rather more like a 'toy' than a real OS.
It's a fun toy that I'll be able to play with at home, at work, in my pocket, and on my e-reading tablet... so I say a lot of people will be getting this toy.

Haha, I just commented with (I'm not creative enough to come up with a real comment) and neowin changed it to "I'm not creative enough to come up with a real comment" - I like this feature, good work neowin

duddit2 said,
Haha, I just commented with (I'm not creative enough to come up with a real comment) and neowin changed it to "I'm not creative enough to come up with a real comment" - I like this feature, good work neowin

nvm haha

WinA said,
I'm not going to upgrade to Win8, I will stick with Win7.

I'm not creative enough to come up with a real comment

WinA said,
I'm not going to upgrade to Win8, I will stick with Win7.

You didn't even see the beta but you've already decided that? Ok.

Greenix said,

You didn't even see the beta but you've already decided that? Ok.

When I saw Windows 7 early alpha build I was like "OMG! This gonna be the best OS so far" and I was right.

But when I saw all these WIN8 screenshots I know it is going to be crap.

WinA said,
I'm not going to upgrade to Win8, I will stick with Win7.

Why not just go back to XP? Sounds like you're the type of person who would still be on XP anyway.

techguy77 said,
Dear Microsoft, A PC is not a phone or tablet.

WTF does that have 2 do w/ picture passwords? Are u just gonna say this every time someone has the slightest chance of mentioning Win 8? & did u even bother reading the last time I replied to you saying this?

techguy77 said,
Dear Microsoft, A PC is not a phone or tablet.

This is the second time I've seen you post the same exact thing. You need to grow up, kid.

techguy77 said,
Dear Microsoft, A PC is not a phone or tablet.

Tablets and PCs will be the same thing once Windows 8 is released. What's wrong with the idea of carrying your PC around with you and then coming home and placing it in a dock with a mouse and keyboard? I think that's rather exciting!

Meph said,

Tablets and PCs will be the same thing once Windows 8 is released. What's wrong with the idea of carrying your PC around with you and then coming home and placing it in a dock with a mouse and keyboard? I think that's rather exciting!

That's a minor marketshare on consumer, more relevant for business. Meaning if I'm in an enterprise, it would be useful to have a Windows 8 tablet that I could use as a tablet in a meeting then come back to my desk and plug it in to a docking station and it becomes my desktop PC even if not using the screen itself just the PC with external monitor.

Meph said,

Tablets and PCs will be the same thing once Windows 8 is released. What's wrong with the idea of carrying your PC around with you and then coming home and placing it in a dock with a mouse and keyboard? I think that's rather exciting!

Actually Windows Tablets and PCs have always been the same.........

Fritzly said,
Actually Windows Tablets and PCs have always been the same.........

But this time, they mean it. It's not the shabby attempt at tablets that it was before.

It's certainly more memorable than a bunch of characters.

And if an attacker is in the position to surreptitiously place a camera pointed at your screen, he is in the position to place a camera pointed at your keyboard. Physical security is the best kind.