The math behind Windows 8's picture passwords

In bringing what was traditionally a desktop operating system into the mobile space, Microsoft cooked up an interesting scheme for logging into a Windows 8 tablet (or, if you're really inclined, a laptop or desktop): using your favorite photos as a password.

Where others have settled for drawing lines on a grid, Windows 8's picture passwords let you combine taps, circles, and lines on your photo. It is not surprising that picture passwords are stronger than PINs, but as Microsoft explains on the Building Windows 8 blog, they beat complex text passwords as well.

How does this work? Gestures are tracked along an invisible grid that is scaled according to the size of the screen. The grid is divided into 100 square units along its longest edge, and scaled accordingly to fill the shorter edge - as an example, a 1366x768 screen with a photograph taking up roughly 80% of the screen will have a 100x70 grid.

When logging in, the OS compares the gestures drawn during the login attempt against those recorded during picture password setup, measuring how far each gesture lands from its recorded location. An accompanying grid graphic shows how the "accuracy" score of a gesture falls off with distance from the recorded location; a login attempt fails if the score drops below 90%. A login attempt also fails outright if one draws the wrong shape (for instance, a line in place of a circle).

In recording the shapes one draws on the screen, the OS also remembers the direction and the order of the shapes drawn by the user.

So how many passwords can you get out of taps, circles, and lines? Under the assumptions laid out in Microsoft's analysis, one can obtain 2,743,206 unique combinations from 3 taps, 4,509,567 combinations from 3 circles, and 412,096,718 combinations from 3 lines. Combine all three together, and you've got 1,155,509,083 passwords!

Compare this to just 1000 unique PIN combinations with 3 digits, 17,546 passwords with just 3 lowercase letters, and 81,120 passwords with 3 characters drawn from letters, numbers and symbols.

One possible flaw of a gesture-based login system is that a password might be guessed from the fingerprints left on the screen. Even in the worst case, where a user enters the password on a clean screen and then leaves the device open to an attacker, the attacker is still left with 48 possible passwords. And even then, Windows 8 will only allow 5 attempts at a picture password before the user is forced to enter their regular Windows password.
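The grid scaling, the gesture comparison and the five-attempt limit described above, as an added example written for this article rather than Microsoft's own code. The real scoring grid is not reproduced: the score is assumed to fall linearly from 100% to 0% over a tolerance of 10 grid units, and the gesture representation is this example's own.

```python
# Added example (not Microsoft's code) modelling the check described above. The
# scoring grid is not reproduced: the score is ASSUMED to fall linearly from
# 100% to 0% over TOLERANCE grid units of distance from the recorded gesture.
from dataclasses import dataclass
from math import hypot
from typing import Optional, Tuple

GRID_LONG_EDGE = 100  # longest screen edge is divided into 100 units (article)
PASS_SCORE = 0.90     # a gesture scoring below 90% fails the login (article)
MAX_ATTEMPTS = 5      # then the regular text password is required (article)
TOLERANCE = 10.0      # assumed: distance in grid units at which the score is 0%

def to_grid(point_px, width_px, height_px):
    """Pixels -> invisible grid: 100 units along the longest edge, the shorter
    edge scaled by the same factor (so 1366x768 becomes roughly 100x56)."""
    units_per_px = GRID_LONG_EDGE / max(width_px, height_px)
    return (point_px[0] * units_per_px, point_px[1] * units_per_px)

@dataclass(frozen=True)
class Gesture:
    kind: str                                  # "tap", "circle" or "line"
    start: Tuple[float, float]                 # tap, circle centre or line start
    end: Optional[Tuple[float, float]] = None  # line end point (lines only)
    clockwise: Optional[bool] = None           # direction (circles only)

def gesture_score(ref, attempt):
    """Wrong shape or wrong circle direction scores 0 outright. Lines compare
    start with start and end with end, so the segment traced backwards fails."""
    if ref.kind != attempt.kind:
        return 0.0
    if ref.kind == "circle" and ref.clockwise != attempt.clockwise:
        return 0.0
    dist = hypot(ref.start[0] - attempt.start[0], ref.start[1] - attempt.start[1])
    if ref.kind == "line":
        dist = max(dist, hypot(ref.end[0] - attempt.end[0], ref.end[1] - attempt.end[1]))
    return max(0.0, 1.0 - dist / TOLERANCE)

def check_login(enrolled, attempt):
    """Order matters: gesture i is scored against enrolled gesture i, and every
    one must reach PASS_SCORE; a different gesture count fails immediately."""
    if len(enrolled) != len(attempt):
        return False
    return all(gesture_score(r, a) >= PASS_SCORE for r, a in zip(enrolled, attempt))

def run_attempts(enrolled, attempts):
    """Five-attempt rule: 'ok' on the first match, 'fallback' (text password
    required) once MAX_ATTEMPTS have failed, otherwise 'retry'."""
    for failures, attempt in enumerate(attempts, start=1):
        if check_login(enrolled, attempt):
            return "ok"
        if failures >= MAX_ATTEMPTS:
            return "fallback"
    return "retry"

# Constructed sample password, enrolled on a 1366x768 screen (pixel coordinates)
SCREEN = (1366, 768)
ENROLLED = [
    Gesture("tap", to_grid((683, 384), *SCREEN)),
    Gesture("circle", to_grid((300, 200), *SCREEN), clockwise=True),
    Gesture("line", to_grid((100, 100), *SCREEN), to_grid((900, 600), *SCREEN)),
]
```

With the assumed tolerance, a tap half a grid unit off still scores 95% and passes, while one 1.5 units off scores 85% and fails.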

The other obvious flaw is how easy it is to look over a user's shoulder and steal their password. Given that picture passwords will usually be based on visual cues, and are thus easy for an onlooker to memorise and repeat, users should definitely be aware of their surroundings while logging in.

As with most new features in Windows 8, Microsoft will offer Group Policy settings to disable picture passwords on corporate machines.

A brief demo of the login process is available below:

The result of Microsoft's solution is a unique login method that is easy for people to remember and, assuming they don't just tap on people's noses from left to right, a password that is hard to guess.

Image Credit: Building Windows 8


They should have a choice of picture before you can attempt to swipe also. That is, display 2 additional random photos, so the "hacker" has to choose a picture first.

Am I missing something here? Who wants to sit there drawing circles around people's faces and joining up dots to unlock something? As well as security, I also want convenience. Something I can do without thinking, and quickly. Like Google's unlock phone with camera, this seems like another gimmick that they'll heavily use as a major selling point but in reality no-one will use.

MurrayB said,
Am I missing something here? Who wants to sit there drawing circles around people's faces and joining up dots to unlock something? As well as security, I also want convenience. Something I can do without thinking, and quickly. Like Google's unlock phone with camera, this seems like another gimmick that they'll heavily use as a major selling point but in reality no-one will use.
PCs were once unlocked by keys, actual physical keys, and some people thought about passwords the same way you feel about this.

Arthax said,
PCs were once unlocked by keys, actual physical keys, and some people thought about passwords the same way you feel about this.

If they thought that passwords would be less secure than hardware keys and that people would screw them up by making poor password choices, they were right.

Convenience has its place, but sometimes in certain situations you have to tell people to suck it up and enforce security.

This makes it much easier to read someone's password if you're looking over their shoulder. (watch them unlock it, steal the device... profit!)

I don't think anybody here noticed. But did you see how the control panel opens?
They have worked on the animation and this is what I'm talking about. The animation is super smooth and actually makes sense!.. GREAT JOB MS!!!!

Just install the Origami Experience on Windows XP, Vista or 7 and you will get the picture password feature on it too.

I am still amused with gesture passwords. So easy to get past because most people don't constantly clean their devices. All you have to do is put the device at a slight angle and look for the marks your fingers leave behind. Does it always work? Of course not since some people are "cleaner" than others. Did it three times this past week though messing with friends.

ILikeTobacco said,
I am still amused with gesture passwords. So easy to get past because most people don't constantly clean their devices. All you have to do is put the device at a slight angle and look for the marks your fingers leave behind. Does it always work? Of course not since some people are "cleaner" than others. Did it three times this past week though messing with friends.

It's also possible to have a user make a path colliding pattern, which increases the number of possible paths a user may have taken

Do your friends not actually use their devices after unlocking them? The pattern should get messed up as soon as they swipe something on the screen while using it.

giantpotato said,
Do your friends not actually use their devices after unlocking them? The pattern should get messed up as soon as they swipe something on the screen while using it.

It just depends. The pattern would be messed up if they were playing a game. Those are usually the people's devices that I can't figure it out for. Most people however (that I am around anyways) get on and do things like check their email, use Facebook, watch videos. You won't mess up the pattern unless you do more gestures. If all you are doing is typing, it is still easy to see the pattern.

Sraf said,

It's also possible to have a user make a path colliding pattern, which increases the number of possible paths a user may have taken

Most people don't think about that. The most common ones I have come across are the letters L, U, or Z. Just because they can make a harder one, doesn't mean they will. Most people are their own biggest security risk. Most patterns don't collide and have two obvious end points. Only two guesses required at most at that point.

I am not saying that it can't be hard to guess, as I usually only get into about 3/4 of the devices I try with, but most people don't think about it enough and just use an obvious pattern.

ILikeTobacco said,

It just depends. The pattern would be messed up if they were playing a game. Those are usually the people's devices that I can't figure it out for. Most people however (that I am around anyways) get on and do things like check their email, use Facebook, watch videos. You won't mess up the pattern unless you do more gestures. If all you are doing is typing, it is still easy to see the pattern.

Everything you just mentioned requires your finger to be touching all parts of the screen which would make the smudges from your pattern gone or at least most of it.

The result of Microsoft's solution is an unique login solution that is easy for people to remember, and assuming they don't just tap on people's noses from left to right, a password that is hard to guess.

I was going to set mine like that, only with boobs.

I have seen Android/iPhone users using gesture-based passwords to unlock the screen and I think it is a great idea. People choose easy-to-guess (i.e. bad) text-based passwords because a good password is difficult to remember (for average users).

GraphiteCube said,
I have seen Android/iPhone users using gesture-based passwords to unlock the screen and I think it is a great idea. People choose easy-to-guess (i.e. bad) text-based passwords because a good password is difficult to remember (for average users).

That is because we are focused on making "Hard to remember, easy for computers to guess" passwords. Encourage your users to come up with a non-sequitur phrase, they likely will have an easier time remembering it, and it will likely also have greater entropy than many of these hard to remember combinations. To steal from XKCD

We'll take a word (Troubador) and mutate it: Tr0ub4dor&3
This has ~28 bits of entropy, and would take at most 3 days to guess at 1000 guesses/sec, and is going to be hard for most to remember

Now, let's get the non-sequitur "correct horse battery staple"

Even though we have fewer types of characters, we have a higher entropy; in fact our entropy is now ~44 bits, which would take at most 550 YEARS to guess at 1000 guesses/sec, so it's harder for a computer to brute force. Now what about memorization? Odd phrases seem to have a way of clinging to your mind, and I think you'll find this is much easier to remember

Required XKCD reading:
http://xkcd.com/936/
http://xkcd.com/538/

Sraf said,

That is because we are focused on making "Hard to remember, easy for computers to guess" passwords. Encourage your users to come up with a non-sequitur phrase, they likely will have an easier time remembering it, and it will likely also have greater entropy than many of these hard to remember combinations. To steal from XKCD

We'll take a word (Troubador) and mutate it: Tr0ub4dor&3
This has ~28 bits of entropy, and would take at most 3 days to guess at 1000 guesses/sec, and is going to be hard for most to remember

Now, let's get the non-sequitur "correct horse battery staple"

Even though we have fewer types of characters, we have a higher entropy; in fact our entropy is now ~44 bits, which would take at most 550 YEARS to guess at 1000 guesses/sec, so it's harder for a computer to brute force. Now what about memorization? Odd phrases seem to have a way of clinging to your mind, and I think you'll find this is much easier to remember

Required XKCD reading:
http://xkcd.com/936/
http://xkcd.com/538/

Despite all this the probability states that the computer (or person) could guess correctly the first time

Sraf said,

That is because we are focused on making "Hard to remember, easy for computers to guess" passwords. Encourage your users to come up with a non-sequitur phrase, they likely will have an easier time remembering it, and it will likely also have greater entropy than many of these hard to remember combinations. To steal from XKCD

What is SO important on a phone we can't get back? We have the cloud, we have Google backup, we have syncing with the computer, not to mention MOST of the data resides on a server anyway, not ONLY the phone. Add to that remote wipe and the chances of compromising your data are less than you think.

These are PERSONAL phones not mobile banking or security sites.

People have to remember PIN, SSN, passwords, locker combinations, the last thing people want to do is voluntarily secure their phone and make it so complex it's not even worth it.. so gesture is a WAY (maybe not to your standards) to make a phone a little secure without compromising the fun factor.

You anal people sure know how to take pleasure out of using a device.

rijp said,

What is SO important on a phone we can't get back? We have the cloud, we have Google backup, we have syncing with the computer, not to mention MOST of the data resides on a server anyway, not ONLY the phone. Add to that remote wipe and the chances of compromising your data are less than you think.

These are PERSONAL phones not mobile banking or security sites.

People have to remember PIN, SSN, passwords, locker combinations, the last thing people want to do is voluntarily secure their phone and make it so complex it's not even worth it.. so gesture is a WAY (maybe not to your standards) to make a phone a little secure without compromising the fun factor.

You anal people sure know how to take pleasure out of using a device.

I think you are missing the point. I am speaking about how people have been conditioned to think that a good password is a hard to remember, convoluted password. Key here being PASSWORD, I wasn't talking about the gestures at all, which I do think are good ideas in the case of this implementation (the android one I see as nothing more than a numpad)

And ultimately, I don't know about you, but I secure my phone. Yes I can get what's on it off in the case I lose it, but that's not the point. If I did not secure it and someone had malicious intent, they would now have access to my emails, facebook, contact list and more. The emails are of particular concern as all my other login accounts reset their passwords via these email accounts. My bank sends me email, as do my ISP and telco providers. There is a lot of potential damage that can be done from within my phone, so I secure it. (The current implementation is a little lackluster, I would like to see this W8 solution on it, as I have a WP7.)

Sraf said,

That is because we are focused on making "Hard to remember, easy for computers to guess" passwords. Encourage your users to come up with a non-sequitur phrase, they likely will have an easier time remembering it, and it will likely also have greater entropy than many of these hard to remember combinations. To steal from XKCD

We'll take a word (Troubador) and mutate it: Tr0ub4dor&3
This has ~28 bits of entropy, and would take at most 3 days to guess at 1000 guesses/sec, and is going to be hard for most to remember

Now, let's get the non-sequitur "correct horse battery staple"

Even though we have fewer types of characters, we have a higher entropy; in fact our entropy is now ~44 bits, which would take at most 550 YEARS to guess at 1000 guesses/sec, so it's harder for a computer to brute force. Now what about memorization? Odd phrases seem to have a way of clinging to your mind, and I think you'll find this is much easier to remember

Required XKCD reading:
http://xkcd.com/936/
http://xkcd.com/538/

Actually xkcd is wrong. It's assuming brute force only. Nobody does that. Your 4 words is just 4 characters to a dictionary attack.

here's how you do real secure and easy to remember passwords https://www.grc.com/haystack.htm
(even this only works when you can make sure that someone can't peer over your shoulder because any easy to remember password is susceptible to that)

primexx said,

Actually xkcd is wrong. It's assuming brute force only. Nobody does that. Your 4 words is just 4 characters to a dictionary attack.

here's how you do real secure and easy to remember passwords https://www.grc.com/haystack.htm
(even this only works when you can make sure that someone can't peer over your shoulder because any easy to remember password is susceptible to that)

A dictionary attack wouldn't do you any good unless you KNOW for a fact that a user's password is 4 dictionary words. You can't make any assumptions on what the password's contents are, so while a dictionary attack would work if a person's password is just one word (low hanging fruit), 4 words combined together would be a waste of time to crack via that approach.
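The guess-space arithmetic behind the exchange above (Sraf's 28-bit versus 44-bit figures at 1000 guesses/sec, and primexx's dictionary-attack objection), as an added example that is not part of the thread. It puts the letter-by-letter model and the whole-word model side by side; the 2048-word list size (11 bits per word) is an assumption, and the passphrase is modelled as 25 lowercase letters.

```python
# Added example (not from the thread): the guess-space arithmetic behind the
# figures quoted above. A 2048-word list (11 bits per word) is an ASSUMPTION.
from math import log2

GUESSES_PER_SEC = 1000            # rate used in the thread
SECONDS_PER_YEAR = 365.25 * 86400

def entropy_bits(alphabet_size, length):
    """Bits of entropy in `length` independent picks from `alphabet_size`
    equally likely symbols (characters or whole words)."""
    return length * log2(alphabet_size)

def worst_case_seconds(bits, rate=GUESSES_PER_SEC):
    """Time to exhaust the whole space: 2^bits guesses at `rate` per second."""
    return 2 ** bits / rate

def cost_summary(bits):
    """Human-readable worst-case cracking time for a given entropy."""
    secs = worst_case_seconds(bits)
    if secs < SECONDS_PER_YEAR:
        return f"{bits:.1f} bits: about {secs / 86400:.1f} days"
    return f"{bits:.1f} bits: about {secs / SECONDS_PER_YEAR:,.0f} years"

def passphrase_models(words=4, wordlist_size=2048, letters=25):
    """Entropy of a word passphrase under two attacker models. An attacker who
    guesses letter by letter faces `letters` lowercase characters; one who
    guesses whole dictionary words faces only `words` picks from the list.
    The comic's 44-bit figure is already the second (word-guessing) model."""
    return {
        "letters_only": entropy_bits(26, letters),         # ~117.5 bits
        "dictionary": entropy_bits(wordlist_size, words),  # 44.0 bits
    }

if __name__ == "__main__":
    print("Tr0ub4dor&3 as counted in the comic ->", cost_summary(28))
    for model, bits in passphrase_models().items():
        print(f"correct horse battery staple, {model} ->", cost_summary(bits))
```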

Why not compare with actual decent passwords? Nobody has 3 character passwords.

A 5 character password, with uppercase, lowercase, numeric and special characters has more than 1,155,509,083 possibilities, so basically this is less secure than a 5 character password.

I left most of the comparisons off the article (the blog post has them), but they claim to have 398 trillion combinations with 5 gestures.

They probably settled on just 3 as a good balance between security and speed of logging in.

Fortunately picture passwords are optional so anyone can continue to enter text passwords even if they're on a tablet.

giantpotato said,
Why not compare with actual decent passwords? Nobody has 3 character passwords.

A 5 character password, with uppercase, lowercase, numeric and special characters has more than 1,155,509,083 possibilities, so basically this is less secure than a 5 character password.

[snipped]

You can swipe up, down, left and right.. BUT do you actually know how long or the type of swipe, is it slow, is it fast.. is it light pressure, is it hard pressure.. does the gesture have any pauses.. that adds INFINITE possibilities.. besides.. as I said.. it's NEW. As it matures they WILL find better ways to make it work; it's not about security (most people don't even lock the phone), it's about convenience and giving users what THEY want to use THEIR phone!

Edited by Denis W., Dec 17 2011, 12:08am :

giantpotato said,
Why not compare with actual decent passwords? Nobody has 3 character passwords.

A 5 character password, with uppercase, lowercase, numeric and special characters has more than 1,155,509,083 possibilities, so basically this is less secure than a 5 character password.

I beg to differ, you have to take into account the amount of morons out there. Take my brother for instance: his password to log on to Windows is simply the space bar, then just to make matters worse, his hint is "space."

I've asked him multiple times why he has a password at all; a 6-year-old Down's kid could figure it out.

giantpotato said,
Why not compare with actual decent passwords? Nobody has 3 character passwords.

A 5 character password, with uppercase, lowercase, numeric and special characters has more than 1,155,509,083 possibilities, so basically this is less secure than a 5 character password.

Touch input has the benefit of being very difficult to do en masse. It's fairly secure, all things considered. The biggest flaw it seems is the visibility to others.

fallacious statement ... how can you multiply letters and numbers ... cannot be done ...

bad MS .. very bad ... KFC is so good

(neat idea can be made so much more secure too, but in case the pass is forgotten then you have hints or what? )

zeta_immersion said,
fallacious statement ... how can you multiply letters and numbers ... cannot be done ...

bad MS .. very bad ... KFC is so good

(neat idea can be made so much more secure too, but in case the pass is forgotten then you have hints or what? )

If you look at the video, to use this you also need a normal password; when he goes to set up the picture it asks for your password etc.