Last week Microsoft posted an entry on the official Windows 8 blog that talked about the operating system's new support for using pictures as passwords for touch screen interfaces. Today, the blog posted an update on that feature, with Microsoft's Jeff Johnson giving more information based on comments and questions from the blog's readers.
One of the concerns from readers was how to create the most secure sequence of login gestures from a picture. Johnson gives several ways to make a picture stronger as a password: using a photo that has 10 points of interest, using a random mix of gesture types and sequence, randomly choosing where the line will go between two points if one uses line gestures and, of course, not letting other people see what sequences you are putting in as the password when you sign on. Johnson says these suggestions "will substantially increase the security of your computer."
To give you an idea of how hard it would be to break a picture password that has 10 points of interest, Johnson states:
We now have 10 possible taps, 40 possible circles, and 90 possible lines. This is a very robust 140^3 = 2,744,000 sequences. Odds1 is vanishingly small at 0.0002%. In fact, you are more than 50 times more likely to win $10,000 with a $1 ticket in the Washington State Select 4 Lottery than you are to have your machine broken into using a picture with 10 POIs! The Odds100 has dropped to 0.018% and even Odds1000 is only 0.18%.
The blog goes into a lot of technical details behind the picture password feature. At one point, Johnson states, "Windows provides additional protection for picture passwords (and PINs) by disabling the login mechanism after 5 incorrect tries (you then have to use your conventional password)."