Microsoft made a big deal earlier this month about the picture password feature for the upcoming Windows 8 operating system. The official developers blog site for Windows 8 devoted not just one but two articles to the new system, which will give users the option to combine a picture with touch screen movements to create what Microsoft calls a highly secure password system, if used correctly.
The picture password system does have a major critic. NetworkWorld.com reports that Kenneth Weiss, the creator of the two-factor authentication system SecurID, says of the Windows 8 picture password feature, "I think it's cute. I don't think it's serious security." Later he says, "It's more like a Fisher-Price toy than a serious choice for secure computer access."
One of the problems with such a system, according to Weiss, is that video cameras could record a person making the movements needed to unlock Windows 8, even from a distance. In a normal password system, the characters on the screen are replaced by dots when typed in by the user, making the act of recording such actions with a video camera more difficult.
Microsoft's Jeff Johnson does state in the second picture password post on the Windows 8 blog site, "As with all forms of authentication, when entering your picture password, avoid allowing other people to watch you as you sign in." He adds, "Keep your computer in a secure location where unauthorized people do not have physical access to it. As with any password entry, be aware of line of sight and potential recording devices that intrude on your screen."
Weiss also claims that backing up such a picture password system would be hard. He states, "To put down a description of the sequence is possible, but that's a lot of writing."