February 13, 2014

How to Improve Windows 8 Picture Password Security


To make the new gesture-based password on a Windows 8 computer as safe as a text-based password, we have to improve picture password security. Before talking about how to improve it, let’s see why a picture password is easily cracked.

Why Windows 8 picture password can be cracked easily

Setting up a gesture-based password involves choosing a picture from one’s Picture Library folder and drawing three points on the image. Windows 8 accepts three kinds of gestures on the picture: taps, lines and circles. Windows 8 subdivides the image into a 100*100 grid and stores the input points as grid coordinates.
1. Users aren’t very good at selecting random points on their images. They tend to pick common points of interest, such as eyes, faces or discrete objects.
As a result, passwords derived from this constrained set have much less variability than randomly generated passwords, so they’re easier to crack.
2. There is no picture-password-strength meter similar to the systems that prevent people from choosing weak text-based passwords.
So when users have set a weak picture password, they don’t know it.
3. Researchers have built an experimental model and attack framework that allowed them to crack 48% of passwords for previously unseen pictures in one dataset and 24% in another.
Because of the password-setting habits above and the incomplete password-setting mechanism, a Windows 8 picture password can be cracked easily.
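The strength meter that point 2 says is missing can be sketched as follows. This is an added example, not code from Microsoft or from the researchers' framework: the tolerance, the circle parameters, the per-gesture share and the sample points of interest are assumptions, while the 100*100 grid and the three-gesture total come from this page.

```python
import math

GRID = 100                     # from the page: image is divided into a 100*100 grid
FULL_SPACE_3 = 1_155_509_083   # from the page's table: 3-gesture picture password
TOLERANCE = 3                  # assumption: within 3 cells counts as "on" a point of interest
RADII, DIRECTIONS = 5, 2       # assumption: circle size buckets and drawing directions

def on_poi(point, pois):
    """True if a grid point lies within TOLERANCE cells of any point of interest."""
    return any(math.dist(point, p) <= TOLERANCE for p in pois)

def poi_gestures(n):
    """Gestures buildable from n POIs alone: taps + ordered-pair lines + circles."""
    return n + n * (n - 1) + n * RADII * DIRECTIONS

def rate(gestures, pois):
    """Estimate the guess space of a three-gesture picture password.

    gestures: list of (kind, [grid points]); tap and circle carry one point
    (circle: its center), line carries two. A gesture is "anchored" when
    every one of its points sits on a POI.
    """
    if len(gestures) != 3:
        raise ValueError("a picture password has exactly three gestures")
    for kind, pts in gestures:
        if any(not 0 <= c < GRID for p in pts for c in p):
            raise ValueError(f"{kind} point outside the {GRID}x{GRID} grid")
    anchored = sum(all(on_poi(p, pois) for p in pts) for _, pts in gestures)
    free_share = FULL_SPACE_3 ** (1 / 3)   # assumption: equal share per free gesture
    guesses = min(FULL_SPACE_3,
                  poi_gestures(len(pois)) ** anchored * free_share ** (3 - anchored))
    return {"anchored": anchored, "guesses": guesses,
            "bits": math.log2(guesses), "pin_digits": math.log10(guesses)}

# Constructed sample: six points of interest (eyes, nose, mouth, two objects).
POIS = [(30, 40), (45, 40), (38, 50), (38, 60), (75, 20), (80, 85)]
WEAK = [("tap", [(31, 41)]), ("line", [(30, 40), (45, 41)]), ("circle", [(38, 51)])]
STRONG = [("tap", [(10, 90)]), ("line", [(5, 5), (60, 12)]), ("circle", [(90, 50)])]

if __name__ == "__main__":
    for name, pw in (("weak", WEAK), ("strong", STRONG)):
        r = rate(pw, POIS)
        print(f"{name}: {r['anchored']}/3 anchored, ~{r['guesses']:,.0f} guesses, "
              f"{r['bits']:.1f} bits, like a {r['pin_digits']:.1f}-digit PIN")
```

Under these assumptions, a password whose three gestures all sit on the six points of interest falls from the full three-gesture space to roughly the guess space of a 6-digit PIN.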

How to improve picture password security?

From the reasons above why the Windows 8 gesture-based password is cracked easily, and from the comparison of PIN codes, character passwords and picture passwords in the table below, you can see what to do to improve Windows 8 picture password security.
| Length | 10-digit PIN | Simple a-z character set password | More complex character set password | Multi-gesture picture password |
|---|---|---|---|---|
| 1 | 10 | 26 | n/a | 2,554 |
| 2 | 100 | 676 | n/a | 1,581,773 |
| 3 | 1,000 | 17,576 | 81,120 | 1,155,509,083 |
| 4 | 10,000 | 456,976 | 4,218,240 | 612,157,353,732 |
| 5 | 100,000 | 11,881,376 | 182,790,400 | 398,046,621,309,172 |
| 6 | 1,000,000 | 308,915,776 | 7,128,825,600 | |
| 7 | 10,000,000 | 8,031,810,176 | 259,489,251,840 | |
| 8 | 100,000,000 | 208,827,064,576 | 8,995,627,397,120 | |

  1. Microsoft should integrate the researchers’ PGA attack to inform users of the potential number of guesses it would take to access their system.
  2. Choose one individual picture, and portions of it, on which to make the three gestures.
  3. Use the most complex gesture, the line, to create the gestures.
There are then 100 million possible lines that can be set on a picture. A picture password will be more difficult to guess if you follow the suggestions above. That will increase both the security and the memorability of the password.
In short, until a better password-setting mechanism appears, the gesture-based password is best kept as just another way to access Windows 8. If we want to protect Windows 8 better, we should create a strong local user password, or encrypt important data on the Windows 8 computer.
