Windows 8 Picture Passwords Are Insecure


Windows 8 offers users a unique password option at sign-in. Rather than a text password, users can use an image from the Pictures folder to keep their PC secure. Although this is an interesting idea that personalizes a user’s device, it is proving to fall short on security.

As Thomas Claburn reports for InformationWeek, a group of researchers created a method for breaking Windows 8 picture passwords. Their model succeeded in cracking a password 48 percent of the time during one test.

To set a picture password, users choose an image, then draw circles or lines or tap different places on the image. When they log in, they just need to repeat the same actions in the same order. It’s similar to smartphones that lock with a pattern rather than a passcode.

Windows 8 does take some precautions to make this method more secure. Most notably, a user is limited to 5 log-in attempts. After a fifth failed attempt, the device is locked down. This means hackers can’t launch a purely automated attack, or brute-force attack, that tries every possible combination. During testing, a purely automated attack was only successful about 1 percent of the time.

That is still a significant number of users at risk, and researchers suggested that a higher success rate is likely with a little training. Beyond the technical capabilities of picture passwords, what makes them insecure is how most people use them. When manipulating an image, most people will circle or tap the eyes and draw a line on the mouth. These tendencies make it much easier for a password to be hacked.

What’s lacking from picture passwords is a strength meter. When you make a password for an online account, most sites will tell you if the password is strong, weak or unacceptable. Windows 8 included no such meter for picture passwords.

Since this is a new log-in method for most people, users won’t know what a strong picture password consists of. A password meter could help ensure that users have a password strong enough to hold up to a hacking attempt.
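A minimal sketch of the kind of strength meter described above, added here as an illustration and not taken from the article, the researchers or Windows. It assumes a face detector has already reported points of interest on the image (the labels, coordinates, tolerance and thresholds below are constructed), and it penalizes gestures that land on them, most heavily the circle-or-tap-on-eyes and line-on-mouth habits mentioned earlier.

```python
from dataclasses import dataclass

# Constructed sample: points of interest as (x0, y0, x1, y1) boxes on a
# 100x100 grid, as a face detector might report them (assumed input).
POIS = {"left_eye": (30, 30, 42, 38), "right_eye": (58, 30, 70, 38),
        "mouth": (38, 65, 62, 75)}
# Habits the article describes: circle or tap the eyes, draw a line on the mouth.
COMMON = {("circle", "eye"), ("tap", "eye"), ("line", "mouth")}

@dataclass
class Gesture:
    kind: str      # "tap", "circle" or "line"
    points: list   # tap: [(x, y)]; circle: [center]; line: [start, end]

def poi_at(point, margin=3):
    """Label of the POI containing the point (with a small tolerance), or None."""
    x, y = point
    for label, (x0, y0, x1, y1) in POIS.items():
        if x0 - margin <= x <= x1 + margin and y0 - margin <= y <= y1 + margin:
            return label
    return None

def gesture_penalty(g):
    """0 = clear of every POI, 1 = touches a POI, 2 = a pairing listed in COMMON."""
    labels = [poi_at(p) for p in g.points]
    if not any(labels):
        return 0
    # "left_eye" and "right_eye" both count as the feature "eye".
    features = {l.split("_")[-1] if l else None for l in labels}
    if len(features) == 1 and (g.kind, next(iter(features))) in COMMON:
        return 2
    return 1

def rate(gestures):
    """Meter verdict for a whole gesture sequence."""
    total = sum(gesture_penalty(g) for g in gestures)
    if total == 0:
        return "strong"
    # Half or more of the worst possible score is treated as weak (assumed cut-off).
    return "weak" if total * 2 >= 2 * len(gestures) else "fair"

if __name__ == "__main__":
    habitual = [Gesture("circle", [(36, 34)]), Gesture("tap", [(64, 34)]),
                Gesture("line", [(40, 70), (60, 70)])]
    print(rate(habitual))
```

A real meter would also have to weigh gesture order, size and direction; this sketch only scores where each gesture is anchored.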

To keep your machine more secure, contact Geek Rescue at 918-369-4335. We have a variety of security solutions to keep you safe.

August 30th, 2013