Microsoft's picture passwords unsafe

Microsoft has been touting picture passwords as the next top trend in security, but researchers have discovered that these are not as difficult to crack as the company thinks.

Microsoft offered a Picture Gesture Authentication (PGA) system on Windows 8 and many thought it was a wizard idea. But a paper presented at the USENIX Security Conference has shown that some setups are easier to crack than others.

The paper, penned by Arizona State University, Delaware State University and GFS Technology researchers with the catchy title “On the Security of Picture Gesture Authentication”, said that unique picture password gestures may not be so unique.

Using a picture of a person and then three taps as your gestures – with one of them on the eyes – is the equivalent of making your text password “password”.

The researchers also developed an attack framework and attack models which can take out PGA.

All the attacker has to do is model a user’s password selection process, which was enough to crack a considerable portion of the collected picture passwords under different settings.

One of the problems is that most people choose to upload one of their own photos to set up their picture gesture password, instead of using one that Microsoft provides.

There is an obvious relationship between background pictures and a user’s identity, personality or interests: 60.3 percent of users selected areas on an image where “special objects” are located.

Eyes are the most frequently chosen point of interest, followed by nose, hand or finger, jaw and face.

While some users chose a landscape photo because it “usually doesn’t have any information about who you are,” others selected computer games posters or cartoons, and the researchers said that doesn’t necessarily protect your privacy.