Microsoft Windows 8's picture gesture authentication (PGA) system is not difficult to crack, according to security researchers from Arizona State and Delaware State universities.
In a paper presented at the recent Usenix Conference in August, the researchers say their experimental model and attack framework enabled them to crack 48 percent of passwords for previously unseen pictures in one dataset and 24 percent in another.
The researchers also believe their results could be improved with a larger training set and stronger picture-categorization and computer-vision techniques.
Windows 8 offers gesture-based passwords and traditional text-based passwords. Setting up a gesture-based password involves choosing a photo from the Picture Library folder and drawing three points on the image to be stored as grid coordinates. However, users tend to pick common points of interest, such as eyes, faces, or discrete objects, and the passwords derived from this constrained set have much less variability than randomly generated passwords.
The researchers suggest Microsoft could implement a picture-password-strength meter and integrate the PGA attack framework to inform users of the potential number of guesses it would take to access the system.
Abstracts Copyright © 2013 Information Inc., Bethesda, Maryland, USA