Why Win8 Picture Password is Not Secure

Windows 8 includes a slick feature intended to make it easier to log in: Picture Password. You select a photo that will be displayed on the login screen and then set up a short sequence of gestures (taps, lines and circles) that you “draw” on the image to log in.

It makes logging in quick and easy, especially on a touch screen and especially if your text password is long. And given that Windows 8 pretty much requires you to link your Windows login to your Microsoft account, you should be using a strong password!

However, don’t be confused: Windows 8 Picture Password is not really secure and can easily be defeated by a smudge attack, the same trick that works against Android’s pattern unlock. A picture is worth a thousand words, so here is our Dell XPS One 27:

[Image: picpass. The login screen of the XPS One 27, with finger smudges visible on the glass over the photo.]

It is pretty clear from the smudges that the gesture to unlock is to draw a smiley face on Benny. The oil your fingers leave on the glass is a record of the gesture, and because you draw the same shape in the same place at every login, the trace gets reinforced rather than washed out. Anyone who picks up the machine can read it without guessing a thing.

Of course, on a non-touch screen where you use the mouse to draw the gestures, there are no smudges to read and this particular problem goes away.

Cool feature, but understand the limitations: on a touch device, either wipe the screen after you sign in, or don’t rely on the gesture at all and turn the feature off.
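If you decide the smudge risk outweighs the convenience on touch hardware, the feature can be switched off centrally rather than trusting every user to wipe their screen. The following PowerShell is an added example, not part of the original post: it sets the registry value behind the Group Policy setting “Turn off picture password sign-in” (Computer Configuration > Administrative Templates > System > Logon). The key and value name are those documented for that policy; the script itself and its status messages are mine. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): block picture password sign-in
# by writing the registry value that the Group Policy setting
# "Turn off picture password sign-in" (System > Logon) controls.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$valueName = 'BlockDomainPicturePassword'

# The Policies\...\System key does not exist on a machine with no policies applied.
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# 1 = picture password sign-in is blocked; deleting the value (or setting 0) allows it again.
Set-ItemProperty -Path $policyKey -Name $valueName -Value 1 -Type DWord

# Read the value back: verify what is actually in place rather than assuming the write worked.
$current = (Get-ItemProperty -Path $policyKey -Name $valueName).$valueName
if ($current -eq 1) {
    Write-Output 'Picture password sign-in is blocked by policy.'
} else {
    Write-Output "Policy value is '$current'; picture password sign-in is still allowed."
}
```

On a domain-joined machine the Group Policy editor is the better place to set this, so that the value is not silently reverted by a later policy refresh; the script is for a stand-alone box or for checking what a machine currently has.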

9 comments


  1. Tyson says:

    One idea to make it more secure may be to make it a multistep process. First you are presented with a matrix of pictures to choose from. Once the correct picture is chosen, it is shown in a random orientation for pattern entry. This method would make guessing the pattern more difficult because of the larger number of likely patterns and the smudges would be somewhat evenly distributed across the tablet.

  2. Nik Rolls says:

    How is this more of a security concern than Android’s pattern unlock, or even standard pin codes for that matter? It’s got nothing to do with an insecure system; if you unlock your device with dirty fingers and then don’t wipe down the screen, you’re just asking for trouble.

  3. Prawnz says:

    Isn’t drawing a smiley on a face akin to setting your password as “password”?

  4. Andrew says:

    I don’t get it, why isn’t it secure?
    Are you using touch on Windows 8 only to authenticate?

    On an all-in-one system like the Dell XPS, that might happen (sometimes), but on tablets, for example, at the end of the day you get lots of fingertips on the screen 🙂

    Also, even with your pics with the fingertips, it’s not easy to understand what the password was.

  6. Chase says:

    Assuming all you ever touch your screen for is to input the password you have a valid point, but as millions have seen with the connect-the-dots Android password, you can’t really tell what the password is after two seconds of use.

  7. Craigfis says:

    It struck me as insecure, but not because of screen smudges. Anyone nearby with a view of your screen can see what your password gesture is. (This was my first thought when someone just demoed their Surface to me.)

  8. Edward Bear says:

    Actually, checking the screen for the oils our fingers produce is apparently quite easy.

    http://www.uncoveror.com/picturehack.htm
