Use a Die to make Your Picture Password

Security - By admin on Saturday, January 21, 2012 - 09:26

[Image: Windows 8 die-based passwords]


Yet more news from Microsoft on their new picture password system. Following the announcement of this new way of signing in to their PCs, Microsoft has, unsurprisingly, received a lot of comments and feedback, many of them concerns over the security of the new gesture-based sign-in.

Jeff Johnson, Director of Development for the User Experience team at Microsoft, worked through the combinatorics, that is, counting how many gesture sequences an attacker would have to try, to put a number on the security of the new system. Over on the MSDN blogs he gives some more advice on how to use the new system and some more reassurance about how secure it is.

Jeff's 5 Tips for Using the New Picture Password system

[Image: Windows 8 sign-in picture]

  1. Pick a photo with at least ten points of interest in it. As Jeff says: "A point of interest is an area that can serve as a landmark for a gesture – a point that you would touch, places you would connect with a line, an area you would circle."
  2. Choose a random mix of gestures on some of those points of interest. Do not stick to three taps, three lines or three circles, as that shrinks the space an attacker has to search; a mixture such as two taps and a circle, or a circle, a line and a tap, is harder to break.
  3. Vary the size of your circles, consider drawing them anti-clockwise or starting from the bottom, and consider drawing your lines from right to left or from bottom to top.
  4. Make sure nobody is looking over your shoulder or otherwise watching when you draw the gestures on your picture password.
  5. Keep your screen clean. On a dirty screen the oils from your fingers build up along the path of your gestures and become visible; cleaning it regularly leaves fewer smudges for anyone to read.

Gestures are secure, as shown by the math

[Image: Windows 8 sign-in picture gestures]


Over on the MSDN blog, Jeff then works through the equations that show how unlikely it is that anyone will guess your sequence of gestures, even if they correctly identify the points of interest you are using. The counting assumes the attacker already knows the points of interest and allows, at each point, a tap, a line to any other point (direction matters) or one of four circles (two sizes, clockwise or anti-clockwise): with n points of interest that is n + n(n-1) + 4n = n(n+4) possible gestures per position, cubed for the three gestures a picture password is made of. For a picture with only two points of interest the odds are poor; this write-up puts them at about one successful attempt in four. With five points of interest the attacker has to find the right sequence of taps, lines and circles among 45^3 = 91,125 possibilities, and with the suggested ten points of interest the space grows to 140^3 = 2,744,000 sequences. Two caveats worth keeping in mind: the figure only counts sequences, so an attacker who has watched you sign in or who can read the smudges on the screen is not guessing at random; and Windows falls back to your text password after five wrong picture attempts, so a blind guessing attack gets five tries, not thousands.

You can follow the math here: http://blogs.msdn.com/b/b8/archive/2011/12/19/optimizing-picture-password-security.aspx

But to make it more secure, randomize your points of interest and gestures

Jeff suggests you take a standard six-sided die and use it to generate the sequence of gestures that will be your picture password, so that neither the points you use nor the gesture types are the ones you would naturally reach for.

He suggests you number six Points of Interest (POI) out of the ten or more on your image (a die can only choose between six) and roll the die to see which POI the gesture starts at.

Then roll the die again to decide the gesture type. If the number is even, the gesture is a line: roll once more to see which POI the line ends at (a line needs two distinct points, so roll again if it comes up the same as the start).

If the number is odd, roll once more and pick a tap or a circle according to Jeff's schedule below:

  1. The gesture is a tap
  2. The gesture is a small clockwise circle
  3. The gesture is a small counterclockwise circle
  4. The gesture is a larger clockwise circle
  5. The gesture is a larger counterclockwise circle
  6. Reroll

Repeat, rolling a fresh start point each time, until you have three gestures, which is how many a picture password uses. And according to Jeff and the counting above, a password made this way is not only fun to set up but also about as hard to break as a picture password gets.
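The die procedure above, and the gesture count from the previous section, as an added worked example (this is not code from the original page or from Microsoft). It replaces the physical die with the operating system's CSPRNG, and it makes two assumptions the page leaves implicit: the start point is rolled afresh for every gesture, and a line whose end point comes up equal to its start is rerolled. The `replayed_die` helper lets you feed in rolls you actually made with a real die and see the resulting gestures.

```python
"""Simulate the die-based picture password procedure and count the gesture space."""
import secrets

# The four circle gestures in the order of Jeff's schedule (rolls 2 to 5).
CIRCLES = (
    "small clockwise circle",
    "small counter-clockwise circle",
    "larger clockwise circle",
    "larger counter-clockwise circle",
)


def gesture_space(points, gestures=3):
    """Number of distinct gesture sequences over `points` points of interest.

    Per gesture the attacker must pick a tap at one of the points, a line
    between two distinct points (direction matters) or one of four circles
    at a point: points + points*(points-1) + 4*points = points*(points+4).
    A picture password is three gestures, so the total is that count cubed.
    Reproduces the page's figures: 45**3 = 91,125 for five points and
    140**3 = 2,744,000 for ten.
    """
    per_gesture = points + points * (points - 1) + 4 * points
    return per_gesture ** gestures


def physical_die():
    """A fair d6 from the OS CSPRNG; stands in for the real die on the desk."""
    return secrets.randbelow(6) + 1


def replayed_die(rolls):
    """Return a die function that replays a written-down list of physical rolls."""
    it = iter(rolls)
    return lambda: next(it)


def roll_gesture(die):
    """One gesture by the page's procedure: start point, type, then details.

    Assumptions not spelled out on the page: the start point is rolled afresh
    for every gesture, and a line whose end equals its start is rerolled.
    """
    start = die()                      # which of the six numbered POIs to start at
    if die() % 2 == 0:                 # even: a line to another POI
        end = die()
        while end == start:            # a line needs two distinct points
            end = die()
        return {"type": "line", "from": start, "to": end}
    while True:                        # odd: tap or circle per Jeff's schedule
        r = die()
        if r == 1:
            return {"type": "tap", "at": start}
        if r <= 5:
            return {"type": "circle", "at": start, "shape": CIRCLES[r - 2]}
        # r == 6: reroll


def roll_password(die=physical_die, gestures=3):
    """Three gestures, the number a picture password uses."""
    return [roll_gesture(die) for _ in range(gestures)]


def describe(password):
    """Human-readable rendering to copy onto paper while setting the password."""
    lines = []
    for i, g in enumerate(password, 1):
        if g["type"] == "line":
            lines.append(f"{i}. line from POI {g['from']} to POI {g['to']}")
        elif g["type"] == "tap":
            lines.append(f"{i}. tap POI {g['at']}")
        else:
            lines.append(f"{i}. {g['shape']} around POI {g['at']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("sequences for 5 POIs:", gesture_space(5))
    print("sequences for 10 POIs:", gesture_space(10))
    print(describe(roll_password()))
```

Destroy the paper once the password is set: a written-down picture password is a plaintext credential, and the whole point of rolling it is that nobody, including you, could have predicted it from the photo.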

Tags: Security
