One of the most interesting features in Windows 8 is the picture password, a third sign-in method alongside the normal password and PIN that signs you in to your computer without typing. Since Windows 8 is targeted more at devices equipped with a touch screen, it makes perfect sense to have a more intuitive sign-in method that does not require typing a complex password. Today the Building Windows 8 blog details some of the facts behind this neat feature.
It's interesting to see how it works behind the scenes. First, once the image is selected, the system divides it into a grid. Then, when you draw your gestures to create the picture password, the system records the coordinate (XY) position in the grid for the individual points, the starting and ending coordinates for lines, and the center point coordinate, the radius and the direction for the circle. When you sign in, the system evaluates the gestures and compares the set to the gestures recorded during setup. When the types, ordering, and directionality are all correct, the system looks at how far off each gesture was to determine whether it is close enough to authenticate you.
It's probably the most fluid way to sign in on a touch device. The question is whether it is secure enough to be used widely. The post makes a comprehensive comparison between PIN, normal password, and picture password, which reveals how secure a picture password could be. Of course, that is based on theory. There is more to consider in the real world, smudges for one.
People are often concerned with the smudges left behind on a touch screen and how easy or hard it would be to divine your password based on those markings. Because the order of gestures, their direction and location all matter, it makes the prospect of guessing the correct gesture set based on smudging very difficult even in the completely clean screen case, let alone on a screen that sees regular touch use.
With the number of possible combinations, the prospect of guessing the correct sequence within the 5 tries allowed before lockout is fairly remote, assuming the average image has 10 points of interest and a gesture sequence length of 3. To give IT admins more flexibility, a Group Policy setting will also be added to control whether this new feature can be used.
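The two-stage comparison described above (structure first, then distance) can be sketched as follows. This is an added example, not Microsoft's code: the grid size, the tolerance, the `Gesture` type and all function names are assumptions made for illustration, and the sample gestures are constructed.

```python
import math
from dataclasses import dataclass

GRID = 100        # assumed grid resolution along the image's longest side
TOLERANCE = 6.0   # assumed maximum error per gesture, in grid cells

@dataclass(frozen=True)
class Gesture:
    kind: str               # "tap", "line" or "circle"
    points: tuple           # tap: (p,); line: (start, end); circle: (center,)
    radius: float = 0.0     # circles only, in grid cells
    clockwise: bool = True  # circles only

def to_grid(x_px, y_px, width_px, height_px):
    """Map a pixel position to grid coordinates, scaled by the longest side."""
    scale = GRID / max(width_px, height_px)
    return (x_px * scale, y_px * scale)

def gesture_error(stored, attempt):
    """Worst positional error in grid cells, or None on a structural mismatch."""
    if stored.kind != attempt.kind or len(stored.points) != len(attempt.points):
        return None
    if stored.kind == "circle" and stored.clockwise != attempt.clockwise:
        return None
    # A line drawn backwards swaps start and end, so it fails on distance here.
    errors = [math.dist(a, b) for a, b in zip(stored.points, attempt.points)]
    if stored.kind == "circle":
        errors.append(abs(stored.radius - attempt.radius))
    return max(errors)

def verify(stored, attempt):
    """Accept only if count, order, types and direction match and each gesture is close."""
    if len(stored) != len(attempt):
        return False
    for s, a in zip(stored, attempt):
        err = gesture_error(s, a)
        if err is None or err > TOLERANCE:
            return False
    return True

# Constructed sample: a three-gesture set enrolled on a 1366x768 image.
W, H = 1366, 768
ENROLLED = [
    Gesture("tap", (to_grid(300, 200, W, H),)),
    Gesture("line", (to_grid(400, 500, W, H), to_grid(900, 520, W, H))),
    Gesture("circle", (to_grid(1000, 300, W, H),), radius=8.0, clockwise=True),
]
```

Because each gesture is checked in its recorded position, a smudge that reveals where the screen was touched still leaves the order and direction to be guessed.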