Picture Passwords: Alternative or Gimmick?

: @orinthomas

If you’ve used a tablet running Windows for a while, you’ll know that logging on with a complex password involving 8 or more letters, numbers, and symbols gets tiresome. As a way of reducing this tedium, Microsoft has introduced “Picture Passwords”. They work by having you choose a picture and then performing three different types of touches on three different points of the picture. For example a swipe on one part of the picture, draw a circle on another part, and draw an X on a third part.  If your doodles on the picture match what’s stored in the computer, you’re logged on.

If you forget where you swiped, circled, and drew and X, you can always log on using the traditional character based method.

Since the feature was made available in the Dev-Preview of Windows 8, there has been a bit of discussion as to whether the smudges that inevitably end up on a touch screen may give away hints to the nature of the picture password.  A blog post on the Building Windows 8 blog indicates that they’ve put some thought into this, but that it would also be a good idea for people to clean their touchscreen from time to time. So while picture passwords may be convenient and a little fun, they may be a little less secure than traditional passwords.

Picture passwords aren’t the only way of trying to deal with the annoyance that is complex alphanumeric/character based authentication. For a time it seemed that most laptop computers shipped with some sort of fingerprint reader. A few still do. In my own experience the reliability of the fingerprint reader was such that I simply ignored it after the first week and performed a traditional logon. I suspect that was the case generally.

Some new Android phones are playing around with unlocking the screen using facial recognition. There are some reports that you can get around this by showing  the phone a photograph of the owner. Spoofing authentication using a recording is a problem that voice recognition systems have as well. Most can’t differentiate between a recording of the person’s voice and a live version of a person’s voice.

While adequate, I suspect that it’s not likely that any of these alternatives will displace alphanumeric/character based passwords. The history of technology is replete with examples of solutions that weren’t the most efficient becoming dominant. The QUERTY keyboard, Space Shuttle, and VHS amongst some of the most obvious.

Where these alternatives might have a place is in a simple implementation of multi-factor authentication. Rather than having just a password as an authentication mechanism, these alternatives could be used in conjunction with one another to provide more secure logons without the faffing about required when deploying smart cards. Rather than just logging on with a password, you also have to have your face recognized by a web cam, using a picture password, fingerprint, or voice recognition as a fallback.

Only time will tell how successful the picture password is. On my own Windows 8 tablet I use it exclusively. It will be interesting to see how it translates at an organizational level where regular password updates are more of a necessity.

--

Follow me on twitter: @orinthomas

My new book: Windows Server 2008 R2 Secrets. It is a book for experienced Windows administrators new to Windows Server 2008 R2: