Have you ever used Windows 8’s picture password feature for touch-screens? If not, here is how it works: you choose a picture and then select three swipe gestures across the picture. This is supposed to make for optimal security, as there’s no standard base from which to begin a brute-force attack.

However, some researchers claim picture passwords aren’t as secure as they’re being made out to be. “Based on the findings of our user studies, we also propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system,” said researchers from Arizona State University, Delaware State University and GFS Technology Inc., who presented “On the Security of Picture Gesture Authentication” during the USENIX Security Symposium.

“Our approach is based on the concept of selection function that models users’ password selection processes. Our evaluation results show the proposed approach could crack a considerable portion of collected picture passwords under different settings.”

“It is obvious that pictures with personally identifiable information may leak personal information,” the paper states. “However, it is less obvious that even pictures with no personally identifiable information may provide some clues which may reveal the identity or persona of a device owner. Traditional text-based password does not have this concern as long as the password is kept secure.”

“The cornerstone of accurate strength measurement is to quantify the strength of a password,” the paper states. “With a ranked password dictionary, our framework, as the first potential picture-password-strength meter, is capable of quantifying the strength of selected picture passwords. More intuitively, a user could be informed of the potential number of guesses for breaking a selected password through executing our attack framework.”

Surprisingly, BlackBerry intends to bring a similarly styled native unlock screen to BlackBerry 10. However, it will encompass more than just swipe gestures. Within the filesystem of OS 10.2.1, developers found a PicPassword.bar file.


Picture Password for BlackBerry 10 will allow you to choose a picture, then select a number and the position where you drag that number. Once you’ve made your selection, the new unlock screen will look like this:


It will certainly be interesting to see if BlackBerry 10’s Picture Password feature will be more secure than Windows 8’s Picture Password, as described above. Nevertheless, we love seeing these new innovative ideas looking to arrive in BlackBerry 10 soon! Check out the video below of the BlackBerry 10 Picture Password in action:


via BerryFlow, BBEmpire