The new feature introduced in Windows 8, which lets users combine an image with touchscreen gestures to create a password for accessing the device, has been found to have loopholes. Microsoft introduced this feature alongside traditional text-based passwords in the belief that tracing a pattern on a picture would be secure. The feature is known as Picture Gesture Authentication (PGA); images can be loaded from the pictures stored in the Windows 8 Picture Library or from a default set provided by the OS. Gestures cannot be drawn freely: the OS automatically converts each scribble into a tap, a line or a circle.
However, at the Usenix Conference a few days ago, research from Arizona State University, Delaware State University and GFS Technology Inc. showed that their experimental model and attack framework allowed 48% of passwords to be cracked for unseen pictures in one dataset and 24% in the other without much effort. They found that a large number of people opt to draw on common features such as the mouth, nose, eyes or face. The project found that 9.8% of people created gestures at random, without any consideration, while the rest admitted that they used “special objects” in the images to create a gesture.
Going by the statistics given by Microsoft and the feedback from users, PGA passwords are not that easy to guess, but the research paper warns against the system. Microsoft has been advised to add a strength meter to the PGA system to help its users create strong passwords. It would keep users from choosing weak passwords, as happens with text-based passwords. The strength meter, as suggested by the researchers, is believed to enhance the security of passwords created through the PGA system.
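To make the strength-meter idea concrete, here is an added sketch (not the researchers' or Microsoft's meter) that rates a picture password by how many of its gesture points land on obvious features such as eyes, nose or mouth. The gesture format, the labelled regions, the margin and the thresholds are all assumptions made for this illustration.

```python
# Added illustration: a toy strength meter for picture-gesture passwords.
# Assumptions (not from the article): gestures are dicts with coordinates
# normalised to 0..1, and points of interest (POIs) are labelled boxes.

# Constructed sample: regions a face detector might report for one photo,
# stored as (x_min, y_min, x_max, y_max).
SAMPLE_POIS = {
    "left_eye":  (0.30, 0.30, 0.40, 0.38),
    "right_eye": (0.60, 0.30, 0.70, 0.38),
    "nose":      (0.45, 0.40, 0.55, 0.55),
    "mouth":     (0.40, 0.62, 0.60, 0.72),
}

def anchor_points(gesture):
    """Points that define a gesture: tap/circle centre, or both line ends."""
    if gesture["type"] in ("tap", "circle"):
        return [gesture["at"]]
    if gesture["type"] == "line":
        return [gesture["start"], gesture["end"]]
    raise ValueError(f"unknown gesture type: {gesture['type']!r}")

def poi_hit(point, pois, margin=0.03):
    """Name of the first POI whose box, grown by margin, contains the point."""
    x, y = point
    for name, (x0, y0, x1, y1) in pois.items():
        if x0 - margin <= x <= x1 + margin and y0 - margin <= y <= y1 + margin:
            return name
    return None

def rate_password(gestures, pois):
    """Rate a gesture sequence by the share of anchor points that sit on a POI."""
    if not gestures:
        raise ValueError("a picture password needs at least one gesture")
    points = [p for g in gestures for p in anchor_points(g)]
    hits = [poi_hit(p, pois) for p in points]
    on_poi = sum(h is not None for h in hits)
    # Hypothetical thresholds: two thirds or more on POIs is weak, none is strong.
    if on_poi * 3 >= len(points) * 2:
        label = "weak"
    elif on_poi > 0:
        label = "fair"
    else:
        label = "strong"
    return {"label": label, "poi_ratio": round(on_poi / len(points), 2), "hits": hits}
```

A real meter would also have to weigh gesture type, order and direction, which this sketch ignores.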