
Microsoft’s “Picture Password”: A Breath Of Fresh Air On The Lock Screen - FluidDjango
http://techcrunch.com/2012/01/09/microsofts-picture-password-a-breath-of-fresh-air-on-the-lockscreen-of-all-places/
======
eridius
Sounds like a great way to remember your gesture. But it also sounds like a
great way to pick an extremely obvious gesture (e.g. outline of the house)
that someone else can guess. If your gesture is based on prominent features in
the picture, that greatly limits the search space for an attacker.

~~~
JoshTriplett
Exactly. This seems even less secure than the Android "lock pattern"
mechanism, which at least provides a grid of nine features and no obvious
reason to choose any particular set. (Despite that, I suspect many people use
the same patterns.) The examples given in the article provide little to no
security, while giving a novice user the illusion of security. Ideally, this
ought to have gone through extensive practical security testing: what pictures
and patterns do users pick, and how easily can others guess those patterns?

I could understand the aversion to passwords if people had to remember a pile
of them, but they don't. You only need to memorize one: the password to unlock
your personal system. Can people really not remember _one_ secure password?

~~~
Karunamon
>Can people really not remember one secure password?

Answer: No - and then you're asking to get fully compromised when the (good
and secure!) password gets revealed from some service somewhere not following
best practices.

~~~
JoshTriplett
No service should ever have your secure password. It should unlock your
personal system, which can then remember all the (different, random, and
secure) passwords or keys for any other service you use.

~~~
Retric
You're assuming the average user's machine is secure. I don't think that's
necessarily true. For most people, a list of common passwords stored under
their keyboard is probably more secure than an encrypted file on their HDD.

~~~
JoshTriplett
If you don't have a secure machine to enter passwords in, it doesn't matter
_where_ you store them.

------
aantthony
Does anyone else think that this is just convoluted and confusing?

~~~
tikhonj
Actually there's some solid research behind this. If I recall correctly,
people naturally find it much easier to remember which parts of a picture to
hit rather than remembering a password.

Unfortunately, I can't find the research and sample that I remember reading
about a while back--Google is spammed with Windows 8 stuff when I search for
it and I'm terminally lazy. However, I definitely recall reading about
research in this vein.

------
Gustomaximus
The smudge hack is only relevant if you have a continuous swipe on the screen.
If you allow lifting your finger and poking several things, you have limited this
hack's effectiveness, as people may see where you poked but not the order. So
"tap your dogs in a certain order" weakens this hack. Also it seems to assume
you are doing nothing else on the phone. When I open the phone I generally do
something which leaves additional smudges. So someone will not know if they
are the password or activity.

Like it or not, I like the innovation. The best would be if you had a choice
of lock screens and one chooses the style you like.

------
tikhonj
I think one way to mitigate the smudge factor is just to rotate the picture
each time. I am willing to bet (despite being totally uninformed :)) that a
person will remember where to touch on the _picture_ rather than the screen,
so rotating the picture will not make it much more difficult to enter the
password.

~~~
rsbaskin
From [http://blogs.msdn.com/b/b8/archive/2011/12/19/optimizing-picture-password-security.aspx](http://blogs.msdn.com/b/b8/archive/2011/12/19/optimizing-picture-password-security.aspx)

As several comments suggested, we also considered shrinking the size of the
image and displaying it at random positions and slight rotations on the screen
to minimize any risk from smudges. We knew from usability feedback that
decreasing the size of the image both increased the difficulty of properly
entering the gesture and made the login experience feel less immersive;
however, if there were a significant improvement to security, we wanted to
consider the costs and benefits. What we discovered was that while shifting
the image could reduce the buildup of smudges in specific spots, there were
even more prominent “clouds” of taps, lines and circles that were identical
relative to each other. With this information, an attacker could easily figure
out the gestures relative to each other. With that information, it was a
simple exercise to move them around the picture until they appeared to
coincide with significant elements of the picture. There wasn’t a noticeable
improvement in security and we were able to measure significant degradations
to the fast and fluid user experience. In reality, using smudges is very
difficult.

------
sunchild
Serious question: why aren't we using biometrics, e.g., fingerprints or iris
detection?

I want authentication that: (1) identifies me, not a key-holder, and (2)
requires only things that I will always have with me.

~~~
amock
You can't change biometrics, so once someone forges your identity they will
always have access to anything that requires only biometric identification.

~~~
sunchild
How does one forge biometrics? (Notice that I'm not asking how to spoof
biometric readers with insecure designs, e.g., the one MythBusters busted.)

Anyway, this is already the case – fingerprints are used as evidence of
criminal liability. If someone forges my fingerprints, they could get me into
a huge amount of trouble, in theory.

~~~
ars
> How does one forge biometrics?

At the end of the day a finger or an iris is a physical object you can make.
Since it's impossible to keep the "key" secret, you can always copy it and
make one - how hard you have to work to make it depends on how good the design
is, but fundamentally there is no secret and without a secret it's useless for
authentication.

> If someone forges my fingerprints, they could get me into a huge amount of
> trouble, in theory.

Yes, they can, and sometimes they do. But it's not common enough for police to
worry about it.

~~~
sunchild
But let's admit that there's no such thing as a secret, really, and it's more
about how difficult a thing is to reproduce or reverse engineer. I mean,
everything about security is just a big game of "hide the ball" and the
question is how many hoops one must jump through to find the ball.

~~~
ars
Of course there are secrets. What you are trying to say is that the system will
let you make many attempts until you guess the secret.

But with biometrics there are no guesses - you know exactly what it should
look like. There is difficulty in implementation certainly, but a basic
principle of security is that each increment of difficulty in the securer
(like a longer password) should increase the difficulty of the attacker by an
order of magnitude.

Biometrics does not have this property.

~~~
sunchild
Thanks for taking the time to respond here and elsewhere. You make some really
interesting points, and I understand this topic much better now.

------
user24
A question that bugs me about these kinds of locked phones: What about
emergency calls?

I don't have a smartphone so I don't know how it works, but it seems from what
I've seen that modern cellphones prevent people from using them for emergency
calls unless they know the swipe/unlock code. Is that correct?

edit: just googled, looks like android and iphone have an 'emergency call'
button on the lock screen. Fair enough.

~~~
andrewheins
It should be mentioned that this creates problems of its own. Toronto Police
recently released their numbers, and 18% of the calls to 911 were pocket dials
created by those "emergency call" buttons. We're talking hundreds of thousands
of calls clogging 911 each year, each requiring the operator to listen to the
whole pocket dial, attempt to make contact, call back, and if no contact is
possible, send a squad car to investigate.

What we've got isn't working.

~~~
nemetroid
The Android "emergency call" button just brings up a dial pad. I can't imagine
that causing many pocket dials.

------
rhplus
There's a detailed article discussing the feature here:

[http://blogs.msdn.com/b/b8/archive/2011/12/16/signing-in-with-a-picture-password.aspx](http://blogs.msdn.com/b/b8/archive/2011/12/16/signing-in-with-a-picture-password.aspx)

The important thing is that this feature is completely optional and can be
disabled in organizations by group policy.

------
matdwyer
I love it - does anyone know if there is an iOS app that has this
functionality?

I read the title and instantly thought how cool it would be to do exactly what
the article described.

------
PlanetFunk
Could the smudge hack be fixed by using more than one picture/password swipe?

------
georgieporgie
I find it annoying that we're innovating different ways of doing the exact
same thing: switching from completely locked to completely unlocked.

I want near-instant access to a notepad for jotting down thoughts. I want more
locking for reading existing notes. Still more for accessing email. I want a
strong lock protecting apps related to finances.

The simple lock (just to prevent pocket-dialing) should be like a slider. The
intermediate lock could be this drag pattern thing (which is just a friendly
version of the Android drag lock). The strong lock could be a coded sequence
with buttons that change location.

~~~
adgar
One of my absolute favorite iOS features in iOS5 before I switched to Android
was the new "take a photo from the lock screen" button. I felt _understood_
when they added that.

~~~
WrkInProgress
It's something they borrowed from Windows Phone 7, which has allowed you
instant access to the camera (albeit via a mandated hardware button) while the
phone is locked.