Microsoft’s Security Measures Failed

Although Microsoft has been claiming that picture passwords are very safe, researchers have found that they can be cracked more easily than the software giant believes.
When Microsoft offered a Picture Gesture Authentication (PGA) system on its new Windows 8, many thought it was a brilliant idea. However, a paper submitted to the USENIX Security Conference has revealed that some setups are easier to crack than others. The paper, titled “On the Security of PGA”, was written by researchers from Arizona State University, Delaware State University and GFS Technology, and explains why unique picture password gestures may not be as unique as Microsoft believes.
Apparently, using a picture of an individual and then three taps as the gestures, with one of them on the eyes, was the equivalent of making the text password “password”. The security experts managed to develop an attack framework and attack models that were able to defeat Picture Gesture Authentication.
All a hacker has to do is work out a person’s password selection process, which allows cracking a considerable portion of collected picture passwords under various settings. The main problem is that most people simply upload their own photo to set up their picture gesture password, paying no attention to the method provided by Microsoft.
As you can guess, there’s an obvious relationship between background pictures and an individual’s identity, personality or interests, with 60% of users choosing areas on an image where “special objects” are located. The most popular area is the eyes, followed by the nose, hand or finger, jaw and face.
In the meantime, some people choose a landscape photo because it normally does not contain any information about who they are, while others choose computer game posters or cartoons. According to security experts, such moves don’t necessarily protect users’ privacy.