Your unique picture gesture password for Windows 8 just got easier to crack. We all know text-based passwords are not overly secure, so when Microsoft offered a Picture Gesture Authentication (PGA) system on Windows 8, many people chose that option. However, if you chose a photo of a person to set up your picture password and used tap, tap, tap as your gestures on the picture—with at least one of those taps on the eyes—then you chose the most common gesture type and facial area for picture-based authentication. It is also the most insecure and easiest to crack, according to new security research on Windows 8 PGA; the researchers also developed an attack framework and attack models.

After analyzing picture gesture authentication on more than 10,000 picture passwords collected from more than 800 subjects through online user studies, the researchers found that regardless of what image you selected, your unique picture password gestures may not be so unique after all. Arizona State University, Delaware State University and GFS Technology Inc. researchers presented “On the Security of Picture Gesture Authentication” [pdf] at the USENIX Security Symposium. The paper states:

“Based on the findings of our user studies, we also propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system. Our approach is based on the concept of selection function that models users’ password selection processes. Our evaluation results show the proposed approach could crack a considerable portion of collected picture passwords under different settings.”

Overall, most people choose to upload one of their own photos to set up their picture gesture password, instead of using one that Microsoft provided.
The researchers found that there is a relationship between background pictures and a user’s identity, personality or interests, with 60.3% of users selecting areas on an image where “special objects” are located. The chosen picture password images ranged from celebrity photos to system screenshots, but the most commonly chosen picture category was people. In fact, eyes are the most frequently chosen point of interest, followed by nose, hand/finger, jaw and face.

Other users refused to use a picture of themselves, family, or friends because they believed it might “leak his or her identity or privacy” to “anyone who picks up the device.” While some users chose a landscape photo because it “usually doesn’t have any information about who you are,” and others selected computer game posters or cartoons, the researchers said that doesn’t necessarily protect your privacy. They wrote:

“It is obvious that pictures with personally identifiable information may leak personal information. However, it is less obvious that even pictures with no personally identifiable information may provide some clues which may reveal the identity or persona of a device owner. Traditional text-based password does not have this concern as long as the password is kept secure.”

The research also found that a picture gesture password’s strength has a “strong connection” to how long a person spent setting up that password gesture. The most common gesture combination is three taps, meaning it took about 4.33 – 5.74 seconds to set up. Passwords with two circles and one line took the longest average input time, about 10.19 seconds. In the image below, Microsoft suggested Circle-Line-Dot as an example for Windows 8 PGA setup.
After studying why people choose certain categories of images, the most common gesture types and direction patterns in PGA passwords, the researchers developed an attack framework that is “capable of cracking passwords on previously unseen pictures in a picture gesture authentication system.” They hope their attack framework could be used as a picture password strength meter to help protect users. Although policies such as ‘three taps are not allowed’ could be set up to help users choose secure passwords, they said rule-based password composition policies have proven to be ineffective for traditional text-based passwords.

“The cornerstone of accurate strength measurement is to quantify the strength of a password. With a ranked password dictionary, our framework, as the first potential picture-password-strength meter, is capable of quantifying the strength of selected picture passwords. More intuitively, a user could be informed of the potential number of guesses for breaking a selected password through executing our attack framework.”

The paper concluded, “We believe the findings and attack results discussed in this paper could advance the understanding of background draw-a-secret and its potential attacks.”

If you are interested, then you might want to read “On the Security of Picture Gesture Authentication” [pdf] in full.
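The strength-meter idea in the quoted passage, as an added example that is not the researchers’ code or data: a “selection function” scores how likely users are to pick each gesture type and picture region, every three-gesture password is enumerated in likelihood order, and a chosen password’s position in that ranked dictionary is reported as the number of guesses it would survive. The point-of-interest names, the weights, the hypothetical portrait photo and the two sample passwords are all constructed for illustration; only the ordering (taps dominate, eyes are chosen most, then nose, hand/finger, jaw) follows the study as described above.

```python
"""Toy picture-password strength meter (added example, not the researchers' code).

Model users' "selection function" (which picture regions and gesture types they
favour), enumerate candidate passwords in likelihood order, and report a chosen
password's position in that ranked dictionary as the number of guesses needed.
All PoIs and weights below are constructed sample data for one hypothetical photo.
"""
from itertools import product
from typing import Dict, List, Optional, Tuple

Gesture = Tuple[str, ...]   # ("tap", poi), ("circle", poi) or ("line", from_poi, to_poi)
Password = Tuple[Gesture, Gesture, Gesture]

# Constructed selection weights for points of interest (PoIs). The ordering
# follows the study (eyes most popular, then nose, hand/finger, jaw); the
# numbers themselves are assumptions, as is the filler "background" region.
POI_WEIGHT: Dict[str, float] = {
    "left_eye": 0.25, "right_eye": 0.25, "nose": 0.15,
    "hand": 0.12, "jaw": 0.10, "background": 0.03,
}
# Constructed gesture-type weights; taps dominate, as the study reports.
GESTURE_WEIGHT: Dict[str, float] = {"tap": 0.7, "circle": 0.2, "line": 0.1}


def gesture_score(gesture: Gesture) -> float:
    """Selection-function score of one gesture: the gesture-type weight times
    the weight of every PoI it touches (a line touches two)."""
    kind, *points = gesture
    score = GESTURE_WEIGHT[kind]
    for poi in points:
        score *= POI_WEIGHT[poi]
    return score


def all_gestures() -> List[Gesture]:
    """Every single gesture the meter considers on this picture."""
    pois = list(POI_WEIGHT)
    taps = [("tap", p) for p in pois]
    circles = [("circle", p) for p in pois]
    lines = [("line", a, b) for a in pois for b in pois if a != b]
    return taps + circles + lines


def ranked_dictionary() -> List[Password]:
    """All three-gesture passwords, most likely first.

    Scores are rounded so equal-probability passwords form a tie group, which
    is then broken by tuple order to keep the ranking deterministic."""
    def key(pw: Password):
        score = 1.0
        for g in pw:
            score *= gesture_score(g)
        return (-round(score, 12), pw)
    return sorted(product(all_gestures(), repeat=3), key=key)


def guesses_needed(pw: Password,
                   dictionary: Optional[List[Password]] = None) -> Tuple[int, int]:
    """Return (rank, total): rank is how many guesses a walk down the ranked
    dictionary spends before reaching pw; total is the candidate-space size."""
    if dictionary is None:
        dictionary = ranked_dictionary()
    return dictionary.index(pw) + 1, len(dictionary)


# Constructed sample passwords: the study's most common pattern (three taps,
# eyes included) versus a mixed circle/line password on less popular regions.
COMMON: Password = (("tap", "left_eye"), ("tap", "right_eye"), ("tap", "nose"))
UNCOMMON: Password = (("circle", "nose"), ("circle", "jaw"), ("line", "hand", "background"))

if __name__ == "__main__":
    ranked = ranked_dictionary()
    for label, pw in (("common", COMMON), ("uncommon", UNCOMMON)):
        rank, total = guesses_needed(pw, ranked)
        print(f"{label}: guess {rank} of {total}")
```

With these constructed weights the three-tap password lands within the first twenty guesses of roughly 74,000 candidates, while the circle/line password sits thousands of positions deeper; a real meter would fit the weights from observed password data and detect points of interest in the user’s actual picture rather than hard-coding them.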
Follow me on Twitter @PrivacyFanatic