Computer Security Technology Ltd

+44 (0)20 7621 7836

September 22, 2013

Gesture-based passwords found wanting

A number of companies are developing alternatives to passwords, seeking a simpler option for users to unlock phones and computers. However, it seems Microsoft’s gesture-based system could be easier to crack than first thought.

The software giant developed a technique for its Windows 8 platform which requires users to trace a pattern they know over the top of a familiar photograph. It was thought that this would prove not only more fun than typing out long, complex passwords, but a lot quicker too.

The system works by enabling users to choose an image from their library, before being asked to draw three individual points upon it. These can be circles, swipes or simple taps. Microsoft then divides the image into a grid and plots the movements, which then need to be repeated to unlock the device at a later stage.

Now critics have claimed that, whilst the technique is undeniably quicker and more fun, it’s doubtful whether it has the much-needed security credentials. Among them are researchers from Arizona State University, who claimed that cracking the gesture recognition software can be achieved with relative ease.


Looking at the bigger picture

The researchers were presented with two datasets with images they had not previously seen. They then succeeded in cracking 48 per cent of passwords with one image and 24 per cent on another. Much of this was due to password setters simply being rather unimaginative – choosing to circle eyes, faces or discrete but easily visible objects.

Not only that but, with no supporting information and using a purely automated attack, some 0.9 per cent of passwords could still be cracked within the five-attempt limit.

But instead of claiming the technique should be ditched altogether, researchers have lobbied Microsoft to install a strength meter to ensure users opt for passwords which are adequately complex.
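A sketch of what such a strength meter could check, written for this page as an added example and not taken from Microsoft or the researchers: it maps each of the three gestures onto the grid and flags those that land on obvious points of interest such as faces or standout objects. The grid size, tolerance margin, point-of-interest boxes and scoring thresholds are all assumptions.

```python
from dataclasses import dataclass

GRID = 100  # assumed number of grid cells along the image's longest side

@dataclass(frozen=True)
class Gesture:
    kind: str      # "tap", "circle" or "line"
    points: tuple  # pixel anchors: centre for tap/circle, both ends for a line

def to_cell(pt, width, height):
    """Quantise a pixel coordinate onto the grid laid over the image."""
    scale = GRID / max(width, height)
    return int(pt[0] * scale), int(pt[1] * scale)

def on_poi(cell, poi_cells, margin=2):
    """True if the cell lies inside, or within `margin` cells of, a POI box."""
    cx, cy = cell
    return any(x0 - margin <= cx <= x1 + margin and y0 - margin <= cy <= y1 + margin
               for (x0, y0), (x1, y1) in poi_cells)

def rate_picture_password(gestures, width, height, poi_boxes):
    """Return (label, predictable_gestures) for a three-gesture picture password.

    poi_boxes: pixel boxes (x0, y0, x1, y1) around faces, eyes and standout
    objects, e.g. from an image detector (constructed by hand below).
    """
    if len(gestures) != 3:
        raise ValueError("a picture password is exactly three gestures")
    poi_cells = [(to_cell((x0, y0), width, height), to_cell((x1, y1), width, height))
                 for x0, y0, x1, y1 in poi_boxes]
    # A gesture is predictable when every anchor sits on a point of interest.
    predictable = [g for g in gestures
                   if all(on_poi(to_cell(p, width, height), poi_cells) for p in g.points)]
    label = ("strong", "fair", "weak", "weak")[len(predictable)]
    return label, predictable

# Constructed sample: 800x600 photo with one face box and one object box.
POIS = [(300, 100, 400, 220), (600, 380, 680, 460)]
WEAK = [Gesture("circle", ((350, 160),)), Gesture("tap", ((330, 140),)),
        Gesture("line", ((100, 500), (700, 500)))]
STRONG = [Gesture("tap", ((50, 550),)), Gesture("circle", ((720, 80),)),
          Gesture("line", ((100, 500), (700, 300)))]

if __name__ == "__main__":
    print(rate_picture_password(WEAK, 800, 600, POIS)[0])
    print(rate_picture_password(STRONG, 800, 600, POIS)[0])
```

A meter like this would warn at enrolment time, before a predictable password is ever stored.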