
Data Security: Windows 8 May Feature Picture Passwords

If you're using disk encryption software like AlertBoot, chances are you have to remember a slightly longish, complex password.  After all, what's the use of the strongest encryption in the world if the password for accessing your encrypted contents is a short word like "love"?

Microsoft might have a solution that is more elegant than trying to remember a nonsensical password: the picture password, which is based on a picture of your choosing (that is, you choose your own picture as opposed to having to choose from one of the pictures provided by some faceless company you're not familiar with).

Gestures + Personal Pictures = Better Access Control

According to Microsoft's developer blog, the

picture password is comprised of two complementary parts. There is a picture from your picture collection and a set of gestures that you draw upon it. Instead of having you pick from a canned set of Microsoft images, you provide the picture, because it increases both the security and the memorability of the password. [blogs.msdn.com]

The idea is to tap, circle, and draw lines in a given space.  For example, if you have a picture of a dog running in a field with a solitary tree, perhaps your password will be drawing a line between the dog and the tree, circling the trunk of the tree, and then circling the dog's hind legs.  This would be your password.

Of course, what really matters is where you tap and circle in a given space.  The image is just a guide to anchor those gestures (no doubt this would work if the image you chose was a "polar bear in a snowstorm in the middle of the arctic being hunted by ghosts").

The use of pictures over characters or PINs, according to the Microsoft guys, actually affords even better security.  They've got the math to prove it on their site, although I'm a bit skeptical about how they got their numbers (they don't really explain it except for drawing straight lines).

As summarized by digitaltrends.com,

Microsoft also outlined how security is increased with the Picture Password method. For instance, if a user creates a six-character text password with at least one uppercase letter and one number, there would be 7 billion combinations available. However, if a user creates a picture password with six gestures using only taps, that number increases to 1.3 trillion combinations. Even further, reducing the number of gestures to five and including at least one circle and one line gesture within the group increases the number of combinations to approximately 70 trillion.
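The counts in the two quotes depend entirely on what is being counted. As an added illustration that is not from the original post and not Microsoft's published calculation, the Python below uses inclusion-exclusion to count sequences that must contain at least one member of each required class, and applies it both to a text-password policy and to an assumed, simplified model of picture-password gestures. The grid size, the recogniser tolerance and the way lines and circles are enumerated are all assumptions made for the example; the point is that the resulting numbers are only as good as the model behind them, which is exactly what a reader cannot check without that model.

```python
from itertools import combinations
from typing import Dict, Iterable


def count_sequences(class_sizes: Dict[str, int], length: int,
                    required: Iterable[str] = ()) -> int:
    """Count sequences of `length` symbols, each drawn from the union of the
    classes in `class_sizes`, in which every class named in `required`
    appears at least once.  Inclusion-exclusion over the subsets of required
    classes that are *missing* from the sequence."""
    required = list(required)
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            alphabet = sum(n for name, n in class_sizes.items() if name not in missing)
            total += (-1) ** k * alphabet ** length
    return total


# Text passwords: the lower/upper/digit classes of an ASCII keyboard.
TEXT_CLASSES = {"lower": 26, "upper": 26, "digit": 10}


def text_password_space(length: int = 6,
                        required: Iterable[str] = ("upper", "digit")) -> int:
    """Six characters with at least one uppercase letter and one digit."""
    return count_sequences(TEXT_CLASSES, length, required)


def gesture_classes(grid_w: int = 100, grid_h: int = 100,
                    tolerance: int = 10, radii: int = 5) -> Dict[str, int]:
    """ASSUMED model, not Microsoft's: the image is laid over a grid_w x grid_h
    grid and the recogniser accepts a point if it lands in the same
    tolerance x tolerance cell, so only (grid_w/tolerance)*(grid_h/tolerance)
    positions are distinguishable.  A line is an ordered pair of distinct
    positions; a circle is a centre, one of `radii` radius buckets and a
    direction (clockwise or not)."""
    positions = (grid_w // tolerance) * (grid_h // tolerance)
    return {
        "tap": positions,
        "line": positions * (positions - 1),
        "circle": positions * radii * 2,
    }


def picture_password_space(gestures: int = 6, required: Iterable[str] = (),
                           **model) -> int:
    """Number of gesture sequences under the assumed model; `required` lists
    gesture types that must appear, e.g. ("circle", "line")."""
    return count_sequences(gesture_classes(**model), gestures, required)


if __name__ == "__main__":
    print("6-char text, >=1 upper and >=1 digit:", text_password_space())
    taps_only = gesture_classes()["tap"] ** 6
    print("6 taps only, assumed model:", taps_only)
    print("5 gestures, >=1 circle and >=1 line, assumed model:",
          picture_password_space(5, ("circle", "line")))
```

Changing `tolerance` or `radii` moves the picture-password figures by orders of magnitude while the text-password figure stays put, which is why a raw "trillions of combinations" claim says little until the recogniser's tolerance and gesture encoding are stated.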

Obvious Fail?

One of the first things that I thought was: the raw numbers might be on Microsoft's side, but what about users bungling things that should work in theory?  I'm sure Microsoft must have done studies using control groups and whatnot...but I'm always amazed at how people can undermine things.

For example, take your standard 4-number PIN: I know a person whose mobile device's PIN is "0".  Not "0000" but "0".  He thinks it's genius because he's got the "10 wrong tries and delete everything" option set up, and figures that a thief, if brute-forcing his phone, will go for a four-digit number.  This is what happens when you don't enforce minimum password lengths.

This person would probably circle the heads of the people that show up on his chosen picture and call it a day.  Or maybe he'll tap on them, left to right (as most people are wont to do if they've been raised in a country where people write left to right).  Or maybe draw a line through the middle of each one's head.

Now, Microsoft claims that there's enough variation in how people go about tapping, "lining," and circling that this shouldn't be a problem; I think they're underestimating the general public.

I'm not suggesting that the general public is stupid (although, I've met my fair share who couldn't be described otherwise).  I'm just saying that most don't really care about security and generally tend to make bad decisions when it comes to pass-anythings, be it words or pictures.

Hm.  As I'm winding down on this post, a new thought: how would one create and enforce what is tantamount to the password requirements (minimum total length; use of special characters, upper and lowercase letters, and numbers; no palindromes; no dictionary words; etc.) in a picture password so that it's not "three circles around three heads"?  I bet it's crazy hard.
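One way to approach that question, as an added example that is not part of the original post and not Microsoft's implementation: treat the gesture sequence the way a password policy treats a character string and reject the obviously weak shapes before they are enrolled. The gesture encoding, grid size, tolerance and thresholds below are all assumptions made for the illustration; the two sample sequences are constructed.

```python
from typing import List, Sequence, Tuple

# Assumed gesture encoding (not Microsoft's): coordinates on a grid x grid
# canvas laid over the picture.
#   ("tap", x, y)
#   ("line", x1, y1, x2, y2)
#   ("circle", cx, cy, radius, clockwise)
Gesture = Tuple


def anchors(g: Gesture) -> List[Tuple[int, int]]:
    """The points that define a gesture; used for the spread and repeat checks."""
    kind = g[0]
    if kind == "tap":
        return [(g[1], g[2])]
    if kind == "line":
        return [(g[1], g[2]), (g[3], g[4])]
    if kind == "circle":
        return [(g[1], g[2])]
    raise ValueError(f"unknown gesture type {kind!r}")


def canonical(g: Gesture, tolerance: int) -> Tuple:
    """Bucket coordinates to the recogniser's tolerance so that two gestures
    it would accept as the same also compare equal here."""
    points = tuple((x // tolerance, y // tolerance) for x, y in anchors(g))
    extra = (g[3] // tolerance, bool(g[4])) if g[0] == "circle" else ()
    return (g[0], points, extra)


def check_gesture_policy(gestures: Sequence[Gesture], grid: int = 100,
                         tolerance: int = 10, min_gestures: int = 5,
                         min_types: int = 2, min_spread: float = 0.4) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.
    The rules mirror text-password rules: minimum length, a mix of
    'character classes', no repeats, and no trivially predictable pattern."""
    problems = []
    if len(gestures) < min_gestures:
        problems.append(f"only {len(gestures)} gestures, need at least {min_gestures}")
    types = {g[0] for g in gestures}
    if len(types) < min_types:
        problems.append(f"only {len(types)} gesture type(s), need at least {min_types}")
    canon = [canonical(g, tolerance) for g in gestures]
    if len(set(canon)) < len(canon):
        problems.append("a gesture is repeated (within recogniser tolerance)")
    points = [p for g in gestures for p in anchors(g)]
    if points:
        xs = [x for x, _ in points]
        ys = [y for _, y in points]
        need = min_spread * grid
        if max(xs) - min(xs) < need or max(ys) - min(ys) < need:
            problems.append("gestures confined to a narrow band of the picture")
    firsts = [anchors(g)[0][0] for g in gestures]
    if len(firsts) >= 3 and all(a < b for a, b in zip(firsts, firsts[1:])):
        problems.append("gestures sweep strictly left to right")
    return problems


# Constructed samples: the "three circles around three heads" case from the
# post, and a mixed sequence spread over the whole picture.
THREE_HEADS = [("circle", 20, 30, 8, True), ("circle", 50, 30, 8, True),
               ("circle", 80, 30, 8, True)]
MIXED = [("tap", 12, 80), ("line", 70, 15, 30, 60), ("circle", 55, 40, 12, False),
         ("tap", 88, 90), ("line", 5, 5, 95, 50)]

if __name__ == "__main__":
    for name, seq in (("three heads", THREE_HEADS), ("mixed", MIXED)):
        print(name + ":", check_gesture_policy(seq) or "accepted")
```

The hard part the post points at is not this kind of rule but the one a text policy handles with a dictionary: knowing which regions of the chosen picture are the "obvious" ones (faces, the dog, the tree) so that gestures on them can be penalised. That needs either face or object detection on the enrolled image or a large sample of real users' choices, and neither is captured by a handful of geometric thresholds.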


Related Articles and Sites:
http://blogs.msdn.com/b/b8/archive/2011/12/16/signing-in-with-a-picture-password.aspx
http://www.digitaltrends.com/computing/microsoft-announces-picture-passwords-for-windows-8/

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.