In a blog post published Friday, Microsoft talks about their latest technology currently in Developer Preview – and it has to do with security. Passwords, to be specific.
But not just ordinary alphanumeric passwords. The dev team talks about what they hope to be the future of Windows 8 security – picture passwords.
First off, they begin with the premise that creating a solid alphanumeric password is important, but all of the “capitalize one letter” and “include at least two punctuation marks” types of requirements have made the process unnecessarily cumbersome – especially when trying to enter them on smartphones. Even the PIN system of 4 or so numbers (like you see on the iPhone) is tricky for two reasons: On one hand, you want something that’s easy to remember, but common passwords like 1234 and 9999 are the most easily guessed. So you might want to pick a sequence that means something to you, like your birthday – but then that can be broken if someone has even the slightest bit of info about you.
Their solution is the picture password, and it’s pretty simple.
It basically works on four variables: type of gesture, location of gesture, direction of gesture and order of gestures.
When a user sets up a picture password, they pick their own picture from their library. It could be a photo of the user and their dog, or a family photo from last Thanksgiving. The point is that it’s specific and personal to the user. They are then given a grid to set up their gestures.
There are three types of gestures: a single point, a circle, and a line. The password is a set of these three gestures. On that hypothetical picture of my dog and me, I could for instance draw a circle around the dog’s head, a line from his paw to my face, and a dot on my right knee. Here’s how it looks on one of Microsoft’s test photos:
When the system is judging your swipes to see if you are allowed entry, it takes into account not only the location of your swipes (as in did I draw the line from the paw to the face), but the direction of those gestures and the order in which I perform the three gestures. So, where I begin my circle gesture around the head or which direction I draw the line matters.
According to Microsoft’s test, people were able to complete the gestures in less than 4 seconds. And the combination of gestures is far wider than that of a PIN. In fact, a three-gesture picture password (1,155,509,083 combinations) provides about the same “security promise” (measured in possible combinations) as a 5-6 character password.
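To make the four variables concrete (type, location, direction and order all have to match), and to check the combination figure above against a character password, here is an added example. It is not Microsoft’s code: the coordinate grid, the match tolerance, the circle/line representation and the sample gesture set are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Tuple[float, float]
TOLERANCE = 6  # assumed: how far (in grid cells) a gesture may drift and still match

@dataclass(frozen=True)
class Gesture:
    kind: str                     # "tap", "circle" or "line"
    start: Point                  # tap location, line start, or where the circle stroke begins
    end: Optional[Point] = None   # line end point, or circle centre
    clockwise: bool = True        # rotation direction for circles

def _close(a: Point, b: Point) -> bool:
    return math.dist(a, b) <= TOLERANCE

def gesture_matches(stored: Gesture, attempt: Gesture) -> bool:
    # type and location are checked for every gesture kind
    if stored.kind != attempt.kind or not _close(stored.start, attempt.start):
        return False
    if stored.kind == "tap":
        return True
    if stored.kind == "line":
        # endpoints are compared in order, so a line drawn from face to paw
        # does not match one drawn from paw to face (direction matters)
        return _close(stored.end, attempt.end)
    # circle: same starting point on the rim, same centre, same rotation direction
    return _close(stored.end, attempt.end) and stored.clockwise == attempt.clockwise

def verify(stored_seq, attempt_seq) -> bool:
    """Every gesture must match its counterpart in the same position (order matters)."""
    if len(stored_seq) != len(attempt_seq):
        return False
    return all(gesture_matches(s, a) for s, a in zip(stored_seq, attempt_seq))

def security_bits(combinations: int) -> float:
    """Equivalent key length in bits for a given number of possible passwords."""
    return math.log2(combinations)

def password_bits(length: int, alphabet_size: int = 62) -> float:
    """Bits for a random password of `length` characters over `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)

# Constructed sample: circle around the dog's head, line from paw to face, tap on the knee.
STORED = [
    Gesture("circle", start=(30, 15), end=(30, 25), clockwise=True),
    Gesture("line", start=(20, 70), end=(60, 20)),
    Gesture("tap", start=(70, 80)),
]
```

With the 1,155,509,083 figure quoted above, `security_bits` gives roughly 30 bits, which falls between a random 5-character and 6-character alphanumeric password.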
And what about smudges? They remind us that since the direction of gestures and order of gestures matter, smudges giving your password away shouldn’t be a huge concern:
We’ve also taken some practical considerations to protect you if you use Picture Password. People are often concerned with the smudges left behind on a touch screen and how easy or hard it would be to divine your password based on those markings. Because the order of gestures, their direction and location all matter, it makes the prospect of guessing the correct gesture set based on smudging very difficult even in the completely clean screen case, let alone on a screen that sees regular touch use.
Not quite as awesome as that virtual reality HoloDesk thing – but nicely played, Microsoft.
What do you think? Would you like to draw on a family photo in order to unlock your device? Let us know in the comments.