CIO

Windows 8 picture passwords: Their great untapped potential

Windows 8 lets you use a series of gestures to log into your PC, a minor improvement with big implications.

Love it or hate it, Windows 8 is the bellwether for PCs. Where Microsoft goes, PCs follow. And now Microsoft is making a grab for the mobile market, too. The latest version of Windows is designed with touchscreens in mind, and one bright side of that evolution is the addition of features that make Windows more intuitive and easier to use on all devices.

Windows 8 picture passwords are an example of such a feature: a new, alternative password system that most Windows 8 users aren't even aware of.

Actually, the term picture password is a bit of a misnomer. Sure, the password allows you to log in to your machine using a picture instead of an alphanumeric string of characters, but what you're actually doing is sketching a custom sequence of gestures on top of a picture to verify your identity. For example, if you use a photo of your family, you might sketch a straight line from one person's nose to the next person's nose. Calling these passwords gesture passwords would be more appropriate, but admittedly, that name doesn't have the same alliterative appeal.

Worse, highlighting the feature's similarity to the gesture-based login systems on phones and tablets could further alienate die-hard desktop owners already leery of Windows 8. And that's a shame, because picture passwords are a nice alternative to traditional passwords and should have been integrated into PC operating systems a long time ago.

Such passwords aren't inherently better than your old alphanumeric passwords, but they could be a more convenient (and no less secure) way to log in to your PC.

Gestures are an alternative, not an improvement

Microsoft clearly designed picture passwords with mobile devices in mind, since trying to type a traditional 8- to 16-character alphanumeric password with a virtual keyboard is a recipe for rage. That said, the picture password feature works well enough on nontouch systems too: simply substitute your mouse for your fingertip.

Sketching a series of complex gestures takes a little longer than typing a traditional alphanumeric string on a desktop PC (long live the keyboard), but it's still easier than remembering a complex string of characters, and it's roughly equivalent in terms of security. Arguably, picture passwords are a little more secure on desktops than on touchscreen devices, because you don't have to worry about anyone guessing your gesture password by examining your monitor for greasy fingerprints.

That last scenario may sound like something out of a trashy espionage thriller, but the threat of a "smudge attack" is real enough to warrant serious study. Researchers at the University of Pennsylvania coined the term in 2010 when they were able to successfully deduce gesture passwords used to unlock Android phones from smudge marks left on the screen. You can read the full study for more details, but the most important takeaway is that while gestures are faster, simpler, and more convenient to use when you're logging in to a touch-capable device, they have their own unique vulnerabilities and aren't necessarily any safer than traditional alphanumeric passwords.

We're likely to see a rash of new hacking techniques targeted specifically at touchscreen PCs, so if you're going to add a gesture password to your Windows 8 PC, make sure it's a good one.

How to create a strong picture password

Thankfully, setting up a picture password in Windows 8 is child's play. Just remember that you need to have a locally accessible image to use as the foundation of your picture password before you begin. You also need an alphanumeric password linked to your account in case of emergency, so make sure it's something strong. If the picture password feature fails for any reason, or if you simply forget the gestures you've chosen, you can use your plain-text password to log in to your system.

First, press the Win-W key combination and search for Picture Password. Under the Settings category of results, you should find an entry for Change to create picture password; launching that wizard is the first step in creating your custom picture password.

When the picture password wizard first opens, you're greeted with a big ol' page of PC Settings. Click the Create picture password button about halfway down the page. If you haven't already assigned a plain-text password to your account, you must take care of that before Windows 8 will allow you to continue.

After clicking the Create picture password button, you'll be asked to enter your plain-text password. Once Windows 8 verifies that you are who you say you are, you must sit through a quick animation that explains the types of gestures you can assign to your picture. In short, you can use any combination of three taps/clicks, straight-line drags, and/or circles.

Click the Choose picture button, browse to your preferred image directory, and choose the image you'd like to use as a base for your gestures. The picture is the only thing you'll see when logging in, so pick an image with a resolution high enough that it still looks good when stretched across your screen. Once you select the image, you're asked to position it on-screen; simply drag the image to your desired location and click the Use this picture button.

Time to start gesturing. This process is obviously designed for touchscreen PCs and tablets, but it works with a mouse as well. Remember the order and direction of all of the gestures you drew on the screen; if you draw a line from left to right in the image, for example, you'll also have to draw the line from left to right when unlocking your system.

For maximum security, avoid taps and use circles and lines exclusively. These gestures are harder to guess because they incorporate both positional data and directional data, so an unauthorized user would need to correctly deduce the start point, end point, and direction of your gesture. Every security expert we spoke to about this process cautioned against using gestures that follow the contours of the image in predictable ways, like circling faces or drawing lines between landmarks. Instead, pick an image with strong contrast to create bright reference points, and come up with a creative, convoluted series of gestures to make your password extra strong.

Once you've finished doodling your new password, you should be ready to rock. Windows 8 defaults to the picture password anytime the system is locked or restarted, and ideally all you have to do is draw your gestures on screen to unlock the system.
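To make the points above concrete (order and direction must match, and taps carry less information than lines or circles), here is a toy model of a three-gesture check. It is an added illustration, not Microsoft's code: the grid size, the number of distinguishable circle radii and the sample gestures are all constructed assumptions, and Windows' real matching tolerance is not described in the article.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

GRID = 10  # assumed cell size in pixels; a coarse grid tolerates small drawing jitter


def cell(x: float, y: float) -> Tuple[int, int]:
    """Quantize a screen coordinate to a grid cell (constructed tolerance model)."""
    return (round(x / GRID), round(y / GRID))


@dataclass(frozen=True)
class Gesture:
    kind: str                        # "tap", "line" or "circle"
    p1: Tuple[float, float]          # tap point, line start, or circle center
    p2: Optional[Tuple[float, float]] = None  # line end point
    radius: float = 0.0              # circle radius
    clockwise: bool = True           # circle direction


def normalize(g: Gesture):
    """Reduce a gesture to the features that must match: type, position(s), direction."""
    if g.kind == "tap":
        return ("tap", cell(*g.p1))
    if g.kind == "line":
        # Start and end are kept in order, so a reversed line is a different gesture.
        return ("line", cell(*g.p1), cell(*g.p2))
    if g.kind == "circle":
        return ("circle", cell(*g.p1), round(g.radius / GRID), g.clockwise)
    raise ValueError(f"unknown gesture kind: {g.kind}")


def verify(enrolled: Sequence[Gesture], attempt: Sequence[Gesture]) -> bool:
    """Accept only if every gesture matches the enrolled one in the same order."""
    if len(enrolled) != len(attempt):
        return False
    return all(normalize(a) == normalize(b) for a, b in zip(enrolled, attempt))


def guess_space(kinds: Sequence[str], cells: int, radii: int) -> int:
    """Rough count of distinct sequences under the grid assumption, to compare gesture types.
    A tap is one cell; a line is an ordered (start, end) pair; a circle is a center, radius and direction."""
    per_kind = {"tap": cells, "line": cells * (cells - 1), "circle": cells * radii * 2}
    total = 1
    for k in kinds:
        total *= per_kind[k]
    return total


# Constructed sample: a left-to-right line, a clockwise circle, then a tap.
ENROLLED = [Gesture("line", (10, 10), (90, 10)),
            Gesture("circle", (50, 50), radius=20, clockwise=True),
            Gesture("tap", (80, 80))]
JITTERED = [Gesture("line", (12, 8), (88, 13)),      # slightly off, same cells and direction
            Gesture("circle", (52, 47), radius=22, clockwise=True),
            Gesture("tap", (83, 78))]
REVERSED = [Gesture("line", (90, 10), (10, 10)),     # same line drawn right to left
            Gesture("circle", (50, 50), radius=20, clockwise=True),
            Gesture("tap", (80, 80))]
```

Under a 10x10 grid, three taps give only about a million sequences, while three lines give roughly 9900 cubed, which is why the article steers you toward lines and circles.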

If you want to switch gears and input your plain-text password instead, just tap the corresponding button in the left pane of the picture password screen. You should also be aware that picture password logins can be disabled from within the Windows 8 group policy editor; many businesses do not allow picture passwords to be used on networked machines for security reasons, so be prepared for that if you plan to bring your Windows 8 device to work.