Microsoft's picture-authentication welcomed given password fatigue

The Microsoft picture password available on Windows 8 tablets and touch-enabled PCs has piqued the interest of security experts, who see it as an experiment in ways to combat people's password fatigue.

With the new sign-in method, people unlock a device by using their finger or mouse to draw a pattern on a picture of their choosing. Any combination of three gestures can be used: a circle, straight line or tap.

Experts say Microsoft has not created a better alternative to a well-crafted password, one that uses letters, numbers and symbols. Instead, the company is offering something that's more fun and is certainly as good as the sign-in methods used on the Apple iPhone and Android devices.

While not groundbreaking from a security perspective, Microsoft's experimentation is welcomed in the industry, which studies show is still struggling to get people to use more secure passwords than "password," "123456" and "12345678."

"Experimenting in this field is highly needed," said Daniel Palacio, business development lead for two-factor authentication vendor Authy. "We've had passwords for almost 20 years now. People are very tired of them, but there's not any real good alternative."

From a security perspective, picture passwords have a number of weaknesses that make them a poor choice for corporations. The most obvious negative is the lack of support in Microsoft's Active Directory, the software used to authenticate and authorize all users and computers in a Windows domain network.

[Also see: Critics urge end of passwords, but alternatives not ready for prime time]

In addition, picture passwords can be recorded through malware on an infected computer, similar to how a malicious keylogger records taps on a keyboard. Also, someone can easily see the patterns other people are using to log into PCs.

"A corporate setting is the worst place for a technology thwarted by shoulder surfing," said Chester Wisniewski, a senior security adviser for Sohos. "It would be trivial to access other people's PCs."

Like alphanumeric passwords, people will need to learn best practices when using pictures to avoid having an experienced hacker guess the pattern. Pictures with distinct points of interest, for example, make it easier to figure out what components are used, said Court Little, senior service architect for Solutionary.Ã'Â

Also, drawing gestures from left to right and making logical, as opposed to random, choices weaken the security, he said

Essentially, just like with passwords, using a picture has its good and bad practices and people need to learn them, particularly if the adoption rate rises dramatically over the next few years.

"This could become a bigger and bigger problem going forward, if people pick passwords that are easy to predict and track," Little said.

Read more about access control in CSOonline's Access Control section.