Windows 8 Picture Password Security Broken



As Microsoft release new operating systems, the way users authenticate to these systems is changing. Windows 8 is no different, and with it comes the introduction of Windows 8 Picture Password. This new feature is specifically aimed at securing the rise of tablets and touch screen capable devices.

The authentication process is based on user gesture and is completely customizable, but how secure is this method over traditional password based authentication systems?

Complexity is key

As with any system, Windows 8 Picture Password authentication is only as secure as the construction and thought that goes into it. Just as the classic example of using “password” as a password is insecure because it is easily guessable, a gesture password whose actions are predictable is just as vulnerable.

As a basic example, if a user chooses an image with 4 clear points and simply draws a clockwise line from point to point, the gesture would be easily guessable. Making it more complex by drawing a variety of shapes makes a “brute force” style guessing attack significantly harder.

Windows 8 Picture Password security is the same as for any authentication mechanism: complexity is key. A random collection of gesture movements will inevitably be harder to crack than straight lines from left to right.

Windows 8 Picture Password Cracked

However, new research indicates that Windows 8 Picture Password security is relatively weak and easily crackable. Students at Arizona State University have discovered that their models and attack framework allowed 48% of passwords generated on unseen pictures to be cracked. Using a limit of 5 login attempts, the students discovered that 216 out of 10,000 Windows 8 Picture Passwords were cracked in one data set and 94 out of 10,000 in another. Although this does not represent a significant vulnerability, it equates to 0.9% of passwords being crackable in five attempts using automated tools – a much larger number than Microsoft were anticipating!

The model and attack framework implemented by the students uses a traditional brute force method, but narrows the guesses using patterns in human behaviour. As detailed above, the vulnerabilities in these types of authentication system stem from human behaviour rather than from the system itself. The students discovered that humans are naturally drawn towards certain features of images and towards simple line based gestures. For example, with a picture of a human face, users naturally focus on the facial features rather than on the background of the image or other points. This significantly reduces the guessing range for the image (in traditional password terms this may be like removing the letter “w” from all guesses!).

The students have suggested that a password strength indicator be implemented, similar to the strength meters used for traditional text based passwords, where the user's gestures are rated for complexity. For example, a user drawing predictable patterns on a simple image would be asked to improve their password strength.
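To make the strength-meter idea concrete, here is an added example (not Microsoft's code and not the students' attack framework) of a toy strength estimator for a three-gesture picture password. It encodes the point made earlier on this page: an attacker who knows where the eye-catching points of interest (PoIs) in an image are can restrict guesses to taps, lines and circles anchored on those points, so a gesture sequence that lives entirely inside that small "predictable" space is weak. The PoI coordinates, the snap radius, the cell-based size of the unconstrained space and the "weak/fair/strong" thresholds are all constructed assumptions for the illustration.

```python
"""Toy strength meter for a three-gesture picture password (added example).

Scores a gesture sequence by the size of the guess space an informed
attacker would have to search, treating gestures anchored on known points
of interest (PoIs) as members of a small, predictable dictionary.
"""
from dataclasses import dataclass
from math import hypot, log2
from typing import List, Optional, Tuple

Point = Tuple[int, int]

# Constructed PoIs on a 100x100 normalised canvas: two eyes, nose, mouth.
POIS: List[Point] = [(35, 40), (65, 40), (50, 55), (50, 72)]
SNAP_RADIUS = 8            # endpoints this close to a PoI count as "on" it (assumption)
GESTURES_PER_PASSWORD = 3  # assumption: one password is exactly three gestures

# Unconstrained space per gesture type if endpoints could land anywhere,
# counted in SNAP_RADIUS-sized cells (assumption, not Microsoft's figures).
CELLS = (100 // SNAP_RADIUS) ** 2
RADIUS_BUCKETS = 12
FULL_SPACE = {
    "tap": CELLS,
    "line": CELLS * (CELLS - 1),          # directed line between two cells
    "circle": CELLS * RADIUS_BUCKETS * 2,  # centre cell, radius bucket, direction
}


@dataclass(frozen=True)
class Gesture:
    kind: str                    # "tap", "line" or "circle"
    start: Point                 # tap point, line start, or circle centre
    end: Optional[Point] = None  # line end (unused for tap/circle)
    clockwise: bool = True       # circle direction only


def snap_to_poi(p: Point) -> Optional[int]:
    """Index of the nearest PoI within SNAP_RADIUS, or None if off all PoIs."""
    best, best_d = None, float(SNAP_RADIUS)
    for i, q in enumerate(POIS):
        d = hypot(p[0] - q[0], p[1] - q[1])
        if d <= best_d:
            best, best_d = i, d
    return best


def dictionary_per_gesture() -> int:
    """Number of PoI-anchored gestures an informed attacker tries first."""
    n = len(POIS)
    taps = n
    lines = n * (n - 1)  # directed line between two distinct PoIs
    circles = n * 2      # circle centred on a PoI, either direction
    return taps + lines + circles


def predictable_space() -> int:
    """Size of the whole PoI-anchored dictionary for one password."""
    return dictionary_per_gesture() ** GESTURES_PER_PASSWORD


def is_predictable(g: Gesture) -> bool:
    """True if the gesture is fully anchored on PoIs, i.e. in the dictionary."""
    if g.kind == "tap" or g.kind == "circle":
        return snap_to_poi(g.start) is not None
    if g.kind == "line":
        if g.end is None:
            raise ValueError("line gesture needs an end point")
        a, b = snap_to_poi(g.start), snap_to_poi(g.end)
        return a is not None and b is not None and a != b
    raise ValueError(f"unknown gesture kind {g.kind!r}")


def strength_bits(seq: List[Gesture]) -> float:
    """Effective guess-space size in bits against an attacker who knows the PoIs.

    A predictable gesture contributes only the dictionary's per-gesture
    choices; an unpredictable one contributes its full-space count.
    """
    if len(seq) != GESTURES_PER_PASSWORD:
        raise ValueError(f"expected {GESTURES_PER_PASSWORD} gestures")
    bits = 0.0
    for g in seq:
        bits += log2(dictionary_per_gesture() if is_predictable(g) else FULL_SPACE[g.kind])
    return bits


def verdict(seq: List[Gesture]) -> str:
    """Strength label a picture-password meter could show (thresholds assumed)."""
    bits = strength_bits(seq)
    if bits < 20:
        return "weak"
    if bits < 40:
        return "fair"
    return "strong"


if __name__ == "__main__":
    # The "clockwise line from point to point" case from the article.
    around_the_face = [Gesture("line", (35, 40), (65, 40)),
                       Gesture("line", (65, 40), (50, 72)),
                       Gesture("line", (50, 72), (35, 40))]
    print(f"dictionary size: {predictable_space()} sequences")
    print(f"around_the_face: {strength_bits(around_the_face):.1f} bits -> {verdict(around_the_face)}")
```

Running the script prints a dictionary of 13824 sequences for this four-PoI image and rates the point-to-point line gesture as weak (about 13.8 bits), while the same three lines drawn in the background, away from any PoI, score about 43 bits. The interesting number for a defender is the ratio between those two: it is the amount of guessing work the attacker saves when a user follows the obvious features, and it is what a strength meter should be warning about.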


Although new gesture based authentication methods may be more personal, fun to use and unique, they may be vulnerable to brute force attacks just as traditional authentication mechanisms are. To increase Windows 8 Picture Password security, users are encouraged to carry the complexity of their character based passwords over to gesture based passwords. Gestures need to be unpredictable and random. Images should be chosen that do not have obvious focal points and, as ever, gestures should be changed frequently.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related. Follow Lee on .
