Sunday, December 18, 2011

Windows 8 Tackles Password Fatigue With Pictures

Microsoft is talking a lot about passwords lately. Earlier this week the company posted on its Building Windows 8 blog a lengthy post detailing the problems with current passwords, and how Windows 8 will solve them.

Then Microsoft published another lengthy post Friday outlining why one of those solutions, Picture Password, is so great. It's a fairly convincing argument, even if it's laced with many assumptions.

The essence of Picture Password is to use one of your own personal photos as a key to the device. It'll only work for a touchscreen device — a smartphone, tablet or touchscreen PC — since it involves tracking finger gestures on the screen.

Once you pick a photo to use, Picture Password records three gestures that you "draw" on the screen. Each gesture must be either a tap, a drawn line between two points, or a circle. Once you've entered them, the device will call up the photo at login, prompting you to duplicate them. If you get them all correct, in the right order AND in the right direction (for lines and circles), you have access.

Why just three gestures instead of free-form movements, which would probably be more secure? Time. Microsoft found in its testing that people took much longer to reproduce free-form gestures than simple shapes, which made the feature a chore to use.

It turns out that taps, circles and lines are secure enough, and Microsoft presents the math to back that up. Its post counts the number of possible gesture sequences and compares that figure with the number of possible PINs and typical alphanumeric passwords; by that measure, the number of combinations an attacker would have to try, Picture Password comes out ahead of the common login methods by several orders of magnitude.

Lest you think you'll need to duplicate your gestures precisely, Picture Password is more forgiving than that. Each gesture you draw is scored on how closely it matches the recorded one, and a score of 90% or better counts as a match. What you do have to get right are the order of the gestures and, for lines and circles, their direction.
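To make the matching rules above concrete (three gestures drawn from taps, lines and circles; order and direction enforced; a 90% "close enough" score accepted), here is a small verifier written for this post. It is an added illustration, not Microsoft's code: the normalised 100-unit grid, the distance at which a score drops to zero and the linear scoring formula are assumptions chosen for the example, and only the 90% threshold and the order/direction rules come from the article. The sample password and login attempts are constructed.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

Point = Tuple[float, float]

# Gestures are compared on a normalised grid: the longest side of the
# picture is mapped to GRID units so one password works at any screen
# resolution. GRID, MAX_DIST and the linear scoring below are assumptions
# made for this example, not Microsoft's published algorithm; only the
# 90% threshold is taken from the article.
GRID = 100.0
MAX_DIST = 10.0      # a point this far off (in grid units) scores 0.0
THRESHOLD = 0.90     # "close enough" as described in the article


@dataclass(frozen=True)
class Gesture:
    kind: str                       # "tap", "line" or "circle"
    start: Point                    # tap point, line start, or circle centre
    end: Optional[Point] = None     # line end point (direction matters)
    radius: float = 0.0             # circle radius
    clockwise: bool = True          # circle direction (matters)


def normalize(point: Point, width: float, height: float) -> Point:
    """Map raw screen coordinates onto the GRID-unit coordinate space."""
    scale = GRID / max(width, height)
    return (point[0] * scale, point[1] * scale)


def _point_score(a: Point, b: Point) -> float:
    """1.0 for an exact hit, falling linearly to 0.0 at MAX_DIST units."""
    return max(0.0, 1.0 - math.dist(a, b) / MAX_DIST)


def gesture_score(expected: Gesture, attempt: Gesture) -> float:
    """Score one attempted gesture against the recorded one (0.0 .. 1.0)."""
    if expected.kind != attempt.kind:
        return 0.0
    if expected.kind == "tap":
        return _point_score(expected.start, attempt.start)
    if expected.kind == "line":
        if expected.end is None or attempt.end is None:
            return 0.0
        # Start is compared with start and end with end, so a line drawn
        # along the same path in the opposite direction scores near zero.
        return min(_point_score(expected.start, attempt.start),
                   _point_score(expected.end, attempt.end))
    if expected.kind == "circle":
        if expected.clockwise != attempt.clockwise:
            return 0.0
        radius_score = max(0.0, 1.0 - abs(expected.radius - attempt.radius) / MAX_DIST)
        return min(_point_score(expected.start, attempt.start), radius_score)
    raise ValueError(f"unknown gesture kind {expected.kind!r}")


def verify(expected: List[Gesture], attempt: List[Gesture]) -> bool:
    """True only if every gesture matches its counterpart, in the recorded order."""
    if len(expected) != len(attempt):
        return False
    # zip pairs the i-th attempted gesture with the i-th recorded one,
    # so the sequence must be reproduced in order, not just as a set.
    return all(gesture_score(e, a) >= THRESHOLD for e, a in zip(expected, attempt))


# Constructed sample data (grid units): a recorded password and attempts.
PASSWORD = [
    Gesture("tap", (20.0, 30.0)),
    Gesture("line", (10.0, 10.0), end=(60.0, 10.0)),
    Gesture("circle", (50.0, 50.0), radius=15.0, clockwise=True),
]
CLOSE_ENOUGH = [  # each gesture within tolerance of the recorded one
    Gesture("tap", (20.5, 30.5)),
    Gesture("line", (10.5, 10.0), end=(60.0, 10.5)),
    Gesture("circle", (50.0, 50.5), radius=15.5, clockwise=True),
]
REVERSED_LINE = [PASSWORD[0], Gesture("line", (60.0, 10.0), end=(10.0, 10.0)), PASSWORD[2]]
WRONG_DIRECTION = [PASSWORD[0], PASSWORD[1], Gesture("circle", (50.0, 50.0), radius=15.0, clockwise=False)]
WRONG_ORDER = [PASSWORD[1], PASSWORD[0], PASSWORD[2]]
SLOPPY_TAP = [Gesture("tap", (21.5, 30.0)), PASSWORD[1], PASSWORD[2]]  # 1.5 units off -> 0.85 < 0.90

if __name__ == "__main__":
    # A raw 1366x768 touch at the far corner lands on the grid edge.
    print("corner ->", normalize((1366, 768), 1366, 768))
    for name, attempt in [("close enough", CLOSE_ENOUGH), ("reversed line", REVERSED_LINE),
                          ("wrong circle direction", WRONG_DIRECTION),
                          ("wrong order", WRONG_ORDER), ("sloppy tap", SLOPPY_TAP)]:
        print(f"{name}: {'accepted' if verify(PASSWORD, attempt) else 'rejected'}")
```

The tolerance is also what Microsoft's combination counting has to account for: because every point within the "close enough" region is accepted as the same gesture, the number of distinguishable gestures is the number of tolerance cells on the grid, not the number of pixels, and that smaller figure is the one an attacker's guessing budget is measured against.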

If you're still suspicious, Microsoft says Picture Password is meant as a companion to a text password, not a replacement. On non-touchscreen machines, text would be the only option anyway. (Tip: Do not choose one of the 25 Worst Passwords of 2011.)

The new feature is also just one of several ways the company says it's making the next version of Windows more secure and easier to use. Besides photos, Windows 8 can sync your login across several devices via Windows Live. It also provides a way for developers to create apps that remember passwords the same way Internet Explorer does. On top of that, apps will all be able to use public/private key logins, a kind of "virtual smart card," which Microsoft says are immune to keyloggers and phishing: the private key never leaves the device, so there is no reusable secret for a keylogger to capture or for a fake site to collect.

One thing Microsoft doesn't mention is using a device's camera to recognize the face of the person trying to log in, a security feature Google promotes in the latest version of Android, "Ice Cream Sandwich." Considering that the feature didn't work properly when Google first unveiled it, and that users have subsequently shown it can be defeated with a photograph, it's probably just as well.

Do you see any weaknesses in Picture Password? And would you use it if you had the option? Let us know in the comments.
