This flaw was widely known in the mobile industry when Windows 8 was being developed so we have to wonder what Microsoft was thinking when they decided to create a security option that was very similar to the failed one in Android. Considering the news that this new security system is easily broken it would seem a very foolish choice. However, we took a look at the original concept and although it is flawed, there is a decent amount of logic to why they went this direction and what they felt would protect it.
Now remember the Android security scheme had dots that were visible on the screen. If you looked at the screen at the proper angle the path your finger traces between the dots is visible. This makes it very simple to figure out what the person was doing. Even direction is easy to determine by the thickness of the start point. With Microsoft’s system the points were not known to someone trying to access the system. The end user was allowed to pick any picture they wanted and identify the points, gestures and patterns to use for unlocking. The logic behind this system would seem solid, but it was not. You see hackers and other malicious people have moved into new areas that security has not caught up to yet. They have an understanding of user psychology and also user habits that many security engineers do not incorporate into their designs.
There is also the small problem with the number of possible combinations. Microsoft says that there are 1.155 Billion possible combinations with their picture password system which is around the same number of password combinations you get with 6 character passwords if you only us letters. I do not know of any security experts that would recommend and alpha only password of 6 characters simply because they are too easy to hack. Here the numbers are not in Microsoft’s favor.
On top of the numbers we have something that we alluded to earlier; social engineering. According to researchers people will chose an image that has meaning for them. This can make it easier for a malicious individual to find the starting points and from indicators on the screen they can figure out where the gestures are centered. This increases the chance of guessing the “password” considerably. The combination makes the scheme much less secure than the 6 character password which we know if not secure. In fact even with the 5-try lockout feature you are still likely to “guess” the gesture based password 26 times out of 1,000. This might not sound like it is all that bad, but it actually is compared to other methods of protection.
So it seems that while Microsoft had good logic behind their new system, they failed to imagine that people would chose pictures that were easy to guess and that their three gesture system (tap-stroke-circle) would be easier to hack than a four digit PIN. There is also the possibility that malicious individuals might be able to pull gesture “passwords” from the security database in the same manner than passwords, hashes and hints can be (a fairly sizable flaw in Windows 8 right now). If this is the case then there would be no need to even try to guess the gestures, a bad guy can just pull them from device and get in. We are pretty sure that Microsoft did not envision this type of system penetration in their latest OS and we know that this is one of the reasons that many businesses are not moving to Windows 8 just yet.
Tell us what you think in our Forum