Picture-Based Password Schemes Have Their Weaknesses

A published study on picture-gesture authentication demonstrates weak points hackers could expose in guessing picture-based passwords.

Typing on a smartphone or tablet keyboard lends itself to a lot of fat-fingered mistakes. Recent updates to mobile operating systems and desktop OSes such as Windows 8, however, have tried to better leverage the touch screen for things such as authentication.

Users, for example, have the option of using their fingers to draw lines, circles or tap certain areas on an image in sequence as an alternative to a text-based password. With users often going the simplest, quickest route with text passwords, or burdening help desks with frequent resets, you would think that a framework such as picture-gesture authentication (PGA) would be heralded as the next-best alternative, especially for consumers.

But a group of researchers from Arizona State University, Delaware State University and GFS Technology Inc., have tapped the brakes on that notion. Their work looks at how human cognition plays into picture-based authentication, especially around picture selection and what areas on an image a person is likely to use for their authentication scheme. They developed an attack framework—which they hope will eventually morph into a strength meter for this type of authentication—that was able to crack almost half the picture-based authentication passwords used in their study.

“The core of our framework is the concept of a selection function that simulates users’ selection processes in choosing their picture passwords,” the researchers, Ziming Zhao, Gail-Joon Ahn, Jeong-Jin Seo and Hongxin Hu, wrote in their paper, ‘On the Security of Picture Gesture Authentication.’ “Our approach is not coupled with any specific pictures. Hence, the generation of a ranked password list is then transformed into the generation of a ranked selection function list which is then executed on the target pictures.”

Their work focused on Windows 8’s version of PGA; a similar version is also available on Android devices. Unlike other schemes, Windows 8’s allows users to upload personal photographs rather than select from an existing repository. Upon registration, the user is asked to draw three gestures with their finger, mouse or stylus, and that gesture sequence is used as the authenticator in place of a text-based password.

The study also included collecting data from two sets of subjects. The first was a computer science class which participated via a questionnaire that collected not only demographic information, but general feelings toward PGA use, the selection of a background image to be used for authentication and the selection of the gestures used for authentication. The other was a crowdsourced effort in which 15 pre-selected images were offered to subjects as authentication images. More than 700 subjects took part in the second set versus 58 in the first.

The subjects who were allowed to choose personal photographs did so, the results indicate, because the images were special to them and that made it easier to remember the password gesture sequence, the paper said. The subjects also reported that it would be easier to remember points on a person rather than a landscape, believing as well that this made the password more secure because it would be harder for an attacker to guess. Those who did prefer landscapes did so because they were afraid of leaking personal information, the paper said.

The gestures are the secret sauce, however, in terms of how guessable picture gesture authentication could be. As with text-based passwords, users will choose images they relate to (only 10 percent chose a random image in their study) and they will focus gestures on standout facial features such as the eyes or nose, for example, tapping left eye, right eye, nose. Users also gravitate to remarkable shapes, such as circles, and draw circles around them as authenticators, or to remarkable colors.

Some notable numbers:

  • 60 percent of subjects find locations where special objects catch their eye
  • 86 percent of subjects drew on the eyes at least once
  • 45 percent of subjects drew on the nose
  • 82 percent of gesture types were taps
  • 15 percent of gesture types were lines
  • 7 percent of gesture types were circles

Picture gesture authentication, as it turns out, has many of the same limitations as text passwords. The researchers, meanwhile, urged Microsoft and other providers to make this clearer to users and to implement a strength measurement similar to current password meters.

“With a ranked password dictionary, our framework, as the first potential picture-password-strength meter, is capable of quantifying the strength of selected picture passwords,” the paper said. “More intuitively, a user could be informed of the potential number of guesses for breaking a selected password through executing our attack framework.”
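As an added illustration of how such a meter could work (example code written for this article, not the researchers' framework), the toy Python below models the selection-function idea: a gesture is a gesture type applied to a point of interest (POI) on the picture, every three-gesture sequence is scored and sorted into a guess list, and a password's rank in that list approximates the number of guesses needed to break it. The POI annotations and their weights are constructed for one hypothetical face photo, loosely derived from the percentages above.

```python
"""Toy picture-password strength meter (added example, not the paper's code).

A ranked guess list is built from a selection model: P(gesture type) times
P(point of interest), multiplied over the three gestures. The 1-based rank of
a user's password in that list is the guess count a meter would report.
"""
from itertools import permutations, product
from math import log2

# Gesture-type share reported in the article (taps 82%, lines 15%, circles 7%).
GESTURE_TYPE_WEIGHT = {"tap": 0.82, "line": 0.15, "circle": 0.07}

# Constructed POI annotation for one face photo. Eye/nose values are rough
# per-feature splits of the article's 86% (eyes) and 45% (nose) figures.
POI_WEIGHT = {"nose": 0.45, "left_eye": 0.43, "right_eye": 0.43,
              "mouth": 0.20, "background": 0.10}


def candidate_gestures(poi_weight):
    """Enumerate every (gesture, score) pair the selection model can produce."""
    gestures = []
    for poi, w in poi_weight.items():
        gestures.append((("tap", poi), GESTURE_TYPE_WEIGHT["tap"] * w))
        gestures.append((("circle", poi), GESTURE_TYPE_WEIGHT["circle"] * w))
    for a, b in permutations(poi_weight, 2):  # a line drawn from POI a to POI b
        score = GESTURE_TYPE_WEIGHT["line"] * poi_weight[a] * poi_weight[b]
        gestures.append((("line", a, b), score))
    return gestures


def ranked_passwords(poi_weight=POI_WEIGHT):
    """All three-gesture sequences, most likely first (the guess order)."""
    seqs = product(candidate_gestures(poi_weight), repeat=3)
    scored = [(g1[1] * g2[1] * g3[1], (g1[0], g2[0], g3[0])) for g1, g2, g3 in seqs]
    scored.sort(key=lambda s: -s[0])  # stable sort: ties keep generation order
    return [pw for _, pw in scored]


def guess_rank(password, poi_weight=POI_WEIGHT):
    """1-based position of `password` in the guess list, i.e. guesses to break it."""
    return ranked_passwords(poi_weight).index(tuple(password)) + 1


def strength_bits(password, poi_weight=POI_WEIGHT):
    """Entropy-style figure for a meter display: log2 of the guess count."""
    return log2(guess_rank(password, poi_weight))


if __name__ == "__main__":
    pw = [("tap", "left_eye"), ("tap", "right_eye"), ("tap", "nose")]
    print(f"guesses: {guess_rank(pw)}, strength: {strength_bits(pw):.1f} bits")
```

The eye-eye-nose sequence the article cites as typical lands within the first twenty guesses under this model, while a sequence built from lines and low-interest regions ranks thousands of positions later.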
