A new study shows that about 1% of all Windows 8 gesture-based passwords are crackable within the first 5 attempts by using a brute-forcing technique.
In a paper presented at the Usenix Conference earlier this month, "On the Security of Picture Gesture Authentication," Ziming Zhao, Gail-Joon Ahn and Jeong-Jin Seo from Arizona State, and Hongxin Hu from Delaware State, claim that their experimental model and attack framework allowed them to crack 48% of passwords for previously unseen pictures in one dataset and 24% in another.
This is with 219 guesses in a password space of 230 possibilities. Within the Windows 8 limit of five login attempts, the success rate is less: 216 out of 10,000 gesture passwords in one data set and 94 of 10,000 in the other one. The success rate improved with additional training data. Using a purely automated attack without supporting information, 0.9% of passwords could be cracked within five guesses.
While gesture-based passwords may be an interesting novelty and kind of fun for the user, what isn't novel or fun is having your password cracked and your device hijacked. Although the percentage of users whose passwords are easily crackable is relatively low, that's still a lot of people. As of May, Microsoft reported that they had sold 100 million units of Windows 8 licenses. 1% of that is still 1 million users. That's 1 million computers that are more vulnerable now than they would be without a gesture password feature.
Also of note is that this study concerns only purely brute-force style attacks. However, it's been known for years that gesture-based passwords are vulnerable to another type of cracking - dirty screens. A study once showed that 92% of screens with smudges on them provide a partially detectable password. 68% of the time, the pattern is completely detectable. So even if your gesture is obscure enough to get past a brute forcer, make sure you clean off your screen after you've entered the password.
For excellent password protection for your PC, Mac, and mobile devices, try Webroot SecureAnywhere Internet Security Plus and its password management features.
people using gesture passwords
Business Products Sr. Community Leader and Expert Advisor - WSA-Enterprise administrator over 2000 clients
First company to 1000+ WSA endpoints | Power User / Business Ambassador / WSA-C and WSA-E Beta tester
Find me on Twitter!