Windows 8 offers picture-gesture password

Microsoft will tackle weak and fiddly alphanumeric passwords in Windows 8 by introducing a secondary login process that relies on taps, lines and circles. 

The sign-in process will be available on desktops but aims to offer a faster sign-in with stronger passwords than using a tablet's soft keyboard, according to Microsoft. 

For example, a three-character password has 81,120 possible combinations, while a three-gesture picture password offers over 1.15 billion in Microsoft's analysis.

Four gestures produces 612 billion combinations, while five creates over 389 trillion. By contrast, five random characters only has 182 million possible combinations.

The setup process involves selecting a personal photo and recording a set of gestures that the user must repeat to gain access. The password includes where on the frame a tap is located, as well as the direction that lines and circles are drawn in. 

"To be clear, picture password is provided as a login mechanism in addition to your text password, not as a replacement for it," said Zach Pace, a program manager on Microsoft's "You Centered Experience" team. 

The feature is disabled after five wrong attempts at which point the sign-in process falls back to the underlying plain text password. The process is only designed for physical access.  

A potential weakness of gestures are smudges left on the screen, which could give away enough for an attacker to guess it, but Pace argued the directional element of gestures offer a far greater number of permutations to a password combination.  

Lines and circles, according to Pace, become the equivalent of using a Shift key while typing in a password.

"For compliant passwords, a person will typically use the Shift key (or another button) to select alternate character sets. This key press will, of course also be visible to the attacker, but it does not indicate when in the sequence the Shift key was utilized," he said.

"For every circle and line used in the gesture set, the number of permutations increases by a factor of two."

A smudge-visible four character PIN, password or purely tap-based gesture has 24 permutations. Adding a shift boosts it up to 96 while a four-gesture line and circle sign-in has 384 possible combinations, Pace noted.

Windows 8 will offer domain administrators the choice to disable the picture password.