My defense of Microsoft's Windows 8 Picture Password security mechanism

Windows 8 picture password security mechanism. This feature would allow Windows 8 users to select their own personal picture and using their finger gestures make different patterns over the picture to login. Recently though, Kenneth Weiss, inventor of RSA’s SecurID token who now runs a three-factor authentication business called Universal Secure Registry, told Network World that it’s not “serious security,” and that the gestures someone makes upon a screen can be easily recorded from a distance. I think that that criticism is laughable. I have an enterprise security background and have worked on some very complicated security projects. I have a pretty good understanding of application security and while my credentials may not be are not anywhere near as esteemed as Mr. Weiss, it’s pretty clear to me that he missed the bigger point. His words:

“I think it’s cute, I don’t think it’s serious security.” “It’s more like a Fisher-Price toy than a serious choice for secure computer access,” he says. “Still, it’s better than nothing”

First of all saying it’s not serious security lacks context. Microsoft has a user base of undreds of millions of people and I’d dare say 99.99% of those people don’t work inside secret secure facilities. They either use Windows at home or at work or at play and their need for security would probably be pretty regular. This new mechanism is not “better than nothing”, it’s better than what we have now which is (for most users) a guessable password. Most users dont have secure RSA cards or VPN access because most users don’t need them. The majority of users will be able to create a secure gesture which will not be guessable by the average friend, family member or co-worker. Could someone look over your shoulder and see the gesture? Of course! The same way they could look over your shoulder and see the words you’re typing. The same way they could use a keylogger and get access to your password. The same way…. You get the picture. If you work in a secure, military grade establishment, it’s probably not good enough. Also, if you have someone who is determined to get your password and is trying to shadow you that closely, you have bigger problems than Microsoft’s security mechanisms. I’m sorry but this time I have to firmly agree with Microsoft. The picture password security is a big improvement for most consumers. What do you guys think?]]>