Setting up picture password in Windows 8. (Microsoft image)

Windows 8’s Picture Password feature — which will let users sign in by drawing a personalized pattern across a photo on the screen — is like a “Fisher Price Toy” of computer security. So says Kenneth Weiss, the inventor of RSA’s SecurID token, in this Network World piece.

The main flaw, Weiss says, is that someone could record video, from a distance, of the password being created or used.

“I think it’s cute,” he tells the site. “I don’t think it’s serious security.”

Microsoft’s engineering team detailed the security behind the picture password in this recent post, while acknowledging that it won’t be something everyone will want to use, particularly in corporate situations.

“Although we’re very happy with the robustness of a picture password, we know that there are a variety of businesses for which security is paramount, and anything less than a full password is unacceptable,” wrote Microsoft’s Zach Pace in the post. “As such, we’ve implemented group policy that gives a domain administrator the freedom to choose whether picture password can be used. And of course, on your home PC, picture password is optional as well.”

Picture password is one example of how Microsoft is adopting some of the features from mobile phones in its new PC operating system.

Windows 8 is widely expected to be released sometime in 2012, after a public beta in February.

Comments

  • http://www.number8wire.com/ Richard

    A vulnerability that passwords on keyboards have too, or touchscreens in general. You could also do something similar to a keyboard using a microphone rather than a camera [applying http://www.schneier.com/blog/archives/2005/09/snooping_on_tex.html].
    I wonder if “iPad vulnerable to shoulder surfing – unsuitable for corporate use” would get more or fewer hits? It’s as if he has a product to sell.
