Dr. Hongxin Hu, DSU assistant professor of computer science, is part of a research team that has raised security concerns over a relatively new “picture password” that comes with Microsoft Windows 8, the latest operating system to come from that software giant.
Dr. Hu, along with three researchers from Arizona State University – Dr. Gail-Joon Ahn, professor of computer science; doctoral student Ziming Zhao; and master's degree student Jeong-Jin Seo – has co-authored a paper that details how they have developed algorithms that reveal vulnerabilities in the otherwise innovative picture password.
Windows 8’s picture password allows users to use “gesture” passwords – picking points on a photo image through a sequence of taps, circles or lines, all drawn with one finger – instead of using the traditional text-based password system.
In their paper – “On the Security of Picture Gesture Authentication” – presented at the Aug. 14-16 USENIX Security Symposium in Washington, D.C., the researchers say that people’s choices of “gesture passwords” tended to follow predictable patterns.
Dr. Hu and his research colleagues claim in the paper that they collected more than 10,000 picture passwords from over 800 subjects through online user studies. The passwords were connected with a variety of images, which included people, animals, landscape, civilization and computer-generated pictures.
By developing algorithms that identified the points of interest that users were likely to choose for password patterns, the research team – led by Dr. Ahn – was able to crack 48.8% of the passwords for previously unseen pictures in one dataset and 24.0% in another, according to their paper.
“We implemented a picture-password-strength meter,” Dr. Hu said. He added that this was a critical part of the research project.
The paper has inspired a number of articles in computer- and technology-related publications and media websites in the U.S. and the United Kingdom.
Dr. Ahn was the DSU assistant professor’s doctoral advisor at ASU.
Efforts to get comment from Microsoft were unsuccessful.