It appears that picture gesture authentication (PGA) achieves only one of the two. Security researchers at Arizona State University and Delaware State University have found that Windows 8 picture passwords can be cracked with relative ease.
In a paper presented at the Usenix Conference earlier this month, "On the Security of Picture Gesture Authentication," Ziming Zhao, Gail-Joon Ahn and Jeong-Jin Seo from Arizona State, and Hongxin Hu from Delaware State, claim that their experimental model and attack framework allowed them to crack 48% of passwords for previously unseen pictures in one dataset and 24% in another.
[ Can you see the cyber warning shots? Read NY Times Caught In Syrian Hacker Attack. ]
This is with 219 guesses in a password space of 230 possibilities. Within the Windows 8 limit of five login attempts, the success rate is less: 216 out of 10,000 gesture passwords in one data set and 94 of 10,000 in the other one. The success rate improved with additional training data. Using a purely automated attack without supporting information, 0.9% of passwords could be cracked within five guesses.
Though that may not seem like a significant vulnerability, the fact remains that gesture-based passwords aren't as secure as Microsoft had hoped. In an email, Ahn said he expected the results could be improved with a larger training set and stronger picture categorization and computer vision techniques.
Setting up a gesture-based password involves choosing a photo from one's Picture Library folder and drawing three points on the image. The system accepts taps, lines and circles. Windows 8 subdivides the image into a 100 x 100 grid and stores the input points as grid coordinates.
Unfortunately, users aren't very good at selecting random points on their images; they tend to pick common points of interest, such as eyes, faces or discrete objects. As a result, passwords derived from this constrained set have much less variability than randomly generated passwords. So they're easier to crack.
Ahn says you only need to look at Microsoft's Windows 8 ads, which show users selecting obvious points of interest to form PGA passwords, to see that Microsoft's approach needs improvement.
The research paper suggests that Microsoft implement a picture-password-strength meter, similar to systems that prevent people from choosing weak text-based passwords. It also suggests that Microsoft integrate the researchers' PGA attack framework to inform users of the potential number of guesses it would take to access their system.