Ditching standard alphanumeric password strings sounds crazy, but that's just what Microsoft is doing with Windows 8. The Redmond software company's next big OS will let users sign in with just their smiling faces and a few swipes on a touch screen.
Microsoft Program Manager Zach Pace said that the new picture password feature cuts down the average 30 seconds it takes to input passwords on touch-based machines and yet remains as secure as any blasé word-based code.
"At its core, your picture password is comprised of two complimentary parts," wrote Pace at the Building Windows 8 blog. "There is a picture from your picture collection and a set of gestures that you draw upon it."
Gestures are limited to only three motions: tapping an area, circling a face or person and drawing a line from one area to another. But within that seemingly simplistic concept lies hidden depth.
Each picture is broken down into a grid that measures inputted gestures' coordinates. Stray too far from them, and log-in is denied. Order and directionality also helps secure the password. For example, if users draw a circle first, any attempt that doesn't lead off with that exact circle will fail.
"We take a look at the difference between each gesture and decide whether to authenticate you based on the amount of error in the set," said Pace. "If a gesture type is wrong - it should be a circle, but instead it's a line - authentication will always fail."
To ensure users aren't pulling out their hair over lock-outs caused by minor errors, the picture password system will offer leeway not afforded by traditional passwords.
"When the types, ordering, and directionality are all correct, we take a look at how far off each gesture was from the ones we've seen before, and decide if it's close enough to authenticate you," explained Pace.
Microsoft had experimented with a more free-form gesture system at one point in the software's development, but axed it after realizing that it significantly increased the time it took test users to sign in, negating the entire purpose of the new system.
"They were slowed down by the concept, feeling that they needed to be unnecessarily precise and trace fine details in an image," said Pace.
One group the company does want to slow down, however, is hackers. Two default security features should make picture passwords tougher to crack through brute force or trial attacks.
"Similar to the lock out feature on phones using PIN, when you enter your picture password incorrectly five times, you are prevented from using the feature again until you sign in with your plain text password," said Pace.
Users satisfied with the time-tested alphanumeric model and worried everything will change when Windows 8 launches can put away their mean looks and pitchforks. Despite being "very happy" with how the picture password system turned out, Microsoft won't force it on anyone. Those who are curious but leery can couple it with a text-based code for the best of both worlds or ignore it altogether, confirmed Pace.
Would you rely on a picture password to protect your computer? Let us know in the comment section.
