Picture passwords less secure than a 4-digit PIN
Posted by: Timothy Weaver on 09/13/2013 03:34 PM
Windows 8 and Windows RT users can choose any picture and then "annotate" it with three finger movements. However, researchers say that these visual passwords are less secure than even a simple four-digit PIN.
Microsoft's own paper on the design, implementation and likely strength of picture passwords estimates that there are just over 1.155 billion possible picture passwords if three gestures are used.
Four security researchers from Arizona State University and Delaware State University tried to measure the safety of picture passwords in a research paper, titled On the Security of Picture Gesture Authentication (PDF). The paper was presented at last month's USENIX Security Symposium (summary and video here).
According to the researchers behind the USENIX paper, the weakness is that both the points of interest in a picture that users are likely to tap and the gestures they are likely to make can be predicted, so the chosen pattern is easily guessed. Using a test set of just over 10,000 passwords and 800 subjects, the Arizona State University and Delaware State University team reckon that automated point-of-interest recognition and other techniques can guess visual gesture-based passwords correctly in 19 out of 1,000 cases, given five attempts. The first guess alone would work in around nine in 1,000 cases. Manual point-of-interest recognition does even better, with a 26-in-1,000 chance of hitting the right gesture sequence within five attempts.
So the security of picture passwords is a lot lower than the three-in-10,000 chance of correctly guessing a randomly chosen four-digit SIM or credit card PIN before further retries are blocked. In practice, however, device unlock numbers are often not chosen randomly, which limits their security.
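The comparison the article draws, a nominal space of 1.155 billion picture passwords against a measured 19-in-1,000 hit rate, is really a comparison between a uniform secret and a skewed one under a retry lockout. The following is an added Python example, not code from the article or from either paper, that makes that comparison explicit: it computes the success rate of a guessing attacker for a uniform space, the same rate for an observed (skewed) choice distribution, and the "effective" uniform space size that the observed rate corresponds to. The sample corpus is constructed, and its frequencies were chosen so that it reproduces the article's reported 9-in-1,000 (one guess) and 19-in-1,000 (five guesses) rates; the point-of-interest and gesture names are made up.

```python
"""Guessability of picture passwords versus a 4-digit PIN (added example)."""
from collections import Counter
from fractions import Fraction

# Figures quoted in the article.
PICTURE_SPACE = 1_155_000_000   # "just over 1.155 billion" three-gesture passwords
PIN_SPACE = 10_000              # four decimal digits
PIN_LOCKOUT_ATTEMPTS = 3        # three wrong PINs before a SIM/card blocks


def uniform_success_rate(space_size, attempts):
    """Chance that an attacker who may try `attempts` distinct guesses hits a
    secret drawn uniformly from `space_size` possibilities."""
    return Fraction(min(attempts, space_size), space_size)


def empirical_success_rate(sample, attempts):
    """beta-success-rate: the attacker tries the `attempts` most common secrets
    seen in `sample` (a list of secrets, one per user) and we report the share
    of users that would be compromised."""
    counts = Counter(sample)
    hits = sum(count for _, count in counts.most_common(attempts))
    return Fraction(hits, len(sample))


def effective_uniform_size(success_rate, attempts):
    """Size of a uniform space that would give the same success rate for the
    same number of attempts, i.e. attempts / success_rate."""
    return Fraction(attempts) / success_rate


def constructed_sample():
    """Constructed corpus of 1,000 three-gesture picture passwords.

    Each password is a tuple of (point of interest, gesture) pairs.  A few
    obvious patterns on a face photo are shared by several users; everyone else
    picked something unique.  Counts are chosen to reproduce the article's
    reported 9/1000 and 19/1000 rates and are NOT measured data.
    """
    popular = [
        ((("left_eye", "tap"), ("right_eye", "tap"), ("nose", "tap")), 9),
        ((("left_eye", "tap"), ("right_eye", "tap"), ("mouth", "tap")), 3),
        ((("face", "circle"), ("left_eye", "tap"), ("right_eye", "tap")), 3),
        ((("nose", "tap"), ("mouth", "line"), ("chin", "tap")), 2),
        ((("left_eye", "circle"), ("right_eye", "circle"), ("mouth", "line")), 2),
    ]
    sample = []
    for pattern, count in popular:
        sample.extend([pattern] * count)
    # Remaining users: each chose a pattern nobody else chose.
    for i in range(1000 - len(sample)):
        poi = f"poi_{i}"
        sample.append(((poi, "tap"), (poi, "line"), (poi, "circle")))
    return sample


def compare(attempts=5):
    """Return the three rates the article contrasts, for `attempts` guesses."""
    sample = constructed_sample()
    observed = empirical_success_rate(sample, attempts)
    return {
        "picture_nominal": uniform_success_rate(PICTURE_SPACE, attempts),
        "picture_observed": observed,
        "picture_effective_space": effective_uniform_size(observed, attempts),
        "pin_uniform": uniform_success_rate(PIN_SPACE, PIN_LOCKOUT_ATTEMPTS),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:24s} {value} (~{float(value):.3g})")
```

The interesting number is `picture_effective_space`: five guesses succeeding 19 times in 1,000 is what you would get from a uniform space of only about 263 passwords, not 1.155 billion. The same calculation applied to a real PIN corpus rather than the uniform assumption is how one would quantify the article's closing caveat that unlock numbers are rarely chosen at random.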