Microsoft has heavily advertised a new feature for signing into their new touch-screen-friendly OS, Windows 8. They call it picture passwords. Instead of typing something, you are presented with a pre-chosen picture, and you make finger gestures on it. This might come in handy when you don't have a keyboard, but I have uncovered a problem. Picture passwords are hackable.
How does it work? Our skin is constantly producing oils. When we touch things, those oils rub off. Fingerprints have been a way to catch criminals since it was first discovered that each of us has a unique pattern. Finger trails are the vulnerability in picture passwords: you will leave them whenever you make finger gestures on a touch screen.
I don't know if you can see this, but when I shine a light on this darkened screen, I can see finger trails. One is a circle, one looks like an X, one looks like a line. The line is bolder at its ends as if the screen were touched more firmly there. I asked a friend of mine if I could try to use her computer, as I am new to Windows 8, and wanted to try it. She said yes. Before she could tell me that she would have to log in for me first, I was in.
My friend turned white as a sheet, and asked me "How did you know how to do my picture password? You couldn't have just guessed it, I made it hard!" I then turned her PC back off, and shined a light on the screen, showing her the finger trails. I told her that I had seen picture passwords on a Windows 8 commercial, and thought that they would leave behind finger trails. I wondered if they would be all a hacker needs. They indeed were.
I had thought about it a lot before trying this out. Most people will probably move left to right, because we read that way. If people use a round gesture, they will probably make it clockwise. We naturally prefer it that way. After all, if you start making a circle at the top and move left to right, that is clockwise. If they use taps, they will leave bold spots, and a pattern between them that will reveal their order, because they probably won't pick up their fingers all the way. I was right, and I cannot be the only person who thought of this. I imagine that what I observed will be reversed in countries where they read right to left.
The most obvious thing I can say here is: don't use picture passwords. If you do because it is the easiest way with no keyboard, clean your screen every time you use it, and hope that this will always erase the pattern you leave behind. Even with this, skin oils may eventually leave a permanent mark.