Introduction

When you first think of the concept of a picture password, you may think of something like the old TV show classic “Concentration,” or a typical emoji-based conversation — a bunch of pictograms coming together to create a specific phrase or idea. In reality, however, it’s actually much more similar to a hidden object game: there are specific elements in a picture that the user decides are important and you can only progress once those criteria are met. 

PINs (Personal Identification Number), on the other hand, are something that most people are very familiar with — a set of numbers that act as proof that you are authorized to use whatever it is that the PIN is tied to. 

In recent years, both of these elements have been incorporated into various Windows operating systems and can be used in place of a traditional username and password login. 

Picture passwords

Picture passwords have been around for some time now, though they still aren’t really in widespread use. But it’s easy to see why a security-minded person might want to trade a password that can be captured via a keylogger for an authentication method that only requires a mouse, producing a theoretically far more secure authentication mechanism. 

In addition, people that heavily use Microsoft’s Accessibility options or tablet-mode laptops could find this far faster and less frustrating than entering a password with an onscreen keyboard.

Here’s how you activate it:

  • To activate a picture password, you’ll first want to click on Start and go to Settings
  • From here, you’re going to want to click on the Accounts option under Windows Settings
  • After this, you’ll see a number of available options underneath the Accounts menu on the left side of the screen. You’ll want to select Sign-in options
  • On the right side of the screen, you’ll see several different options for authentication, including Picture Password
  • You’re now in the Picture Password setup wizard. It will guide you through a number of options, including selecting a picture and showing you how to draw gestures on the image to show what is important

Here’s where the weaknesses of the picture password come into play. 

With traditional passwords, most users fall into habits that undermine even a strong password: writing it on a sticky note, changing a single character each time it has to be rotated, or following some other predictable pattern.

Picture passwords, unfortunately, fall into their own patterns just as easily. Circling the sun, drawing a line from one nose to another, tracing the top of a fence and other obvious choices can make the password significantly weaker than the user initially thought. A picture password also consists of only three gestures, which really isn’t much, though that on its own could be excused.

The larger problem, however, is that Windows expects you to use this on the monitor you use all the time. Again, this might not be a big deal on a device with a built-in screen, but multi-monitor setups, graphics hardware swaps or other troubleshooting steps that change the display could leave the user locked out if they have also forgotten their regular password.

The most important factor is that Windows doesn’t actually know what the picture shows. You choose your picture, then Windows overlays a grid on top of it; it records the grid coordinates of your gestures and allows a small tolerance around them when you sign in. If the size at which the picture is displayed suddenly changes, that can throw your gestures out of alignment with the stored coordinates.
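The grid-and-tolerance mechanism described above, as a constructed model written for this article (not Windows’ own implementation): the grid size, the tolerance radius and the enrolment data are assumptions for illustration. It shows why a slightly wobbly re-entry is accepted, and why the same gestures fail once the picture is rendered at a different size unless the coordinates are re-normalised to the current display.

```python
import math

# Constructed model of a grid-based picture-password check; GRID and TOLERANCE
# are assumptions for illustration, not Windows' actual parameters.
GRID = 100       # the longest image side is mapped onto 100 grid units
TOLERANCE = 3.0  # "wiggle room": an entered point may be this many grid units off

def to_grid(point, image_size):
    """Map a pixel coordinate onto the grid for the image size it was drawn on."""
    scale = GRID / max(image_size)
    return (point[0] * scale, point[1] * scale)

def gesture_to_grid(gesture, image_size):
    """A gesture is ('tap' | 'line' | 'circle', *anchor points in pixels)."""
    kind, *points = gesture
    return (kind, *[to_grid(p, image_size) for p in points])

def gestures_match(stored, entered):
    """Same gesture type and every anchor point within TOLERANCE of the stored one."""
    if stored[0] != entered[0] or len(stored) != len(entered):
        return False
    return all(math.dist(s, e) <= TOLERANCE for s, e in zip(stored[1:], entered[1:]))

def verify(stored_gestures, entered_pixels, display_size):
    """Check three entered gestures (pixels on the current display) against the stored grid gestures."""
    if len(stored_gestures) != 3 or len(entered_pixels) != 3:
        return False
    entered = [gesture_to_grid(g, display_size) for g in entered_pixels]
    return all(gestures_match(s, e) for s, e in zip(stored_gestures, entered))

def scale_pixels(gestures, factor):
    """Simulate the same gestures drawn on a display that renders the picture at a different size."""
    return [(g[0], *[(x * factor, y * factor) for x, y in g[1:]]) for g in gestures]

# Constructed enrolment: a 1000x600 picture, three gestures stored as grid coordinates.
ENROLL_SIZE = (1000, 600)
ENROLLED = [("tap", (200, 150)),
            ("line", (300, 300), (700, 300)),
            ("circle", (500, 450), (500, 400))]   # circle = (centre, point on the rim)
STORED = [gesture_to_grid(g, ENROLL_SIZE) for g in ENROLLED]

# Slightly wobbly re-entry on the same display: every point is within tolerance.
WOBBLY = [("tap", (215, 165)),
          ("line", (320, 300), (700, 320)),
          ("circle", (510, 440), (500, 395))]

if __name__ == "__main__":
    print(verify(STORED, WOBBLY, ENROLL_SIZE))          # True: wobble is inside the tolerance
    half = scale_pixels(ENROLLED, 0.5)                  # picture now shown at 500x300 pixels
    print(verify(STORED, half, (500, 300)))             # True: re-normalised to the new display size
    print(verify(STORED, half, ENROLL_SIZE))            # False: raw pixels no longer line up with the grid
```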

PINs

Many users in secure environments may be wondering why PINs would be considered a new thing, since anyone using a Common Access Card, RSA authenticator or similar technology also uses a PIN along with their hardware for two-factor authentication (2FA). 

The key difference is in what you’re authenticating to. A traditional 2FA authentication method using a PIN authenticates you to the server from any device on the network. A Windows 10 PIN, on the other hand, is only good on one specific machine — it can only be used there and is tied to that particular device. Theoretically, then, if someone was going to try to take over your account in this way, they would also have to steal your Windows 10 machine to use this method (which tends to throw up red flags pretty quickly).

To set up a Windows 10 PIN, you’re going to want to go to the same location we went to for Picture Passwords: Start → Settings → Accounts → Sign-in Options. Once you’re here, you’ll see an option for PIN.

Conclusion

What makes PINs interesting is that they are a prerequisite for the other options available in Windows Hello — a set of biometric authentication methods such as fingerprint or facial recognition — because the PIN serves as the fallback when biometric authentication can’t complete properly. While the specifics are beyond the scope of this article, you can check out more information about Windows Hello here.

There are several different reasons why users might want to move to either of these options, but the biggest one by far is that this is what they are used to on a mobile device. Swiping a pattern or PIN to log in takes about two seconds on a mobile device, while typing in a password may take significantly longer if you aren’t a proficient typist. 

Microsoft is also trying to change the rules of the game when it comes to password hijacking. If not everyone is using the same kind of credential, it immediately complicates matters for someone attempting to break in.

Neither of these is true 2FA, but for an organization on a budget or even just an individual, it’s worth looking into non-traditional authentication methods if you are concerned about your security. Please be sure to do your homework, however, and see if the strengths and weaknesses you’re trading are worth it to you.


Be Safe

Section Guide: Kurt Ellzey
