For Windows 8, Microsoft is a preparing a new way to log in to tablet PCs by letting users perform gestures on the screen instead of typing in letters and numbers. A user will choose a photo with some personal meaning to them, and create a sequence of taps, lines, and circles which must be performed in the right order to unlock the computer.

The obvious question is whether such a system is as secure as typing a password on a keyboard. Given the kinds of simple passwords many users rely upon, the gesture-based system could well be more secure for numerous people. Microsoft acknowledges that smudges on the screen or recording devices could theoretically allow the gesture password to be compromised, but says the risk is very low.

Not everyone agrees. Kenneth Weiss, inventor of RSA's SecurID token who now runs a three-factor authentication business called Universal Secure Registry, told Network World that it's not "serious security," that the gestures someone makes upon a screen can be easily recorded from a distance.

In two posts on the Building Windows 8 blog, Microsoft officials acknowledge the potential ways in which a picture password could be compromised, but say the number of password combinations allowed by the system is so vast that it will end up providing extra security. For example, Microsoft says a picture password composed of five gestures can be completed in 398 trillion ways. By contrast, a five-character password with letters and other types of characters typed into a keyboard provides only 182 million combinations, while an eight-character password allows 9 trillion combinations.

If a picture password were composed only of lines, it would be significantly easier to guess. Microsoft says the combination of drawing lines and circles, and tapping on certain points of the screen, exponentially increases the number of ways in which a password can be completed. A video demonstration shows Microsoft program manager Zach Pace logging in to a tablet with a family photo by circling his father's head, drawing a line between his sisters' noses and then tapping his mother's nose. The option to switch to one's regular password is also seen on the login screen.

"The use of three gestures [lines, circles, and taps] provides a significant number of unique gesture combinations and a similar security promise to a password of 5 or 6 randomly chosen characters," Microsoft writes. "Additionally, using three gestures ensures a Picture Password that is easy to remember and quick to use."

Microsoft briefly mentions the possibility of a user being recorded. "As with all forms of authentication, when entering your picture password, avoid allowing other people to watch you as you sign in. Keep your computer in a secure location where unauthorized people do not have physical access to it," the company advises. "As with any password entry, be aware of line of sight and potential recording devices that intrude on your screen."

Don't let your smudges betray you

Microsoft goes into quite a bit more detail about the possibility of smudges on a touchscreen revealing a user's unique combination. Just as typing a PIN can leave smudges on the spots where a user touches the on-screen keyboard, making gestures such as lines, circles and taps will leave some residue. But it won't reveal the order in which the gestures are made, and could be obscured by other gestures a user makes typing e-mail, using applications or surfing the Web.

Microsoft considered shrinking the size of the image, and displaying it at random positions and slight rotations to minimize the risk of smudges building up in a more easily readable fashion. It turns out that "while shifting the image could reduce the buildup of smudges in specific spots, there were even more prominent 'clouds' of taps, lines and circles that were identical relative to each other," Microsoft said. "With this information, an attacker could easily figure out the gestures relative to each other. With that information, it was a simple exercise to move them around the picture until they appeared to coincide with significant elements of the picture."

While Windows 8 doesn't come out in finished form until sometime next year, Microsoft appears to have decided that shifting the location of the picture offers no improvement in security, and makes the user experience less smooth. "In reality, using smudges is very difficult," Microsoft said. "When we took tablets that had been used for a number of days by folks, there were typically too many smudges to even begin to deduce their gesture set. Even when we were given their login sequence and knew what to look for we had limited success."

Amol Sarwate, research manager at security management vendor Qualys, tells Ars he believes the picture password is a step up from alphanumeric ones when it comes to helping users create passwords that are easy for them to remember yet difficult for password cracking tools to detect. "Based on your gestures, the circles you draw, the size of the circle, the direction of the circle, the lines that you draw on the screen, the machine creates a password which is virtually impossible to crack," he says.

The picture password could make it easier to record or view gestures, but "if someone is really targeting you, if you are such a point of interest, they could as well record what you're typing on the keyboard," he says.

Microsoft offers some advice to potential Windows 8 users, such as picking a photograph with at least 10 points of interest (a person's face or some type of landmark), using a random mix of gesture types and sequences and directions, and frequently cleaning the screen. Just as with today's alphanumeric passwords, security is largely dependent on users to create complex sequences and keep their devices safe from theft or loss.