You might want to think twice before drawing that Windows 8 picture password, as researchers have found that Microsoft's Picture Gesture Authentication (PGA) system is more Fort Unlocked than Fort Knox.

PGA lets you draw three gestures on an image with your finger, a mouse, or stylus that can then be used as a future password for logging onto the desktop.

However, it can't be a 'free style' gesture, meaning anything that resembles a squiggle is converted into a tap, a line or a circle. The image can come from a local folder, such as the Windows 8 Picture Library, or from the OS's default set.

According to a recent paper published by security researchers at Arizona State University and Delaware State University, the problem is that people aren't very good at drawing random things on pictures.

It found that most pick common points of interest, such as a nose, mouth, whole face, or regions with standout objects.

Cracking up

They discovered this by creating a custom web-based PGA system similar to the one on Windows 8 and asking 685 respondents to draw gesture passwords on two different pictures.

Overall, just 9.8% of respondents said they randomly chose to draw without thinking of the background picture. 60.3% indicated that they attempted to find locations where 'special objects' were, 22.1% where 'special shapes' were, and 8.3% where 'colours are different from their surroundings'.

Using an experimental model and attack framework that generated algorithms based on data from users' responses, the researchers claim they were able to crack 48% of passwords from previously unseen pictures in the first dataset, and 24% in the other data set in another within the Windows 8 limit of five login attempts.

Strength meter

Although the stats don't indicate Windows 8's PGA is completely guessable, it shows that there's some element of risk there.

To improve the security of Windows 8's PGA, the report suggests that Microsoft introduces a picture-password-strength meter similar to the ones that can be found on websites when users select passwords and other security details.