Posey's Tips & Tricks

What's To Become of Passwords in Windows 8?

Will facial recognition and photo manipulation replace the traditional password in Microsoft's next OS?

• By Brien Posey
• 02/24/2012

I first started working in IT when I was about 16 years old. My father used to be a bigwig at a large company and he would let me come in after school and on the weekends to help out with the computers since nobody on staff knew much about them. That was about 23 years ago. As you can imagine, practically every aspect of computing has changed since I first started out in the 1980s (wow, I feel old).

Even so, there are at least a couple of things that have changed very little. Keyboards, for instance, are still very similar to the ones from the '80s, aside from being wireless and having a few extra keys. Another thing that hasn't evolved very much is passwords. I can recall even back then being required to use an eight-character password and to change it on a periodic basis. Today there are mechanisms to require password complexity and to prevent the reuse of previously used passwords, but aside from that not a lot has changed. Sure, some organizations use biometric passwords or even smart cards, but the practice is still a long way from being universally adopted.

Even though mainstream password usage hasn't changed much over the last couple of decades, it appears as though Windows 8 is going to offer some new options.

Like every version of Windows since 3.11, Windows 8 is still going to allow full support for alpha numeric passwords. It appears however, that there are going to be a couple of new options as well.

One of the new options is something that Microsoft is calling picture passwords. The basic idea is that rather than entering a traditional password, you can use a touch-screen device to doodle on a picture that appears on a password screen. For example, in a Microsoft demo video someone used a picture of their family as the basis for a picture password. They circled their father's head, drew a line from one sister's nose to another sister's nose, and then tapped their mother's nose. These gestures were used as a password.

Windows not only looks at the order and position of the gestures, but it also takes direction into account. For example, in the demo video the first password gesture involved drawing a circle. Not only does the circle have to be in the correct location, but it has to be drawn in the same direction (clockwise or counter clockwise). Lines also have to be drawn in a consistent direction. If the password was originally defined using a line that was drawn from the top of the screen to the bottom then entering the password would require the line to be drawn from the top to the bottom of the screen (not from the bottom to the top).

The other new password feature is unconfirmed at this point, but I have been hearing a lot of rumors that Windows 8 will support facial recognition in place of passwords. This rumor seems plausible since virtually every laptop, tablet and smartphone being sold today has a built-in camera.

Of course one can't help but wonder how these new password features will play out in the real world. As someone who has been using alpha numeric passwords on a Windows 8 tablet since last fall, I have to tell you that I am seriously considering using a picture password when the next Windows build is made available. I think that picture passwords will offer better security and faster, less tedious logins.

Still, I have to wonder about resetting a forgotten picture password. Windows 7 helps users to cope with forgotten passwords by creating a password reset disk. While this same feature could still exist in Windows 8, it would be tough to implement on tablets and smart phones unless the password reset disk took the form of a USB flash drive or an SD card.

If facial recognition does prove to be an official Windows 8 feature, then it could be used as a password reset mechanism. If someone forgets their picture password then Windows might be able to look at the personls face, confirm their identity, and reset the password.

If facial recognition does end up being a Windows 8 feature, I also wonder how easy it would be to fool the software. For example, would it be possible to hold a photograph of someone up to the camera in an effort to trick Windows into letting you log in as that person? Hopefully a PIN would also be required as a way of foiling such exploits.

It remains to be seen which password technologies will officially be supported in Windows 8. In any case, I think that Microsoft's attempts to modernize the decades-old password entry process should be applauded, even if this initial attempt proves not to be perfect.