A "serious" flaw in the Picture password and PIN authentication methods in the upcoming release of Windows 8 has been discovered.
Passcape Software has reported the problem
and says users should use the authentication system "with caution".
Windows 8 provides improvements for signing into the system. The developers have made it more secure and faster, especially for touch-screen gadgets.
As many users prefer simple passwords or forsake them altogether - increasing the risk of hacking - Windows 8 offers a next generation graphical login instead. Users select a favourite image from their gallery of photos and a set of gestures which appear over the image.
This picture password system is now being tested in the pre-release version for developers. The picture password had seemed "invulnerable", said Passcape, because whoever tries to guess it must know which and what parts of the image to choose, and in addition the gesture sequence.
However, Passcape says that such a unique password is based on a regular account. A user first has to create a regular password-based account and then optionally switch to the picture password or PIN authentication.
Notably, it said, the original plain-text password to the account is still stored in the system and any local user with Admin privileges can decrypt the text passwords of all users whose accounts were set to a PIN or picture password.
"In this regard the picture/PIN login cannot be considered the sole reliable means of ensuring data security against cracking. It is difficult to break but the text password can still be used to log in to the system, so security in Windows 8 is still an issue."