Researchers at Arizona State University and Delaware State University have claimed that Microsoft's Picture Gesture Authentication (PGA) system might not be as secure as claimed, and that the primary reason for its weakness is people's inability to draw random gestures on a picture.

According to the recently published paper, most people pick common points of interest such as hair, mouth, nose or areas of a picture that otherwise stand out. PGA works by letting a user draw three gestures on an image of their choice using a finger, mouse or stylus. Once the gestures are recorded, they are matched against future attempts to log the user onto the desktop.

There is a catch here though! PGA doesn't accept 'free style' gestures, which means that a user will have to either tap on the screen, draw a line or draw a circle. If a user goes ahead with a 'free style' gesture, PGA will convert it into a tap, a line or a circle.

In a bid to check the actual strength of PGA, the team of researchers created a custom web-based PGA and, as part of their study, asked 685 respondents to draw gestures on two different pictures. When the team asked the respondents how they decided what to draw, 60 per cent revealed that they tried to find a 'special object' on which they could draw; 22 per cent said that they drew where the 'special shapes' were; and 10 per cent said that they drew randomly without thinking about the background.

The researchers then attacked the stored gestures using an attack framework that generated algorithms based on the data collected through users' responses. They claim that they managed to crack nearly half of all passwords in the first dataset and nearly 25 per cent of passwords in the other dataset within five login attempts.

The researchers are not claiming that Microsoft's PGA is 100 per cent guessable, but they have established that there is still some risk involved. The team has suggested that Microsoft implement some sort of meter, a password-strength meter to be precise, to notify users of the complexity of the picture password they have chosen.
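To illustrate what such a meter could look like, here is an added example that is not code from the paper or from Microsoft. It models a picture password as the three PGA gesture types (tap, line, circle) and assumes a hypothetical detector has already supplied the picture's points of interest; the coordinates, tolerance and penalty values are constructed for the example.

```python
from dataclasses import dataclass
from math import hypot

# Constructed sample: hypothetical points of interest (e.g. eyes, nose, mouth)
# that a detector might return for a photo on a 100x100 grid. Assumed values.
POINTS_OF_INTEREST = [(30, 40), (70, 40), (50, 55), (50, 75)]
SNAP_RADIUS = 8  # assumed tolerance (pixels) around a point of interest
GESTURE_KINDS = {"tap", "line", "circle"}  # the three shapes PGA accepts


@dataclass(frozen=True)
class Gesture:
    kind: str          # "tap", "line" or "circle"
    start: tuple       # tap location, line start, or circle centre
    end: tuple = None  # line end point; unused for tap and circle


def near_poi(point):
    """True if the point sits on (or within SNAP_RADIUS of) a point of interest."""
    px, py = point
    return any(hypot(px - x, py - y) <= SNAP_RADIUS for x, y in POINTS_OF_INTEREST)


def score_picture_password(gestures):
    """Return (score 0-100, warnings) for a three-gesture picture password.

    Penalises the predictable choices the study identified: gestures anchored
    on points of interest, very short lines, and three gestures of one type.
    """
    if len(gestures) != 3:
        raise ValueError("a PGA password consists of exactly three gestures")
    score, warnings = 100, []
    for i, g in enumerate(gestures, 1):
        if g.kind not in GESTURE_KINDS:
            raise ValueError(f"gesture {i}: unknown kind {g.kind!r}")
        anchors = [g.start] + ([g.end] if g.kind == "line" else [])
        if any(near_poi(p) for p in anchors):
            score -= 20
            warnings.append(f"gesture {i}: anchored on a point of interest")
        if g.kind == "line" and hypot(g.end[0] - g.start[0], g.end[1] - g.start[1]) < 15:
            score -= 10
            warnings.append(f"gesture {i}: very short line")
    if len({g.kind for g in gestures}) == 1:
        score -= 15
        warnings.append("all three gestures are the same type")
    return max(score, 0), warnings
```

A real meter would take its points of interest from an image-analysis step and tune the penalties on measured guessing data such as the study's; the thresholds here are illustrative only.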

This is not the first time the strength of Windows 8's picture password has been challenged. Back in October last year, password recovery software maker Passcape Software claimed that the picture password mechanism was flawed.