Windows 8 Offers New Password Features

Gestures can replace passwords in Windows 8.

Why it has taken Microsoft so long to make password security more than an afterthought when it introduces a new operating system is anybody’s guess. Nevertheless, with Windows 8 it is making an effort to help users manage their passwords in an efficient and secure way.

Everyone has dozens of accounts for which they need to memorize passwords. Most people, though, only commit a few passwords to memory and just reuse them over and over again. A study in 2007, for example, found that the average Internet user had 25 accounts that required password access, but they only used six passwords to access their accounts.

Security pros decry the multiple use of passwords but there are plenty of sites on the web where if your password fell into the wrong hands, the consequences would be trivial. Reusing passwords for those sites should be acceptable. There are sites where unique passwords are a must, though, such as banking or credit card payment sites.

With Windows 8, Microsoft is addressing several nettlesome issues that discourage people from creating and using strong passwords. In the upcoming version of Windows, user names and passwords are stored in a secure location called the Credential Password Vault.

The latest version of Microsoft’s web browser, Internet Explorer 10, is designed to automatically access the Vault for your credential information, but other browsers and applications will eventually be able to access the area, too.

What’s more, if you have or obtain a Windows Live ID, you’ll be able to synchronize the Vaults across all your devices. Not only does that remove the annoying situation of trying to remember credentials for a site when you’re away from the device where you created those credentials, but it can provide a safety net should the password information on any one device be corrupted.

Synchronization appears to be pretty robust too. Microsoft says it can take place behind a firewall. However, websites can block the storage of credentials used to access them. Some banks do that. In that case, synchronization will not work because your credentials won’t be stored in your Vault.

Another intriguing aspect of the Credentials Password Vault is that it can also store security keys. Typically, those keys involve the use of hardware tokens to authenticate a person’s identity. The Vault, however, is designed to work with something called the Trusted Platform Module, which is being incorporated into more and more computers these days. The Vault and the Module, which acts as a virtual security token, can team up to perform the same function as a token-based key pair system.

For tablets or computers with touchscreens, Windows 8 has an even neater password option. It allows you to take a photo of your choice and use it to access your slate by performing a series of gestures on it.

Although some security experts are skeptical of the method, and even Microsoft acknowledges that smudges on a screen could compromise the gesture password, the approach has the potential to be more secure than ordinary password schemes. Microsoft estimates that there are 398 trillion five-gesture combinations that could be applied to a photo, compared to 182 million combinations for a five-character password and nine trillion combinations for an eight-character one.

Written by John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.


  1. Nick Gonzales · January 16, 2012

    The gesture password idea I think is absolutely awesome, but I can’t get over the first thing that got brought up. Microsoft wants me to store all of my passwords in one location on my computer and allow websites to access this information on its own? Doesn’t that seem like a gigantic red flag to anybody knowing that greedy folk are going to be chomping at the bit to break this system wide open and have an all-you-can-steal buffet of passwords at their fingertips?

  2. Larry Pauls · January 16, 2012

    The gesture password system is still in its infancy and therefore still has to prove its worth. It’s too early to tell how effective, efficient, user-friendly, and practical this system is.

    Remember the ones with the biometric system? When logging in to your computer, instead of inputting your password you can just look right through the computer’s camera and it will scan your face. That technology has been used for more than 5 years now but it did not take off as planned. What happened to the biometric system? Obviously, it failed.

  3. Yardley Coleman · January 17, 2012

    Just a suggestion – why not require people to also use a PIN just like ATMs do. Aside from inputting the password, users should also have to put a four- or five-digit personal identification number. In this day and age, passwords alone can’t do the job. I know it is a long shot but PINs (or some sort of it) can be an answered prayer.

  4. Tana George · January 30, 2012

    @Yardley: Any additional identification is awesome but basically PINs are easier to crack, especially when they are short, and harder to remember, especially when they are long. This is why PINs are left for devices with numeric keyboards mainly simply because an alpha-numeric password is impossible there.
