BlackBerry Picture Password is more secure than you think

December 27, 2013


Warning: My opinion is quite biased since I own a BlackBerry and have interned there as well.

With the BlackBerry 10.2.1 release, a new security feature called Picture Password was added. It works by lining up a chosen number with a specific (also chosen) point on a picture. That is a vague description because it isn't as easy to explain in words as it is to show.

N4BB.com has a nice video showing how it works:

What is really neat about this is that, unlike the picture or pattern locks on other platforms, you can't as easily figure out the password the old-fashioned way: sneaking a look over the other person's shoulder.

I’m not crazy, honest

You're going to think I'm a bit of a whack job when I try to explain the value of this, but bear with me. Some of my points might seem unlikely, but if a sleep-deprived maniac like me can figure out the security pattern on your device by simple observation, I'm sure anyone can.

Where other platforms fall short

If we look at the Android pattern method, it seems like a neat idea: create a complicated pattern on a 3x3 matrix of dots. I'm not willing to do the math, but you can tell there are plenty of combinations available to make it secure enough for an average user. Let's just assume you can't have a larger matrix for now.
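The post skips the math, so here is an added example (mine, not from the post) that enumerates the valid 3x3 Android unlock patterns under the stock rule: a pattern is 4 to 9 distinct dots, and a stroke may not jump over a dot that has not been visited yet (a stroke straight through an already-visited dot is fine). It is written for a general n x n grid so the 3x3 figure can be compared with a larger matrix.

```python
from math import gcd

def _intermediates(a, b):
    """Dots lying strictly between a and b on the straight line joining them.
    On a 3x3 grid there is at most one such dot; knight-style moves have none."""
    (r1, c1), (r2, c2) = a, b
    dr, dc = r2 - r1, c2 - c1
    g = gcd(abs(dr), abs(dc))
    if g <= 1:
        return []
    return [(r1 + k * dr // g, c1 + k * dc // g) for k in range(1, g)]

def count_patterns(n=3, min_len=4):
    """Count valid unlock patterns on an n x n dot grid, keyed by pattern length.
    Rule: every dot at most once, and a stroke may only pass over dots that are
    already part of the pattern (this is the stock Android 3x3 rule; larger
    grids are given the same rule here as an assumption)."""
    dots = [(r, c) for r in range(n) for c in range(n)]
    between = {(a, b): _intermediates(a, b) for a in dots for b in dots if a != b}
    counts = {}

    def dfs(last, visited, length):
        if length >= min_len:
            counts[length] = counts.get(length, 0) + 1
        for d in dots:
            if d in visited:
                continue
            # the stroke from `last` to `d` must not skip an unvisited dot
            if all(p in visited for p in between[(last, d)]):
                visited.add(d)
                dfs(d, visited, length + 1)
                visited.discard(d)

    for start in dots:
        dfs(start, {start}, 1)
    return counts

def total_patterns(n=3, min_len=4):
    return sum(count_patterns(n, min_len).values())

if __name__ == "__main__":
    by_length = count_patterns()
    for length in sorted(by_length):
        print(f"length {length}: {by_length[length]:>7}")
    # For comparison: a 4-digit PIN has 10,000 combinations, a 6-digit PIN 1,000,000.
    print("total 3x3 patterns:", sum(by_length.values()))
```

The 3x3 grid yields 389,112 patterns in total, which sits between a 5-digit and a 6-digit PIN; the shortest allowed patterns (4 dots) number only 1,624, fewer than a 4-digit PIN. That is the "plenty of combinations" the post is talking about, and it is also why the weakness the post goes on to describe is observation, not brute force.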

Where the Android method fails is that it requires you to re-create the same pattern every time, at the same location on your screen. This might seem nonsensical to some, but it's fairly easy to figure out someone's pattern when they've unlocked their phone in front of you. A quick peek will show the green line tracing the pattern while it's being drawn out.

Alright, so you have a custom ROM that lets you turn off the tracing so that others around you can't see it. Another way, assuming you've got hold of the person's device by now, is the smudge marks from the person's finger that show the path of the unlock pattern. In fact, I've even figured out a friend's Android unlock pattern using this method just to prove this point to them.

[Image: comparison]

I tried to take a picture of what I'm struggling to explain; you can see in the image on the right that there is a faint smudge of my finger from my last attempt to unlock my device. However, it's much more evident in person than what you can see from the image, and I've kept my pattern simple to make it easy to show.

If I remember correctly, Windows 8 implemented the same feature, but with a larger matrix. That's great and all, but now the password gets complicated and destroys the ease that initially came with it.

Windows 8 had also tried another take on this: instead of using set points to draw your personal security pattern, you get to make your own pattern across a picture of your choice. But once again, they too fall short because you're left with the same problem. You can connect the dots, but you can still leave behind a fingerprint trace.

The way it should work

Enter BlackBerry’s Picture Password.

It just needs you to line up a number with a set point on a picture. That doesn't sound too hard to crack; surely you can figure it out some way? The catch is that a grid of numbers is placed over the picture in a random order (with repetitions), like an overlay between two pictures. Now you have to line up your number (which is randomly placed) with that point, and you don't even have to put your finger over that number to do it. You move the whole grid, like scrolling a page in a mobile touchscreen browser.

With this method of security, you aren't giving up your number or the selected picture point, since an onlooker won't be able to match one with the other.
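To make the mechanism concrete, here is an added simulation (my own model, not BlackBerry's code) of the scheme described above: a random digit overlay with repetitions is dragged until the secret digit sits over the secret picture point, and the only thing a shoulder-surfer observes is the final drag. The grid size, the wrap-around behaviour when dragging, and the secret used are all assumptions made for the model.

```python
import random

# Assumed model: the picture is divided into GRID x GRID cells, the overlay is a
# GRID x GRID grid of digits 0-9 that wraps around when dragged, and the secret
# is one digit plus one picture cell.
GRID = 10

def make_overlay(rng):
    """Random digit grid with repetitions, regenerated until every digit 0-9
    appears at least once, so any secret digit can be dragged into place."""
    while True:
        overlay = [[rng.randrange(10) for _ in range(GRID)] for _ in range(GRID)]
        if {d for row in overlay for d in row} == set(range(10)):
            return overlay

def digit_under(overlay, point, offset):
    """Digit displayed over picture cell `point` once the grid is dragged by `offset`."""
    (x, y), (dx, dy) = point, offset
    return overlay[(y - dy) % GRID][(x - dx) % GRID]

def user_drag(overlay, secret, rng):
    """What the legitimate user does: pick any cell holding the secret digit and
    drag the grid so that cell lands on the secret point. The returned offset is
    all that an onlooker gets to see; the finger never has to touch the digit."""
    digit, (px, py) = secret
    cells = [(c, r) for r in range(GRID) for c in range(GRID) if overlay[r][c] == digit]
    c, r = rng.choice(cells)
    return ((px - c) % GRID, (py - r) % GRID)

def unlock(overlay, secret, offset):
    """Device-side check: the secret digit must end up over the secret point."""
    digit, point = secret
    return digit_under(overlay, point, offset) == digit

def accepting_offsets(overlay, secret):
    """Every drag the device accepts for this overlay: exactly one per cell that
    holds the secret digit, so a blind guess succeeds about one time in ten."""
    return [(dx, dy) for dx in range(GRID) for dy in range(GRID)
            if unlock(overlay, secret, (dx, dy))]

def observer_candidates(overlay, offset):
    """What a single observed unlock leaves an onlooker who saw the overlay and
    the final offset: each picture cell is a possible secret point and implies
    exactly one digit, so GRID*GRID (digit, point) pairs remain, the real one
    among them and indistinguishable from the rest."""
    return {(digit_under(overlay, (x, y), offset), (x, y))
            for y in range(GRID) for x in range(GRID)}

def demo(seed=1):
    rng = random.Random(seed)
    secret = (7, (3, 4))  # constructed secret: digit 7 over picture cell (3, 4)
    overlay = make_overlay(rng)
    offset = user_drag(overlay, secret, rng)
    candidates = observer_candidates(overlay, offset)
    return {
        "unlocked": unlock(overlay, secret, offset),
        "accepting_drags": len(accepting_offsets(overlay, secret)),
        "cells_with_secret_digit": sum(row.count(secret[0]) for row in overlay),
        "observer_candidates": len(candidates),
        "secret_among_candidates": secret in candidates,
    }

if __name__ == "__main__":
    print(demo())
```

Two things fall out of the model. Because the overlay repeats digits, several different drags open the device, so the user's gesture varies from one unlock to the next and no fixed smudge path builds up. And a single observed drag is consistent with every cell on the picture, which is the "can't match one with the other" point the post makes.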

I jokingly bet with another friend that I could unlock my phone in front of him a hundred times and he still wouldn't manage to figure out the combination. Some time later, I found myself repeatedly re-locking my phone and holding a zombie finger above it to unlock the device while he looked on closely. I wasn't keeping score, but *cough* 65 tries *cough* later he gave up.

Discussion, links, and tweets

I'm a software engineer who has worked on various Android projects for a while now. If you'd like to follow me on Twitter, I don't always post about tech things.