But not just ordinary alphanumeric passwords. The dev team talks about what they hope to be the future of Windows 8 security – picture passwords.

First off, they begin with the premise that creating a solid alphanumeric password is important, but all of the “capitalize one letter” and “include at least two punctuation marks” types of requirements has made the process unnecessarily cumbersome – especially when trying to enter them on smartphones. Even the PIN system of 4 or so numbers (like you see on the iPhone) is tricky for two reason: On one hand, you want something that’s easy to remember, but common passwords like 1234 and 9999 are the most easily guessed. So you might want to pick a sequence that means something to you. like your birthday – but then that can be broken if someone has even the slightest bit of info about you.

Their solution is the picture password, and it’s pretty simple.

It basically works on four variables. Type of gesture, location of gesture, direction of gesture and order or gesture.

When a user sets up a picture password, they pick their own picture from their library. It could be a photo of the user and their dog, or a family photo from last Thanksgiving. The point is that’s is specific and personal to the user. They are then given a grid to set up their gestures.

There are three types of gestures: a single point, a circle, and a line. The password is a set of these three gestures. On that hypothetical picture my dog and me, I could for instance draw a circle around the dog’s head, and line from his paw to my face, and a dot on my right knee. Here’s how it looks on one of Microsoft’s text photos:

When the system is judging your swipes to see if you are allowed entry, it takes into account not only the location of your swipes (as in did I draw the line from the paw to the face), but the direction of those gestures and the order in which I perform the three gestures. So, where I begin my circle gesture around the head or which direction I draw the line matters.

According to Microsoft’s test, people were able to complete the gestures in less than 4 seconds. And the combination of gestures is far wider than that or a PIN. In fact, a three-gesture picture password (1,155,509,083) provides about the same “security promise” (measured in possible combinations) as a 5-6 character password.

And what about smudges? They remind us that since the direction of gestures and order or gestures matter, smudges giving your password away shouldn’t be a huge concern:

We’ve also taken some practical considerations to protect you if you use Picture Password. People are often concerned with the smudges left behind on a touch screen and how easy or hard it would be to divine your password based on those markings. Because the order of gestures, their direction and location all matter, it makes the prospect of guessing the correct gesture set based on smudging very difficult even in the completely clean screen case, let alone on a screen that sees regular touch use.

Not quite as awesome as that virtual reality HoloDesk thing – but nicely played, Microsoft.

What do you think? Would you like to draw on a family photo in order to unlock your device? Let us know in the comments.

Rolando S. used the female victim’s email password (which he had obtained via unsolicited text message) to gain access to her Facebook account. Once inside, he trolled around for a while, posting lewd messages on people’s walls and changing her profile information to include some pretty unsavory hobbies.

The official court document provides the NSFW specifics in a footnote –

Appellant posted, as the victim, on a male classmate’s wall: “I want to stick your dick in my mouth and then in my pussy and fuck me really hard and cum on my face.” On another male classmate’s wall he posted: “When we were dating we should have had sex. I always thought you had a cute dick, maybe we can have sex sometime.” On the victim’s profile description, appellant posted: “Hey, Face Bookers, [sic] I’m [S.], a junior in high school and college, 17 years young, I want to be a pediatrician but I’m not sure where I want to go to college yet. I have high standards for myself and plan to meet them all. I love to suck dick.”

Rolando’s crime was in violating a California statute (Section 530.5) – “willfully obtaining personal identifying information and using it for an unlawful purpose.” He was found guilty and sentenced to 90 days to a year in Juvi lockup and then probation.

His appeal claimed that his actions failed to satisfy the criteria on either account – “willfully obtaining” the information or “unlawful purposes.”

First, the appellate court declared that Rolando had “willfully obtained the victim’s password.” To the court, “willfully” means “intentionally.” And although the defendant received the email password through an unsolicited text message, his actions following that constituted intent.

By remembering the email password from the text message, Rolando satisfies the “willful” criteria. Furthermore, the court said that Rolando used the way in which Facebook allows users to reset their passwords via email conformation to gain access to the victim’s Facebook account –

The record makes no indication appellant received the victim’s Facebook
account password in another manner. It is reasonable to infer he used this process of
resetting the password through the victim’s email account to gain access to the victim’s
Facebook account. Not only did appellant willfully obtain the email password from the
text message, he also willfully obtained the Facebook account password by purposely
using the email account as a vehicle to alter the Facebook account password.

As far as the “unlawful purpose” part of the appeal, the court ruled that the messages posted were, in fact, unlawful. In the original hearing, the victim testified about the impact of the fake messages (via Ars Technica) –

“I used to love going to school,” she said. “Now, I dread dealing with this every day.”

Although the appellate court said that the lewd messages don’t constitute a violation of the criminal law of “annoying or molesting a child,” they do constitute libel – and that’s good enough.

However, we hold that intentional civil torts, such as libel, constitute an “unlawful purpose” for purposes of section 530.5(a), and affirm the judgment.

Moral of the story: Watch what you say when you are messing with people’s Facebook accounts. Or better yet, just don’t mess with people’s Facebook accounts. The whole thing is so 2005, anyways.

However, the specifics of this ruling make me wonder; how little effort would you have to put into accessing someone’s Facebook account for it to not be considered “willfully obtaining.” What if you happened upon (unsolicited, of course) someone’s actual Facebook password, instead of their email password. No trickery there – just typing it into the login screen. Is that willfully obtaining?

What if some idiot at the Apple store leaves his Facebook logged in?

The fact that the judge determined that saying someone “likes to suck dicks” on their “about me” section on Facebook is libelous is quite interesting to me. It suggests that our social media identities are more than just extensions of our real identities, but they have in fact become a mirror of our real identities.

Broadcasting a false, defamatory status via Facebook is the same as publishing it in a newspaper. Neat.

Check out the whole appellate decision below:

In Re Rolando S., F061153 (CA. Ct. App. July 21, 2011)

But if your reason was mainly security, wouldn’t you want to create a 4-digit PIN that wasn’t unbearably easy to guess? Apparently not, according to data posted on app developer Daniel Amitay’s blog today.

One of Amitay’s iOS apps is called “Big Brother Camera Security” Basically, the application will snap a picture of whoever is trying to use your phone without your consent. If they get the code wrong, snap! You have a picture of who was trying to access your device. You can also set it to sound an alarm.

Based on the passcodes of the over 200,000 subscribers to the app, we get some information on the most common passcodes. And unsurprisingly, people fail to secure their phones with any code that would actually secure their phones.

For an app whose sole purpose is security, the top password is 1234. The second most common passcode was 0000. And the bronze goes to 2580, which as you probably know is simply a straight line down the middle of the keypad.

Here’s a graph of the top 10 most common passcodes. It looks as though 1,425 people thought that 5683, which spells “Love,” was a good choice.

Apparently, people also love to use years as their passcodes. Whether they coincide with dates of birth, graduations, or anniversaries, 1990-2000 were in the top 50 most used passcodes and 1980-1989 were all in the top 100. One is the most common digit for the first spot in the code, while zero is the most common in the last spot.

So, guys, you’ve gotta step up your password game. I know you don’t want to make them so complicated that you forget them yourselves, but there is a happy medium between digits with no significance and 1111. And with these statistics in hand it is very likely that I could break into your phone with minimal effort.

Formulaic passwords are never a good idea, yet 15% of all passcode sets were represented by only 10 different passcodes (out of a possible 10,000). The implication? A thief (or just a prankster) could safely try 10 different passcodes on your iPhone without initiating the data wipe. With a 15% success rate, about 1 in 7 iPhones would easily unlock–even more if the intruder knows the users’ years of birth, relationship status, etc.

So next time you want to check out your boyfriend/girlfriend’s texts from last night, try a couple of these simple combinations. There’s a really good chance that one of them will work.

Through independent tests, Nyleveia reported that a new breach was allowing hackers the ability to change user passwords simply by using the email associated with the accounts as well as the date of birth of the user. These bits of information were reportedly obtained by the original hackers during the April attack that shut down the PSN for almost a whole month.

The poster on Nyleveia’s assertion was as such:

It has been proven to me through direct demonstration on a test account, so I am without any shadow of a doubt that this is real.

Eurogamer among others confirmed this assertion.

Sony has just now posted a statement on its official blog denying that any new hack has occurred:

We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.

Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up.

This, if true, would be a huge sigh of relief for PS3 owners who have been put through the ringer when it comes to personal security throughout all of this. It doesn’t look like any of this has affected online play, simply the websites that users have been accessing to change their passwords.

"The bad guys have more than just access to users’ email accounts," says the spokesperson. "They have access to a host of other online services the victims use."

Paul Wood, MessageLabs Intelligence Senior Analyst says, "A user’s unique email address is often used to authenticate a number of web sites, including social networking sites and Instant Messaging on a public Instant Messaging (IM) network. If your email address has been compromised, not only should you change the password there, you should also change it on any other site that uses that email address as a log in ID."

If a cybercriminal had the email account information and wanted to take over a related social networking account, all they would have to do is try the password reminder links from the login pages. Then they could use the victim’s email to spam, but they could also gain access to other personal information, not to mention use your account to spam social networks as well.

MessageLabs says it has tracked a number of phishing attacks using Instant Messaging, where bad guys would collect real IM user account info and passwords, only to use them to send spam to everyone on the person’s buddy list. This is another possible result. "An invitation to view a funny video or embarrassing pictures by clicking on a link in an IM was the bait and the landing site would then ask the victim to log in with their IM user name and password," the spokesperson says. "For public IM networks, the user name is often the same as the web-based email account."

In other phishing-related news, the FBI has charged nearly 100 people in the United States and Egypt as part of Operation Phish Phry," one of the largest cyber fraud phishing investigations ever. WebProNews has more details on that here.

Thousands of users saw their friends appear post the message, “I just got over 1000 followers today from http://twittercut.com.”  Those who thought it advantageous to gain 1000 followers in one day were then lured to TwitterCut’s site, which looked remarkably similar to the Twitter login portal. Baited users would then enter login details at the TwitterCut site. Like many of the recent Facebook scams, TwitterCut would then use this information to send out the same message through the user who entered their information, allowing the worm to spread rapidly.

It does not appear that TwitterCut has used the retrieved logins for any other purposes yet, but those who may have given information should act quickly to change their passwords. Additionally, Twitter announced on Tuesday night that they were working to push password resets for infiltrated accounts. 

All told, this phishing scam serves as a reminder to social network users to be extremely cautious when entering usernames and passwords, double checking to reinsure that the site truly is what it claims to be.

It appears that today a new phisher has appeared on the scene. Some are tweeting to beware of SuMagik, or the site sumagic.info, which also requests an individual’s Twitter Name and Twitter Password. No info is given as to why this is requested, but the site does state, “We do not store twitter passwords, as we have no interest in your twitter account, and we hate scamming cheats too!” Sound a little phishy to me!

Should events like these already be in your past, resetting your password is the recommended next step.

And here’s why this is important: the Twitter accounts belonging to Barack Obama, Britney Spears, Facebook, Fox News, and Stephen Fry were all hijacked in the last day or so, and it stands to reason that many lower-profile accounts suffered the same fate.

Realizing that security is becoming more of a concern among Twitter users, Matthew Daines, the lead developer of Twellow has posted some assurance of safety for use of that service.

If you are unfamiliar with Twellow, think about it as a yellow-pages service for finding people on Twitter.  You can search for things or browse the directory to find people who tweet about the topics you are interested in.

"Twellow does not store your Twitter password at all in our database," explains Daines. "We only use it to send a simple HTTPS request (that means it’s a secure connection) to the Twitter servers to see if you are actually the owner of your Twitter screen name. This is the approved method for verifying Twitter credentials according to the documentation on Twitter’s API site. Upon verification of your Twitter account, the password is discarded by our system."

So in case you are skeptical of Twitter-related services (and I wouldn’t blame you) you can rest assured that you’re safe with Twellow. But as Matthew implies, it always helps to stay on top of current security issues and stay informed.

"It is ultimately up to you to choose which entities are worthy of your trust. Educate yourself to security risks versus the benefits of interacting in free society. Use that amazing mind which you are blessed with to study and think things out for yourself."