
Suppose the actual number is at grid position [x,y] (and I mean the number grid, not the picture location, which is irrelevant in this attack). I can choose any number I want to look at, say "8" which is at some other grid position [j,k]. I have no idea what [x,y] or [j,k] are, but that actually does not matter. Once I have picked my number "8" at grid [j,k], then all I need to know is that the number at [x,y] can only be one of 10 possibilities (0...9). Therefore, IF (and that can be a big assumption), I know which grid size is used, every random shuffle of the number grid has a 1/10 = 10% possibility of having your special number at grid [x,y]. For 5 tries, that means you have 50% chance of hitting the right number. Those are pretty good odds.
As someone pointed out, you may not need to be that observant if there are only 2 grid sizes (either sparse or dense) used on the Z10 or Z30. If that's the case, it would be really easy for someone who knows how the BB10 picture password system works to have a go at unlocking the phone.
That's why allowing ANY character can boost up the security significantly, you can go from 10% to 1/36 if you include alphanumeric and if you include punctuation and other symbols it can go up from there. The easiest fix is simply to have random number placement, not even a regular grid. Well, actually allowing alphanumerics is pretty easy too but it doesn't buy you as much as a random number placement.
The standard BB10 password lock should actually work quite well since it can be (almost) arbitrary length of characters and with BB10, the press & hold entry method for upper case is an additional obfuscation to what character you are actually entering021317 07:39 PMLike 0 
Posted via CB App for Android on Tab4 (interim Playbook replacement)021317 07:50 PMLike 0  Actually they kind of have.
There were some links posted above.
They even used the words shoulder surfing. Admittedly I don't think they ever said it was perfect, opting for words like "hard" instead, but given how small a change it would take to make it way harder, I think they should have done it.Shoulder surfing. With no set points to track, only a number and a location that can be obtained from anywhere on the screen, prying eyes will find it very hard to figure out how I access my phone.
LeapSTR1002/10.3.3.2205021317 07:58 PMLike 0  You may be referring to this:
And this is true. If I watch someone type a password on a keyboard it is a direct process of noting what keys are pressed and in what order. Picture Password is more difficult (I wouldn't use the adjective very) as evidenced by the original post, and that Kevin thought it would be hard for people to guess his Picture Password from a video. You can call it a vulnerability if you want, but it is by no means one that is limited to Picture Password over other password entry methods, and it does provide protection that other methods don't, and is resistant to other more usable methods of determining passwords such as the paper that I also linked. These are all properties that would tend to cause security researchers to not call it a vulnerability unless they were trying to excite people.
LeapSTR1002/10.3.3.2205
I also don't share the outrage that some seem to feel at the admittedly rather dramatic title.
The fact is it is more vulnerable to shoulder surfing that many people (myself included) had believed. This may not be enough to justify a security label of Vulnerable, but it's also not a completely incorrect usage of the word.
I'll also point out that when described in a blog post in 2014 they said:
"Shoulder Surf Attack – When using a simple password, someone could look over your shoulder while you enter it. Picture Password prevents this situation from occurring by drawing a random number grid and varying the size of the grid. For example, in addition to a random number grid, the grid size also randomly changes increasing and decreasing the amount of rows and columns to reduce the shoulder attack vulnerability."
Notice the word prevents? That's sufficient that I would expect better than 50% odds even against someone with great memory.
They also refer to the shoulder attack as a vulnerability .
If I remember Kevin's contest correctly it wasn't actually a valid test of the system. I think you had to figure out the specific number and location (both things you never actually figure out using this attack method).021317 08:23 PMLike 0  As far as I can tell it is reused, but on my Z10, the column varies from 5 to 8, I haven't checked the row count but this would give at least 4 different grid sizes an attacker would have to note.021317 09:22 PMLike 0

They don't need to keep track of how many options there are. They'll be ignoring all the nonmatching ones anyways.021317 09:41 PMLike 0  The spacing is reused since it only consists of whole rows and columns, and seems to be selected from a relatively small range, between 6 and 8 columns on my Leap. I have not been able to determine any procedure for selection so it is probably random, but proving that would take more time than I'm will to invest.
The bottom line is that if you allow someone to watch you enter your secret credentials, regardless of the method of entry, you are reducing the strength of that protection. This can only be a vulnerability if BlackBerry claims that Picture Password is robust against shoulder surfing. To my knowledge they have never made that claim. This is why there are "protect your PIN" on bank machines etc.
So far however Picture Password is robust against spatiotemporal dynamics, which is enough for me.
LeapSTR1002/10.3.3.2205FF22 likes this.021317 09:48 PMLike 1  Becase it is when you only use the 10 possible digits. The slightly technical explanation:
Suppose the actual number is at grid position [x,y] (and I mean the number grid, not the picture location, which is irrelevant in this attack). I can choose any number I want to look at, say "8" which is at some other grid position [j,k]. I have no idea what [x,y] or [j,k] are, but that actually does not matter. Once I have picked my number "8" at grid [j,k], then all I need to know is that the number at [x,y] can only be one of 10 possibilities (0...9). Therefore, IF (and that can be a big assumption), I know which grid size is used, every random shuffle of the number grid has a 1/10 = 10% possibility of having your special number at grid [x,y]. For 5 tries, that means you have 50% chance of hitting the right number. Those are pretty good odds.
As someone pointed out, you may not need to be that observant if there are only 2 grid sizes (either sparse or dense) used on the Z10 or Z30. If that's the case, it would be really easy for someone who knows how the BB10 picture password system works to have a go at unlocking the phone.
That's why allowing ANY character can boost up the security significantly, you can go from 10% to 1/36 if you include alphanumeric and if you include punctuation and other symbols it can go up from there. The easiest fix is simply to have random number placement, not even a regular grid. Well, actually allowing alphanumerics is pretty easy too but it doesn't buy you as much as a random number placement.
The standard BB10 password lock should actually work quite well since it can be (almost) arbitrary length of characters and with BB10, the press & hold entry method for upper case is an additional obfuscation to what character you are actually entering021417 03:39 AMLike 0 


 If I remember Kevin's contest correctly it wasn't actually a valid test of the system. I think you had to figure out the specific number and location (both things you never actually figure out using this attack method).
If there are people using picture password who believe that it removes all risks of letting someone watch while they unlock their phone then this thread serves a good service of informing them that is not the case. But like any IT security issue, if you over hype it a lot of people will just give up because they feel that being secure is too hard. I see that all the time. That's why I recommend using as long and as complex device password as you can remember, set the lock timer as short as you can live with, but use picture passport (or swipe on or whatever) to unlock the phone. Then when you suspect someone is shoulder surfing or trying to exhaust over all possible number location combinations you can immediately go somewhere private and change your picture password. You don't have to change your good password because it wasn't compromised. A new picture password is easy to remember, a new good password isn't.
LeapSTR1002/10.3.3.2205021417 07:35 AMLike 0 
 I have to be honest, this seems like a stretch. I would be shocked if someone could unlock my phone using the Picture Password.
Just another comment, I feel as though the picture password is greatly underappreciated This way to unlock the phone is amazingly simple but extremely effective.021417 10:03 AMLike 0  So there has been some discussion of the odds here and there without looking at the actual math. So lets make some reasonable assumptions as see where that leads us.
First assumption. Varying grid pitch could delay an attacker, but if the attacker does not make any guesses at the pitch sizes not observed they don't count against the allowed incorrect guess count. So we must assume that the attacker has enough time to continuously reject bad pitch attempts. (This suggests a change to Picture Password that would improve its resistance but result in less convenience. Always a trade off with security features.)
Second assumption, the attacker is not concerned with leaving the phone at the point of "Enter BlackBerry to continue" after using five attempts.
As other people have stated, once the variable pitch size is eliminated the problem one of the relationship of the correct number with respect to the attacker's chosen number. Or what is the probability that the randomly selected number X columns left or right and Y rows up or down (where the values of X, Y, left or right and up or down are unknown but finite) is the number chosen by the user. Assuming the grid is truly randomly populated the the odds are 1 in 10. So what are the odds that the attacker will break into the phone in the five tries available? This is actually very similar to the problem posed here.
As with dice the math is greatly simplified if we consider the odds of the correct number not being in the correct spot each time, similar to considering the odds of not rolling a six on each dice. The odds of the number being wrong are 9 in 10. So the odds of the attack failing purely due to chance in five attempts are 9/10 x 9/10 x 9/10 x 9/10 x 9/10 = 59,049/10,000 or 59%. The odds of the attacker succeeding are 40,951/100,000 or 41%.
So in order to determine if Picture Password is more or less vulnerable to shoulder serfing than other methods we must decide if an attacker who can pick a number and location and identify the correct pitch size with suffecient accuracy is able to read your PIN, password, swipe pattern etc under the same conditions at more or less than 41% probability.Fret Madden and 1122334455667788 like this.021417 11:06 AMLike 2  That is correct, you only get 5 tries with picture password. This is an important aspect of the security built into it because it could be a kid playing with the phone or pocket entries and you don't want to cause an accidental security wipe if you allow it to continue. After the 5th try, you need to type in "blackberry" before you can try the normal password. The chances of an accidental or pocket entry of "blackberry" is very, very slim. Efats or someone else in this thread can calculate that probability, and if it is >1%, I would be shocked!!Fret Madden likes this.021417 11:13 AMLike 1
 That is correct, you only get 5 tries with picture password. This is an important aspect of the security built into it because it could be a kid playing with the phone or pocket entries and you don't want to cause an accidental security wipe if you allow it to continue. After the 5th try, you need to type in "blackberry" before you can try the normal password. The chances of an accidental or pocket entry of "blackberry" is very, very slim. Efats or someone else in this thread can calculate that probability, and if it is >1%, I would be shocked!!021417 11:30 AMLike 0
 So there has been some discussion of the odds here and there without looking at the actual math. So lets make some reasonable assumptions as see where that leads us.
First assumption. Varying grid pitch could delay an attacker, but if the attacker does not make any guesses at the pitch sizes not observed they don't count against the allowed incorrect guess count. So we must assume that the attacker has enough time to continuously reject bad pitch attempts. (This suggests a change to Picture Password that would improve its resistance but result in less convenience. Always a trade off with security features.)
Second assumption, the attacker is not concerned with leaving the phone at the point of "Enter BlackBerry to continue" after using five attempts.
As other people have stated, once the variable pitch size is eliminated the problem one of the relationship of the correct number with respect to the attacker's chosen number. Or what is the probability that the randomly selected number X columns left or right and Y rows up or down (where the values of X, Y, left or right and up or down are unknown but finite) is the number chosen by the user. Assuming the grid is truly randomly populated the the odds are 1 in 10. So what are the odds that the attacker will break into the phone in the five tries available? This is actually very similar to the problem posed here.
As with dice the math is greatly simplified if we consider the odds of the correct number not being in the correct spot each time, similar to considering the odds of not rolling a six on each dice. The odds of the number being wrong are 9 in 10. So the odds of the attack failing purely due to chance in five attempts are 9/10 x 9/10 x 9/10 x 9/10 x 9/10 = 59,049/10,000 or 59%. The odds of the attacker succeeding are 40,951/100,000 or 41%.
So in order to determine if Picture Password is more or less vulnerable to shoulder serfing than other methods we must decide if an attacker who can pick a number and location and identify the correct pitch size with suffecient accuracy is able to read your PIN, password, swipe pattern etc under the same conditions at more or less than 41% probability.021417 11:35 AMLike 0  As with dice the math is greatly simplified if we consider the odds of the correct number not being in the correct spot each time, similar to considering the odds of not rolling a six on each dice. The odds of the number being wrong are 9 in 10. So the odds of the attack failing purely due to chance in five attempts are 9/10 x 9/10 x 9/10 x 9/10 x 9/10 = 59,049/10,000 or 59%. The odds of the attacker succeeding are 40,951/100,000 or 41%.
I kind of thought I was missing something with the math.021417 11:36 AMLike 0 
The point is that although you don't know the correct number, you can know a correct grid alignment021417 11:39 AMLike 0 


 Forum
 BlackBerry 10 Phones & OS
 BlackBerry 10 OS
Picture Password vulnerability
Similar Threads

Does the DTEK50 have picture password?
By oberkfell in forum BlackBerry DTEK50Replies: 15Last Post: 040417, 06:19 PM 
Unable to Upload Pictures to my PC and Facebook
By OneMoreQuestion in forum BlackBerry PrivReplies: 8Last Post: 021217, 12:33 PM 
How to export Password Keeper data from Priv back to BB10
By GEO1ER in forum Ask a QuestionReplies: 2Last Post: 021217, 07:29 AM 
How to turn off camera noise while taking a picture?
By cb_arjun_cb in forum Ask a QuestionReplies: 1Last Post: 020917, 12:49 AM 
Exporting Password Keeper records
By Powdah in forum Ask a QuestionReplies: 3Last Post: 020817, 08:08 PM
LINK TO POST COPIED TO CLIPBOARD