How-To Geek

Should You Protect Your Windows 8 PC with a Picture Instead of a Password?


Password protecting access to Windows user accounts is now the norm, and a variety of other devices – mobiles and tablets, for example – offer other security features such as PIN protection and facial recognition unlocking. Windows 8 enables you to protect your account with a picture password; but is it a good move?

What this means is that you are able to draw shapes, tap or click points, and generally gesture in a particular pattern over an image you have chosen. It’s a feature that has really been designed with touchscreen devices in mind, but there is nothing to stop you from using it with a mouse on a standard PC.

The attraction of a picture password is obvious. To start with, it is a slightly more ‘fun’ way of gaining access to your account and for anyone who is a slower typist, it may well prove to be a faster means of logging in.

But is the feature all that it’s cracked up to be?

Enabling Picture Passwords

Bring up the Settings charm using whatever method you prefer – hitting the Windows key and I is quickest and easiest – and then click Change PC Settings at the bottom.


Click the Users link in the left-hand list and then, on the right, click ‘Create a picture password’. Before you can continue, you will need to enter your regular password; this helps to prevent other people from causing confusion by changing settings on your behalf. It would not be possible to lock someone out of their account by setting up a picture password, as we will see.


A picture password is meant to be personal – that is the point of it, really – so click ‘Choose picture’ to select the image you would like to use. It is a good idea to choose an image that has fairly obvious, defined shapes or lines in it rather than an abstract picture, as you’ll need to be able to remember just where on the picture you need to gesture.

When you have made your selection, click ‘Use this picture’ and you will be invited to configure the gestures you want to use. You are limited to using three gestures, and you can choose between taps (or clicks), straight lines and circles.


You will have to remember exactly how you performed these gestures. When you draw a circle, or use a line to join up two points on a picture, it’s not enough to know where to draw; the direction also has to be correct. Having configured your three gestures, you will have to repeat them to prove that you have remembered the combination.

Now when you switch on your computer, or activate the Lock Screen, you will have to input your gesture to gain access to your account… or will you?

Limitations and Problems

In theory, using a picture password should be incredibly secure – after all, there are infinite combinations of taps, clicks, lines and shapes that you can use – but this is not the reality.
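The gap between "infinite combinations" and reality can be made concrete with a rough count. This is an added example, not part of the original article: it assumes gesture positions fall on a coarse grid because the login has to tolerate imprecise input, and the grid size, radius buckets and number of obvious points are constructed values, not Windows' actual parameters.

```python
import math

# Assumptions (not from the article): positions are modelled as cells of a
# coarse grid and circle sizes as a few radius buckets, because a login
# screen must accept slightly imprecise input. All numbers are constructed.
GRID_CELLS = 20 * 12        # distinguishable positions on the whole picture
RADIUS_BUCKETS = 4          # distinguishable circle sizes
GESTURES_PER_PASSWORD = 3   # the article: "limited to using three gestures"


def single_gesture_count(positions: int, radii: int = RADIUS_BUCKETS) -> int:
    """Number of distinguishable gestures given `positions` usable points."""
    taps = positions                      # one point
    lines = positions * (positions - 1)   # ordered pair: direction matters
    circles = positions * radii * 2       # centre, size, clockwise or not
    return taps + lines + circles


def picture_password_bits(positions: int) -> float:
    """log2 of the number of ordered three-gesture sequences."""
    return GESTURES_PER_PASSWORD * math.log2(single_gesture_count(positions))


def text_password_bits(length: int, alphabet: int = 62) -> float:
    """log2 of the number of uniformly random letter-and-digit strings."""
    return length * math.log2(alphabet)


def report(salient_points: int = 10) -> dict:
    """Compare the whole-grid space with one limited to obvious features."""
    return {
        "whole_grid_bits": round(picture_password_bits(GRID_CELLS), 1),
        "salient_only_bits": round(picture_password_bits(salient_points), 1),
        "random_8_char_bits": round(text_password_bits(8), 1),
    }


if __name__ == "__main__":
    for name, bits in report().items():
        print(f"{name}: {bits}")
```

Under these assumed values the space is large but finite, and it shrinks sharply once gestures are anchored to a handful of obvious features in the picture.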

The first thing to bear in mind about Picture Passwords is that they can be overridden. Setting up a gesture-based password does not replace your regular alphanumeric password, and on the lock screen itself there is an option to switch back to the standard login option.


This is not an extra layer of security, merely an alternate means of logging in. With this in mind, picture passwords should be seen as something of an interesting curiosity and a helpful alternative login method rather than something that adds security.

There is an additional problem for touchscreen devices. Tapping and drawing gestures on screen leaves behind oils and other smears, and it has been suggested that, in the right light and at the right angle, it might well be possible to decode your gestures from them.

That said, if you have a touchscreen device, you are going to be making other gestures that also leave marks behind, so this is probably not a real cause for concern.

How do you secure your Windows 8 account? Do you stick with a regular password or do you like the idea of picture passwords? Or have you taken things further and installed a secondary authentication device such as a fingerprint reader?

Mark Wilson is a software fiend and a fan of the new, shiny and intriguing. Never afraid to get his hands dirty with some full-scale geekery, he’s always trying out the latest apps, hacks and tweaks. He can be found on Twitter and Google+.

  • Published 02/3/13

Comments (11)

  1. Craig S

    Picture. It’s faster and more convenient (with the right gestures).

    The idea of someone guessing your password from smudges is not even worth mention. A numeric pin is much more vulnerable to this.

  2. Nick

    I don’t worry about my Windows passwords, whether it is password, PIN or picture password.

    Why? Coz if somebody wants to gain access to your Windows PC they can do it in a multitude of ways (Konboot, NT Offline password cracker, SAM Password Remover or any live CD of a Linux distro will do the job).

    I rely on my FDE password (which is about 25 characters) while windows password is there to deny access to some average joe

    So as far as I’m concerned a simple password like pass789 is more than enough for me.

  3. Fantasm

    Smudges? You could as easily decode a keyboard password by sprinkling something light and dusty over the keys, then looking at the clean keys… Amazingly it worked…

  4. Eirik

    I prefer facial recognition on my tablet because it is as fast as a login gets and I don’t have to move a finger. This is also just an alternative login you can override, but better than picture (imho).

  5. Paul

    I use the fingerprint scanner on my HP laptop. It too is basically an alternate rather than replacement method of authentication.

    It’s very quick and easy and has the “cool” factor too. The only problem is that as you become addicted to it and use it all the time you tend to forget your original keyboard password…!

  6. kenny

    what happens with this on desktop when you are running as user and need to input password via UAC for instance to uninstall software

  7. Neville

    I love the idea of having a picture password. I think it is a good idea, I will pass this on to my mates. Thanks!

  8. Siosilvar

    In general: Given that people make their picture passwords using the important features of the picture chosen, they’re significantly less secure than a half-decent normal password.

    @Fantasm: I don’t know about you, but I use my keyboard significantly more than I do poking my screen. My most-worn keys are “ETAOIN SHRDLU”, and adding a password a few times a day barely impacts the frequency that my keys get used. If anything, I should consider changing my password to something with a J, a Q, and a Z so that a quick guess at “most-worn keys” is exactly wrong.

  9. Sunandajit Ray

    I use picture password, but do not use touch screen, rather I tap using the touch pad/mouse. This does not leave a trail on the screen and makes it tough to guess the code.

  10. herp

    The psychology of a picture lock basically inscribes part of the password right on the screen, by necessity, unless you outright ignore the image from the get-go. Which as I scroll up I see Siosilvar basically mentioned.

  11. weaselspleen

    Umm, not to be a party pooper, but analyzing screen smudges as a way to crack this kind of security was proven feasible three years ago, so yeah, it totally is a realistic risk. And being more secure than a 4 digit pin is technically incorrect. You can’t compare a PIN on a bank account with a touch password on a handheld device. Too many incorrect guesses of your PIN will lock your account. Someone with hands-on access to your device can take their time. And if you enable the option some devices have of automatically wiping devices after too many failures, you’re vulnerable to denial-of-service by people deliberately guessing incorrectly just to screw with you.
