When people tend to pick the most obvious, lamebrain passwords for their important online accounts, it's up to tech companies and services to discourage people from their bad habits and come up with new security techniques. For Android, that's using your face to unlock a phone. Windows 8 will use picture-based unlocking, too, but not exactly in the same way. Microsoft's combining gestures and photos into picture passwords, which task you with drawing circles, lines and dots in unique configurations on a picture of your choosing.
Microsoft's goal was to create a solution faster and more secure than typing in a password. Its example solution--a Microsoft employee drawing the three objects onto a picture of his family--seems far less complex than a good alphanumeric password, but that doesn't do justice to the complexity of the picture password system.
Microsoft divides picture passwords into grids 100 segments wide and X number of segments tall, depending on the image. Each individual segment is basically a small touch coordinate on the screen. A picture password then consists of a circle gesture, a line gesture and a tap gesture drawn onto that grid. They have to be pretty accurate. Take the hot zone for a tap gesture, for example: out of thousands of individual touch points, only 37 locations are close enough to the original entry to be recognized as accurate.
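To make the 37-location figure concrete, here is an added Python sketch of a tap check on a 100-segment-wide grid; it is not Microsoft's code and does not come from the original article. The distance threshold and the rounding of the grid height are assumptions, chosen so that a tap away from the image edges has exactly 37 matching cells.

```python
# Added illustration of a tap "hot zone" on a 100-wide grid.
# Not Microsoft's implementation; the constants below are assumptions.

GRID_WIDTH = 100     # from the article: the grid is 100 segments wide
TOLERANCE_SQ = 10    # assumed squared-distance limit that yields 37 cells


def grid_height(img_w, img_h):
    """Segments tall, scaled by the image's aspect ratio (assumed rounding)."""
    return max(1, round(GRID_WIDTH * img_h / img_w))


def to_grid(px, py, img_w, img_h):
    """Map a pixel coordinate to a grid cell, clamped to the grid bounds."""
    gh = grid_height(img_w, img_h)
    gx = min(GRID_WIDTH - 1, max(0, int(px * GRID_WIDTH / img_w)))
    gy = min(gh - 1, max(0, int(py * gh / img_h)))
    return gx, gy


def tap_matches(enrolled, attempt):
    """True if the attempted cell is close enough to the enrolled cell."""
    dx = attempt[0] - enrolled[0]
    dy = attempt[1] - enrolled[1]
    return dx * dx + dy * dy <= TOLERANCE_SQ


def hot_zone(enrolled, gh):
    """All grid cells that would be accepted for an enrolled tap."""
    return [(x, y) for x in range(GRID_WIDTH) for y in range(gh)
            if tap_matches(enrolled, (x, y))]


def blind_tap_odds(enrolled, gh):
    """Chance that one uniformly random tap lands inside the hot zone."""
    return len(hot_zone(enrolled, gh)) / (GRID_WIDTH * gh)


if __name__ == "__main__":
    # Constructed sample: a 1366x768 image with a tap enrolled at its centre.
    gh = grid_height(1366, 768)
    centre = to_grid(683, 384, 1366, 768)
    print("grid:", GRID_WIDTH, "x", gh, "enrolled cell:", centre)
    print("accepted cells:", len(hot_zone(centre, gh)))
    print("blind single-tap odds: %.4f" % blind_tap_odds(centre, gh))
    # A tap enrolled in a corner has part of its zone clipped by the grid.
    print("corner hot zone:", len(hot_zone((0, 0), gh)))
```

A tap enrolled at the very edge of the picture loses part of its hot zone to clipping, so the number of accepted cells depends on where the tap sits.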
The circle and line gestures are even more complex, since their size, angle, direction, and so on are different for every person. Microsoft's example doesn't really drive home how difficult these would be to replicate because it uses a family portrait as a template and picks fairly predictable gesture locations. One family member's head is circled, two more are connected with a line and a fourth gets a tap on the nose.
With a less obvious picture, a visual password would be extremely difficult to crack. Microsoft has plenty of statistics to back up their idea, but this is a totally optional addition to Windows 8. Mouse users may prefer to stick with their typed passwords. Microsoft decided against including custom gestures because they found people making them overcomplicated and losing time during the sign-in process. Predefined gestures helped them keep the sign-in time faster than it was with a touch keyboard (if you haven't noticed, these picture passwords are geared towards tablet users).
Windows 8 will make plain ol' text password management easier, too. The OS itself will store your web account names and corresponding passwords, and Metro apps will be able to store and retrieve passwords as well by taking advantage of a new API. By using a Live ID, you can sign into multiple trusted PCs and sync all your account details between them.
Since Windows 8 will automate the sign-in process for you, much like Internet-based password services, you can create extremely secure gibberish passwords for your online accounts and rely on Windows to remember them for you. As long as your Windows password is secure and memorable, you'll be secure letting the OS do all the sign-ins for you. Until you have to use a random public computer, anyway.