That last scenario may sound like something out of a trashy espionage thriller, but the threat of a "smudge attack" is real enough to warrant serious study. Researchers at the University of Pennsylvania coined the term in 2010 when they were able to successfully deduce gesture passwords used to unlock Android phones from smudge marks left on the screen. You can read the full study for more details, but the most important takeaway is that while gestures are faster, simpler, and more convenient to use when you're logging in to a touch-capable device, they have their own unique vulnerabilities and aren't necessarily any safer than traditional alphanumeric passwords.
We're likely to see a rash of new hacking techniques targeted specifically at touchscreen PCs, so if you're going to add a gesture password to your Windows 8 PC, make sure it's a good one.
How to create a strong picture password
Thankfully, setting up a picture password in Windows 8 is child's play. Just remember that you need to have a locally accessible image to use as the foundation of your picture password before you begin. You also need an alphanumeric password linked to your account in case of emergency, so make sure it's something strong. If the picture password feature fails for any reason, or if you simply forget the gestures you've chosen, you can use your plain-text password to log in to your system.
First, press the Win-W key combination and search for Picture Password. Under the Settings category of results, you should find an entry for Change to create picture password; launching that wizard is the first step in creating your custom picture password.
When the picture password wizard first opens, you're greeted with a big ol' page of PC Settings. Click the Create picture password button about halfway down the page. If you haven't already assigned a plain-text password to your account, you must take care of that before Windows 8 will allow you to continue.
After clicking the Create picture password button, you'll be asked to enter your plain-text password. Once Windows 8 verifies that you are who you say you are, you must sit through a quick animation that explains the types of gestures you can assign to your picture. In short, you can use any combination of three taps/clicks, straight-line drags, and/or circles.