"The essence of Picture Password is to use one of your own personal photos as a key to the device. It’ll only work for a touchscreen device — a smartphone, tablet or touchscreen PC — since it involves tracking finger gestures on the screen.
Once you pick a photo to use, Picture Password records three gestures that you “draw” on the screen. Each gesture must be either a tap, a drawn line between two points, or a circle. Once you’ve entered them, the device will call up the photo at login, prompting you to duplicate them. If you get them all correct, in the right order AND in the right direction (for lines and circles), you have access.
Why just the three gestures instead of free-form movements, which would probably be more secure? Time. Microsoft found in its testing that people took much longer to duplicate free-from gestures than simple shapes, making the tool a chore.
It turns out that taps, circles and lines are secure enough, and Microsoft presents the math to prove it." by Dec 17