ayohrling / local_security_policy

Apache License 2.0

18.8.27.6 Ensure 'Turn off picture password sign-in' is set to 'Enabled' #79

Open pillarsdotnet opened 5 years ago

pillarsdotnet commented 5 years ago

18.8.27.6 Ensure 'Turn off picture password sign-in' is set to 'Enabled'

Info

This policy setting allows you to control whether a domain user can sign in using a picture password. The recommended state for this setting is: 'Enabled'.

Note: If the picture password feature is permitted, the user's domain password is cached in the system vault when using it.

Rationale: Picture passwords bypass the requirement for a typed complex password. In a shared work environment, a simple shoulder surf where someone observed the on-screen gestures would allow that person to gain access to the system without the need to know the complex password. Vertical monitor screens with an image are much more visible at a distance than horizontal key strokes, increasing the likelihood of a successful observation of the mouse gestures.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled':

Computer Configuration\Policies\Administrative Templates\System\Logon\Turn off picture password sign-in

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template 'CredentialProviders.admx/adml' that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

Impact: Users will not be able to set up or sign in with a picture password.
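As an added example (not part of the issue, and not code from the local_security_policy module), the following PowerShell audits and optionally remediates this recommendation through the registry value that the Group Policy setting writes. The issue does not name that value; the path and name below are an assumption taken from the CIS benchmark mapping for this item.

```powershell
# Added example: audit/remediate CIS 18.8.27.6 via the registry value written by the
# 'Turn off picture password sign-in' policy. Path and value name are an assumption
# from the CIS benchmark mapping; they are not stated in the issue text.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$PolicyValue = 'BlockDomainPicturePassword'

function Test-PicturePasswordDisabled {
    # Returns $true only when the value exists and is 1 (policy Enabled).
    # A missing value means "Not Configured", which is treated as non-compliant.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$PolicyValue -eq 1)
}

function Set-PicturePasswordDisabled {
    # Creates the policy key if absent and writes the DWORD. Requires an elevated shell.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyValue -PropertyType DWord -Value 1 -Force | Out-Null
}

if (Test-PicturePasswordDisabled) {
    Write-Output "18.8.27.6 compliant: $PolicyValue = 1"
} else {
    Write-Output "18.8.27.6 NOT compliant: $PolicyValue missing or not 1"
    # Uncomment to remediate locally; domain-joined hosts should receive this via GPO instead.
    # Set-PicturePasswordDisabled
}
```

On domain-joined machines the GP path in the Solution is the authoritative way to deploy this; a value written locally is overwritten at the next policy refresh if a GPO configures the same setting.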