The features, which allow people to sign in with a picture-based password and four-digit PIN, cause Windows 8 to store passwords using encryption that can be reversed. Attackers who gain physical control as well as administrator access can extract the key that recovers the plaintext password of each account that uses the log-on alternatives.

Source: Experts: Windows 8 features make account passwords easier to steal | Ars Technica