A researcher shows that people rely on weak Android lock patterns just as they do weak.
When Google launched Android in 2008, it also introduced lock patterns, a way to unlock a device by tracing a path through a 3x3 grid of dots on the screen rather than typing a password or PIN. A new study suggests people aren't very creative when it comes to choosing hard-to-guess patterns.
By now we all know that using “password” or “123456” as your password is about as dumb and lazy as it gets. Those are easily guessed and are hardly a speed bump to hackers. Pattern locks have the potential to be very secure, but people are lazy with patterns, too.
Marte Løge, a graduate of the Norwegian University of Science and Technology, analyzed nearly 4,000 Android lock patterns and found incredible similarities throughout. “Humans are predictable,” Løge told Ars Technica. “We’re seeing the same aspects used when creating a pattern lock [as used in] PIN codes and alphanumeric passwords.”
A pattern must connect at least four of the nine nodes and may use all nine. Løge says the average pattern uses five nodes, which leaves only 7,152 valid patterns; four-node patterns are limited to 1,624. Across all lengths from four through nine nodes there are 389,112 valid patterns in total, fewer than the 1,000,000 combinations of a six-digit PIN.
Løge's test subjects most often chose only four nodes. Node count caps the size of the pattern space, but the shape of the pattern matters too: for a given length, a pattern that changes direction is far less predictable than a straight sweep across the grid.
The data reveals that 44% of all patterns start in the top-left node, and 77% start in one of the four corners. Most patterns start in the top left and move toward the bottom right.
Worse, a significant number of patterns trace a letter of the alphabet, often the first letter of the name of the pattern's creator or of that person's spouse or child. According to Ars, this gives an attacker roughly a 1-in-10 chance of guessing the pattern within 100 guesses.
The attacker's odds improve further if he or she knows the target or the names of those close to the target.
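To make the keyspace figures above concrete, here is an added example (my own code, not from the article or from Løge's study) that enumerates every valid pattern under Android's drawing rules: a stroke may not skip over a node that has not been used yet, but it may cross a node already in the pattern. It reports the counts per length, how many patterns start from each node when the choice is uniform (the baseline against which the observed 44% top-left and 77% corner starts stand out), and the chance of hitting a uniformly chosen pattern within 100 guesses, to set against the 1-in-10 figure. The grid numbering, helper names and sample patterns are assumptions made for the example.

```python
"""Enumerate the Android 3x3 lock-pattern space and count valid patterns.

Constructed example: the grid is numbered
    0 1 2
    3 4 5
    6 7 8
A pattern is a sequence of 4 to 9 distinct nodes.  A segment between two
nodes may not jump over an unvisited node (the line would connect that node
instead); it may pass over a node that is already part of the pattern
(a "cross-over").
"""


def between(a: int, b: int):
    """Return the node lying on the straight line between a and b, or None.

    The only pairs with a grid node strictly between them are those whose
    row sum and column sum are both even (0-2, 0-6, 0-8, 1-7, 2-6, 2-8,
    3-5, 6-8); the midpoint of such a pair is itself a grid node.
    """
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    mid = ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None if mid in (a, b) else mid


def is_valid(pattern) -> bool:
    """Check a candidate pattern against Android's drawing rules."""
    if not 4 <= len(pattern) <= 9 or len(set(pattern)) != len(pattern):
        return False
    if any(not 0 <= n <= 8 for n in pattern):
        return False
    visited = set()
    for prev, cur in zip(pattern, pattern[1:]):
        visited.add(prev)
        mid = between(prev, cur)
        if mid is not None and mid not in visited:
            return False  # jumps over a node that is not yet in the pattern
    return True


def enumerate_patterns():
    """Depth-first enumeration of every valid pattern.

    Returns (counts_by_length, counts_by_start_node).
    """
    by_length = {n: 0 for n in range(4, 10)}
    by_start = [0] * 9

    def extend(path, visited):
        if len(path) >= 4:
            by_length[len(path)] += 1
            by_start[path[0]] += 1
        if len(path) == 9:
            return
        last = path[-1]
        for nxt in range(9):
            if visited & (1 << nxt):
                continue
            mid = between(last, nxt)
            if mid is not None and not visited & (1 << mid):
                continue  # would jump over an unvisited node
            path.append(nxt)
            extend(path, visited | (1 << nxt))
            path.pop()

    for start in range(9):
        extend([start], 1 << start)
    return by_length, by_start


def uniform_guess_probability(guesses: int, by_length=None) -> float:
    """Chance that `guesses` tries hit a pattern drawn uniformly from the space.

    This is the baseline to compare with the observed 1-in-10 after 100 guesses.
    """
    if by_length is None:
        by_length, _ = enumerate_patterns()
    total = sum(by_length.values())
    return min(guesses, total) / total


if __name__ == "__main__":
    lengths, starts = enumerate_patterns()
    total = sum(lengths.values())
    for n, c in lengths.items():
        print(f"{n} nodes: {c:7d} patterns")
    print(f"total:   {total:7d}")
    corners = sum(starts[i] for i in (0, 2, 6, 8))
    print(f"starting in a corner, uniform choice: {corners / total:.1%}")
    print(f"starting top-left, uniform choice:    {starts[0] / total:.1%}")
    print(f"P(hit within 100 guesses, uniform):   {uniform_guess_probability(100, lengths):.4%}")
    print("0-2-1-4 valid?", is_valid([0, 2, 1, 4]))  # 0->2 jumps over unvisited 1
    print("1-0-2-4 valid?", is_valid([1, 0, 2, 4]))  # 0->2 crosses already-visited 1
```

Running it reproduces the figures in the article: 1,624 four-node patterns, 7,152 five-node patterns and 389,112 in total. It also shows that eight- and nine-node patterns have exactly the same count, because once eight nodes are used the ninth move is forced and can never be blocked. Against the whole space, 100 guesses hit a uniformly random pattern less than 0.03% of the time; the gap between that and 1-in-10 is the price of predictable human choices, not of the pattern mechanism itself.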
“It was a really fun thing to see that people use the same type of strategy for remembering a pattern as a password,” said Løge. “You see the same type of behavior.”
Want to improve the security of your Android smartphone? Use more nodes, said Løge.
Incorporating cross-overs (drawing a segment that passes over a node already in the pattern) makes it harder for shoulder surfers to figure out the pattern, too. Android users can also turn off the "make pattern visible" option, which hides the lines drawn between nodes as the user connects them; that does nothing to enlarge the pattern space, but it denies an onlooker the trace.
Enterprise IT should require Android device users to use more nodes in their patterns. The safest bet, according to Løge's data, is eight nodes. (Going to nine adds nothing: once eight nodes are used the ninth move is forced, so there are exactly as many nine-node patterns as eight-node ones, 140,704 of each.)
Eric Zeman “Android Lock Patterns Laughably Easy To Guess” 8/24/2015