Android Lock Patterns Laughably Easy To Guess - InformationWeek

Eric Zeman
A researcher shows that people rely on weak Android lock patterns just as they do weak passwords.


When Google launched Android in 2008, it also introduced lock patterns -- a way to unlock Android devices by tracing a pattern on the screen rather than using a traditional password or PIN. A new study suggests people aren't very creative when it comes to forging hard-to-guess patterns.

By now we all know that using "password" or "123456" as your password is about as dumb and lazy as it gets. Those are easily guessed and are hardly a speed bump to hackers. Pattern locks have the potential to be very secure, but people are lazy with patterns, too.

Marte Løge, a graduate of the Norwegian University of Science and Technology, analyzed nearly 4,000 Android lock patterns and found incredible similarities throughout. "Humans are predictable," Løge told Ars Technica. "We're seeing the same aspects used when creating a pattern lock [as used in] PIN codes and alphanumeric passwords."

Android lock patterns require users to connect at least four of nine nodes, which are arranged in a three-by-three grid.

(Image: Goldy/iStockphoto)

(Image: Goldy/iStockphoto)

Though users have to use a minimum of four nodes, they can use up to all nine if they wish. Løge says the average number of nodes used is five, which allows for slightly under 9,000 total pattern combinations. Using only four nodes limits the total number of patterns to 1,624. The total number of all possible patterns reaches 389,112 when every length from four through nine nodes is counted.

Løge's test subjects mostly chose to use only four nodes. The number of nodes is not the only thing that limits the pool of likely patterns; the complexity of the pattern itself matters as well. For example, patterns that change direction can dramatically increase the level of complexity.

The data reveals that 44% of all patterns start in the top-left node and a whopping 77% start in one of the four corners. Most patterns start in the top left and move to bottom right.
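The figures above (1,624 four-node patterns, 389,112 patterns overall) come from Android's drawing rule: a stroke may not jump over a node that has not yet been visited. The following Python is an added example, not code from the article or the study; it enumerates valid patterns under that rule and flags the weak traits the findings describe (few nodes, a corner start, no change of direction), assuming nodes are numbered 0 to 8 row by row.

```python
import math

# Nodes are numbered 0..8 row-major on the 3x3 grid:  0 1 2 / 3 4 5 / 6 7 8
CORNERS = {0, 2, 6, 8}

def _between(a, b):
    """Node lying on the straight segment a->b, or None if there is none."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if (ra + rb) % 2 or (ca + cb) % 2:   # midpoint is not a grid node
        return None
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2

def count_patterns(length):
    """Valid patterns with exactly `length` nodes under Android's rules."""
    def dfs(node, visited, remaining):
        if remaining == 0:
            return 1
        total = 0
        for nxt in range(9):
            if nxt in visited:
                continue
            mid = _between(node, nxt)
            if mid is not None and mid not in visited:
                continue          # a stroke may not jump an unvisited node
            total += dfs(nxt, visited | {nxt}, remaining - 1)
        return total
    return sum(dfs(s, {s}, length - 1) for s in range(9))

def total_patterns(min_len=4, max_len=9):
    return sum(count_patterns(n) for n in range(min_len, max_len + 1))

def direction_changes(pattern):
    """Number of turns: consecutive strokes whose direction differs."""
    dirs = []
    for a, b in zip(pattern, pattern[1:]):
        dr, dc = b // 3 - a // 3, b % 3 - a % 3
        g = math.gcd(abs(dr), abs(dc))     # reduce (2,0) and (1,0) to one direction
        dirs.append((dr // g, dc // g))
    return sum(1 for d1, d2 in zip(dirs, dirs[1:]) if d1 != d2)

def weak_traits(pattern):
    """Traits from the study's findings that make `pattern` easier to guess."""
    traits = []
    if len(pattern) <= 4:
        traits.append("only four nodes")
    if pattern[0] in CORNERS:
        traits.append("starts in a corner")
    if direction_changes(pattern) == 0:
        traits.append("no direction changes")
    return traits
```

The enumeration reproduces the article's 1,624 and 389,112; an enterprise policy check could reject any enrolment for which `weak_traits` is non-empty.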

Worse, a significant number of patterns correspond to a letter in the alphabet, which often matched the first letter of the name of the pattern-creator or that person's spouse or child. This leads to a 1-in-10 chance of attackers guessing the pattern in no more than 100 guesses, according to Ars.

The odds get worse for the user if the attacker knows the target or the names of those close to the target.

"It was a really fun thing to see that people use the same type of strategy for remembering a pattern as a password," said Løge. "You see the same type of behavior."

Want to improve the security of your Android smartphone? Use more nodes, said Løge.

Incorporating cross-overs (passing over the same node twice) also makes it harder for shoulder surfers to work out the pattern. Android users can also turn off the "make pattern visible" option, which hides the lines drawn between nodes as the user connects them.

Enterprise IT should be requiring Android device users to have a higher number of nodes in their patterns. The safest bet, according to Løge's data, is eight nodes.

Eric is a freelance writer for InformationWeek specializing in mobile technologies.

8/31/2015 | 10:19:37 AM
Re: Android Lock Patterns Laughably Easy To Guess
From the first time I saw my friends using lock patterns to protect their phones, I wondered about them. Many studies have shown that 'safe' password rules like always using at least one capital letter and a number, or not using real words, are actually worthless. 'ilikecats' and 'AsD78edD5' are equally vulnerable to a brute force attack or a phisher, and they're up against that much more often than they're up against someone who knows you like cats. In that sense, all lock patterns are equally vulnerable to a brute-force attack... but is that really something they'll be up against? It still stops someone from grabbing your phone and looking at your stuff *without* stealing it. The deterrent effect counts for a lot.

8/27/2015 | 2:22:29 PM
I don't even bother with a lock pattern right now. But for those who do, I suppose it comes down to what you are protecting your phone from. If it's protecting it so your kids don't call Ottawa or Paris or order a whole slew of apps featuring Olaf, a four-node pattern is probably just fine. If you carry company data or do your banking from your phone, you might want a more secure passcode.

If you are part of a company you may want to make sure they have regulations and training to make sure employees understand how to make better passcodes to protect company data.