It’s been well established that people are really bad at creating and remembering secure passwords and PINs.
We’re also bad at choosing (and answering) password recovery questions.
New research shows that the patterns people create to lock and unlock Androids, much like the passwords people choose, aren’t very complex – and might be a little too easy to guess.
A lockscreen pattern allows you to lock/unlock your device by swiping your finger on the screen – you draw a pattern that touches at least four and up to nine “nodes.”
With four-to-nine nodes, there are 389,112 possible patterns you could draw – the more nodes you touch in your pattern, the more secure your lock, because a higher number of combinations means your pattern would be much harder for a snoop or thief to guess.
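The 389,112 figure can be reproduced by enumeration. The following is an added example, not code from the article or from Løge's research; it assumes the usual Android rules (a node is used at most once, and a stroke cannot jump over an unused node), which the article does not spell out, and numbers the nodes 0 to 8 row by row purely for illustration.

```python
from functools import lru_cache

# Nodes are numbered 0..8, row by row (a labelling chosen for this example).
# MIDDLE[(a, b)] is the node lying exactly halfway on the straight line a -> b.
MIDDLE = {}
for a in range(9):
    for b in range(9):
        (ra, ca), (rb, cb) = divmod(a, 3), divmod(b, 3)
        if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
            MIDDLE[(a, b)] = (ra + rb) // 2 * 3 + (ca + cb) // 2

@lru_cache(maxsize=None)
def extensions(current, visited, remaining):
    """Count ways to add `remaining` nodes to a pattern ending at `current`."""
    if remaining == 0:
        return 1
    total = 0
    for nxt in range(9):
        if visited & (1 << nxt):
            continue  # each node can be used only once
        mid = MIDDLE.get((current, nxt))
        if mid is not None and not visited & (1 << mid):
            # The swipe would pick up the unused node in between,
            # so current -> nxt directly is not a distinct pattern.
            continue
        total += extensions(nxt, visited | (1 << nxt), remaining - 1)
    return total

def patterns_of_length(n, starts=range(9)):
    """Number of valid n-node patterns beginning at any node in `starts`."""
    return sum(extensions(s, 1 << s, n - 1) for s in starts)

def keyspace(min_len=4, max_len=9):
    """Map each allowed pattern length to its number of valid patterns."""
    return {n: patterns_of_length(n) for n in range(min_len, max_len + 1)}

if __name__ == "__main__":
    sizes = keyspace()
    for n, count in sizes.items():
        print(f"{n} nodes: {count:>7,} patterns")
    print(f"total  : {sum(sizes.values()):>7,}")
    corners = patterns_of_length(4, starts=(0, 2, 6, 8))
    print(f"4-node patterns starting in a corner: {corners:,} of {sizes[4]:,}")
```

Passing a restricted `starts` tuple shows how much of the keyspace remains once a guesser assumes a particular starting node, such as a corner.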
Marte Løge, a recent graduate from the Norwegian University of Science and Technology, spent a year studying how people create lockscreen patterns, and her findings suggest that they aren’t a secure alternative to passcodes at all.
Løge presented her findings earlier this month at the Defcon and Passwords conferences, during a talk she titled “Tell Me Who You Are, and I Will Tell You Your Lock Pattern.”
She studied 3400 user-selected patterns and discovered that the most commonly selected patterns used only four nodes.
As Ars Technica reports, not only did most people choose the fewest nodes allowed, the patterns they created had some predictable consistencies:
- the average number of nodes was five, which gives fewer than 9000 possible combinations
- people tend to start at the upper left corner – and 77% of patterns start in one of the four corners
- patterns usually move left-to-right and top-to-bottom (even among left-handed people)
- people often created patterns in the shape of a letter from the alphabet (choosing letters such as their initials)
- rarely do the patterns backtrack (e.g., going from node 2 to 3 and back to 1)
Løge told Ars that the way we create and remember patterns is similar to how we create and remember passwords – and more complex patterns are hard to remember, just like complex passwords:
“It was a really fun thing to see that people use the same type of strategy for remembering a pattern as a password. You see the same type of behavior.”
It’s also worth pointing out that the oils on your fingers leave visible streaks on your device screen – if you don’t use a complex pattern with backtracks, a thief wouldn’t need to guess your pattern – it’s right there for anyone to see!
Does this mean we should abandon lockscreen patterns?
Well, using a pattern to lock your Android is more advisable than using no screen lock at all.
After all, you need to turn on screen locking using a PIN, password or pattern in order to encrypt your Android – and it’s a very good idea to do so.
If you decide to use a PIN or password, remember that longer is stronger.
For PINs, every extra digit in your PIN makes cracking your code 10 times harder!
Google says passwords are the most secure option (if your password isn’t easy to guess).
For passwords or PINs, use as many characters as you can – Android allows you up to 16 characters, so why not use them all?
3 comments on “Surprise! People choose predictable Android lockscreen patterns”
I saw the screen of someone’s phone. There was a smudge on the screen that was in the shape of their pattern.
“rarely do the patterns backtrack”
On all the devices I’ve used pattern lock on, it doesn’t allow backtrack. Once you’ve used a node, you can’t re-use it. That may’ve changed in Lolly, though; I haven’t tried it since I upgraded to my GS6.
That seems to be the case on Android, which sucks. You can, however, make the actual finger smudge go through the middle “node” each time. That way your smudge looks like an asterisk, but the order in which you hit the sides and corners is what makes the actual pattern.