Tell Me Who You Are, and I Will Tell You Your Lock Pattern

Posted by ISL Admin on Friday, August 28, 2015

You are predictable, your passwords are predictable, and so are your PINs. This simple fact is often exploited by hackers, as well as the agencies watching you. But what about your Android lock patterns? Can who you are reveal what patterns you create?

Pattern unlock is one of the screen-lock mechanisms in the Android system. It was introduced by Google in 2008. By connecting 4 to 9 dots in a 3 x 3 grid, the user sets up an unlock pattern that stands in for a password or PIN. Two rules shape the space: each dot can be used only once, and a straight stroke may not pass over a dot that has not yet been visited (it may jump over one that has). As an alternative to the traditional password/PIN, the visual pattern has gained popularity because of its potential advantages in memorability and ease of input. However, the limited pattern space and existing attacks such as shoulder surfing or smudge attacks make this mechanism weak in security.

A recent study by Marte Loge, carried out as part of her MSc thesis, presents results from a set of 3,400 users and the lock patterns they chose.
"Humans are predictable; we're seeing the same aspects used when creating pattern locks [as are used in] PIN codes and alphanumeric passwords."
Android lock patterns can contain a minimum of four nodes and a maximum of nine, giving 389,112 possible patterns in total. As with passwords, the number of possibilities grows rapidly with length, at least up to eight nodes.

Loge asked subjects to create three Android lock patterns (ALPs): one for an imaginary shopping app, a second for an imaginary banking app, and a third to unlock a smartphone. Sadly, the minimum four-node pattern was the most common choice among both male and female subjects, followed by five-node ALPs.

The minimal use of eight-node patterns, by both males and females, was a surprise. Both sexes were two to four times more likely to choose a nine-node pattern than an eight-node one, even though both lengths offer exactly the same number of possible patterns; Loge still can't explain why. Another unexpected finding was that left-handed users tended to pick the same starting points as their right-handed counterparts.
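The counts behind these statements can be checked directly. The Python below is an added example for this post (not code from Loge's thesis or from Android): it enumerates every pattern allowed under the stock Android rules stated above (4 to 9 distinct nodes, numbered 1 to 9 like a phone keypad; no stroke may skip an unvisited node) and tallies them by length, reproducing the 389,112 total and the equal eight- and nine-node counts.

```python
"""Enumerate every valid Android lock pattern on the 3 x 3 grid.

Added example for this post; it is not code from Loge's thesis or from
Android itself. Rules assumed (they match the stock Android lock screen):
  - nodes are numbered 1-9 like a phone keypad (1 2 3 / 4 5 6 / 7 8 9);
  - a pattern visits 4 to 9 distinct nodes;
  - a straight stroke may not pass over a node that has not been visited
    yet; if that middle node was already visited, the stroke jumps it.
"""
from collections import Counter

# node -> (row, col)
COORDS = {n: divmod(n - 1, 3) for n in range(1, 10)}


def node_between(a, b):
    """Node lying on the straight segment a -> b, or None.

    On a 3-wide grid a node sits strictly between a and b exactly when the
    row and column differences are both even (0 or +-2); knight-style moves
    such as 1 -> 6 have an odd difference and pass over nothing.
    """
    (ra, ca), (rb, cb) = COORDS[a], COORDS[b]
    if (rb - ra) % 2 or (cb - ca) % 2:
        return None
    return 3 * ((ra + rb) // 2) + (ca + cb) // 2 + 1


def is_valid(pattern):
    """True if pattern has 4-9 distinct nodes in 1..9 and no stroke skips
    an unvisited node."""
    pattern = tuple(pattern)
    if not 4 <= len(pattern) <= 9 or len(set(pattern)) != len(pattern):
        return False
    if not all(n in COORDS for n in pattern):
        return False
    visited = set()
    for a, b in zip(pattern, pattern[1:]):
        visited.add(a)
        mid = node_between(a, b)
        if mid is not None and mid not in visited:
            return False
    return True


def all_patterns():
    """Depth-first enumeration of every valid pattern as a tuple of nodes."""

    def extend(path, visited):
        if len(path) >= 4:
            yield tuple(path)
        if len(path) == 9:
            return
        for nxt in range(1, 10):
            if nxt in visited:
                continue
            mid = node_between(path[-1], nxt)
            if mid is not None and mid not in visited:
                continue  # would skip an unvisited node
            path.append(nxt)
            visited.add(nxt)
            yield from extend(path, visited)
            path.pop()
            visited.remove(nxt)

    for start in range(1, 10):
        yield from extend([start], {start})


def count_by_length():
    """Number of valid patterns for each length 4..9, as a Counter."""
    return Counter(len(p) for p in all_patterns())


if __name__ == "__main__":
    counts = count_by_length()
    for length in range(4, 10):
        print(f"{length} nodes: {counts[length]:7d} patterns")
    print(f"total:   {sum(counts.values()):7d}")
```

Running it gives 1,624 four-node, 7,152 five-node, 26,016 six-node, 72,912 seven-node, and 140,704 each of eight- and nine-node patterns. The equality of the last two is not an accident: once eight nodes are visited, every node lying between the current node and the last unused node has already been visited, so any eight-node pattern extends to exactly one nine-node pattern, and every nine-node pattern is such an extension. Note also how small the space is next to a four-digit PIN's 10,000 values: a four-node pattern offers only 1,624 choices.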

Males were much more likely than females to choose long and complex patterns, with young males scoring the highest. [Slide: breakdown of men's versus women's pattern choices; the image is not reproduced here.]

Loge said the number of nodes isn't the only thing that determines how susceptible an ALP is to guessing attacks. The specific sequence of nodes is also key in how complex a pattern is. Assigning the nine nodes the same digits found on a standard phone interface, the combination 1, 2, 3, 6 will receive a lower complexity score than the combination 2, 1, 3, 6, since the latter pattern changes direction.

A team of researchers formalized this scoring system in a 2014 paper titled Dissecting pattern unlock: The effect of pattern strength meter on pattern selection. They analyzed the characteristics of all valid patterns and proposed a way to quantitatively evaluate their strengths. They also designed two types of pattern strength meters as visual indicators of pattern strength.
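To make the scoring idea concrete, the Python below is an added example for this post: it computes the factors the text names (node count, drawn distance, direction changes, and crossovers) for a pattern and combines them into a score. The combining formula is illustrative only; it is not the strength meter defined by Sun et al. (2014) or the one used in Loge's thesis, and the patterns are assumed to already be valid under Android's rules.

```python
"""Score a lock pattern by the factors the text names: node count, drawn
distance, direction changes and crossovers.

Added example for this post. The combining formula in strength() is
illustrative and is NOT the strength meter of Sun et al. (2014) or of
Loge's thesis; it only shows how such a meter separates 1-2-3-6 from
2-1-3-6 and rewards crossovers. Patterns are assumed valid and use the
phone-keypad numbering 1-9 on a 3 x 3 grid.
"""
from math import gcd, hypot, log2

COORDS = {n: divmod(n - 1, 3) for n in range(1, 10)}  # node -> (row, col)


def segments(pattern):
    """Consecutive strokes as ((row, col), (row, col)) pairs."""
    pts = [COORDS[n] for n in pattern]
    return list(zip(pts, pts[1:]))


def physical_length(pattern):
    """Total Euclidean distance drawn, in grid units."""
    return sum(hypot(rb - ra, cb - ca)
               for (ra, ca), (rb, cb) in segments(pattern))


def direction_changes(pattern):
    """Number of strokes whose direction differs from the previous stroke.

    Direction vectors are reduced by their gcd, so 1 -> 3 (over a visited
    2) and 1 -> 2 count as the same direction.
    """
    dirs = []
    for (ra, ca), (rb, cb) in segments(pattern):
        dr, dc = rb - ra, cb - ca
        g = gcd(abs(dr), abs(dc))
        dirs.append((dr // g, dc // g))
    return sum(1 for d1, d2 in zip(dirs, dirs[1:]) if d1 != d2)


def _orient(p, q, r):
    """Cross product (q - p) x (r - p): >0 left turn, <0 right, 0 collinear."""
    return (q[0] - p[0]) * (r[1] - p[1]) - (q[1] - p[1]) * (r[0] - p[0])


def crossovers(pattern):
    """Count proper X-shaped crossings between non-adjacent strokes.

    Adjacent strokes share an endpoint and are skipped. Strokes that only
    touch at a node or overlap collinearly (as 2 -> 1 and 1 -> 3 do) are
    not counted.
    """
    segs = segments(pattern)
    count = 0
    for i in range(len(segs)):
        for j in range(i + 2, len(segs)):
            (p1, p2), (q1, q2) = segs[i], segs[j]
            if (_orient(p1, p2, q1) * _orient(p1, p2, q2) < 0
                    and _orient(q1, q2, p1) * _orient(q1, q2, p2) < 0):
                count += 1
    return count


def strength(pattern):
    """Illustrative score: node count times log2 of the summed geometry
    features, so more nodes, longer strokes, turns and crossings all
    raise it. (Assumed formula, not the published one.)"""
    features = (1 + physical_length(pattern) + direction_changes(pattern)
                + crossovers(pattern))
    return len(pattern) * log2(features)


if __name__ == "__main__":
    # Constructed sample patterns: the two from the text, an "L", and one
    # with a crossover (1 -> 8 crosses 3 -> 4).
    for p in [(1, 2, 3, 6), (2, 1, 3, 6), (1, 4, 7, 8, 9), (1, 8, 3, 4)]:
        print("-".join(map(str, p)), f"len={physical_length(p):.2f}",
              f"turns={direction_changes(p)}", f"cross={crossovers(p)}",
              f"score={strength(p):.2f}")
```

With this scorer 1-2-3-6 has drawn length 3 and one turn, while 2-1-3-6 has length 4 and two turns, so the second scores higher, matching the ordering the text describes. The crossover counter is what a meter needs to reward the "crossovers" advice that follows: 1-8-3-4 is only four nodes long but contains a true crossing, which a shoulder surfer has to disentangle.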

Data breaches over the years have repeatedly shown that some of the most common passwords are "1234567", "password", and "letmein". Loge said many ALPs suffer a similar form of weakness. More than 10% of the ones she collected were fashioned after an alphabetic letter, which often corresponded to the first initial of the subject or of a spouse, child, or other person close to the subject. The discovery is significant because it means an attacker may have a one-in-ten chance of guessing an ALP with no more than about 100 guesses. The number of guesses could be reduced further if the attacker knows the names of the target or of people close to the target. Android does slow down guessing at the lock screen itself (it imposes a 30-second pause after five failed attempts), so the practical danger is an attacker who can rank candidates well enough to succeed in the first handful of tries.

Loge had several suggestions for ways to make lock patterns more secure. The first, naturally, is to choose one with more nodes and a higher complexity score. Another is to incorporate crossovers, since they make it harder for an attacker looking over the target's shoulder to trace the precise sequence. Better yet, she suggested people open the Security category in their Android settings and turn off the "make pattern visible" option. This prevents the drawing of lines connecting each pattern node, making shoulder surfing even more difficult.

Full disk encryption won't save you if your lock pattern is L - as in "loser"