How Predictable is Your Android Lock Pattern?

In this modern age of smartphones, mobile banking, security apps, PayPal, Electronic Wallets, websites and even Starbucks, we are inundated with passwords. In the old days, before wireless mobile really got its start, a password was easy to pick – 1-2-3-4-5 or 5-4-3-2-1 and you were done. When you create a password today, it must contain a Capital letter, a symbol and a number – it has almost gotten to the point that they look like a swear word…#5S7abt$! Now we have lock patterns for getting into our Android devices, called Android Lock Patterns, or ALPs, for short that take the place of our passwords.

Introduced by Google in 2008 when it launched its Android Operating System. There are no set guidelines for APLs, which begs the question, exactly how safe are the lock patterns we are using? Are we as lazy with picking our APLs as we are with our passwords? Marte Løge, a 2015 graduate of the Norwegian University of Science and Technology, decide to take a look at APLs and analyzed almost 4,000 patterns as part of her Master's Thesis and she discovered some interesting 'patterns' or tendencies that humans follow.

The most common passwords are “1234567,” “password” and “letmein.” Løge claims that APLs suffer from the same problem – predictability. The patterns listed above are the most common APLs that people use, and that coupled with known tendencies make it easy for a hacker to figure out your lock pattern. More than 10-percent fashion their APL as an alphabetic letter, and to make matters worse it is generally one of their initials or one of their children's. Her study shows that 44-percent started in the top left-most node on the screen, and what is really odd is being right or left handed did not make a difference. 77-percent of the APLs start in one of the four corners and the average number of nodes was only 5 and a significant number only used four – which means a pool of only 1,624 combinations. Most patterns move from left to right and top to bottom, making guessing that much easier. Løge told our source last week at the PasswordsCon conference in Las Vegas, where she presented a talk titled Tell Me Who You Are, and I Will Tell You Your Lock Pattern. “Humans are predictable. We're seeing the same aspects used when creating a pattern locks [as are used in] pin codes and alphanumeric passwords.”

An ALP can have as few as four nodes and as many as nine nodes and the chart below will show you the number of combinations you can derive from the number of nodes you select. Part of the study had the participants make up three different ALPs – one for a shopping app, a banking app and one to unlock a smartphone. Men were more likely to choose a long and complex pattern with young males topping the list…see the charts below. Løge's advice is to keep you ALP complex – by not only using more nodes but keep the pattern or sequence unusual…see the chart below. Make sure that you incorporate a crossover pattern as it makes it more difficult for even an observer to figure out which way you went. For real security, turn off the “make pattern visible” option so nobody can see what you are doing.