New research shows that the tic-tac-toe-style patterns people devise to unlock their phones often follow dismally predictable rules, and are just as bad as your passwords.
Android Lock Patterns (ALPs) can contain a minimum of four nodes and a maximum of nine, for a total of nearly 400,000 possible combinations. That’s a lot of potential passwords! But when Marte Loge of the Norwegian University of Science and Technology analyzed over 4,000 ALPs for her master’s thesis, what she found was a pretty sorry state of affairs.
A full 44% of ALPs started in the top left-most node of the screen, while 77% started in one of the four corners. Very often, patterns moved from left to right and top to bottom. And a large percentage of the patterns had only four nodes, dramatically shrinking the pool of available combinations.
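To set these figures against the full keyspace, the added example below (not from the thesis or this article) enumerates every valid pattern on the 3x3 grid and reports what share a uniformly random choice would give to a top-left start, a corner start, and four-node patterns. It assumes Android's standard rule that a stroke may pass over a node only if that node is already part of the pattern, which the article does not spell out; all function names are illustrative.

```python
from functools import lru_cache

def midpoint(a, b):
    """Node lying exactly between nodes a and b (0..8, row-major), or None."""
    ra, ca, rb, cb = a // 3, a % 3, b // 3, b % 3
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return (ra + rb) // 2 * 3 + (ca + cb) // 2
    return None

@lru_cache(maxsize=None)
def completions(last, visited, remaining):
    """Count ways to extend a pattern ending at `last` by `remaining` nodes.
    `visited` is a 9-bit mask of nodes already used."""
    if remaining == 0:
        return 1
    total = 0
    for nxt in range(9):
        if (visited >> nxt) & 1:
            continue  # a node can be used only once
        mid = midpoint(last, nxt)
        if mid is not None and not (visited >> mid) & 1:
            continue  # assumed rule: cannot jump over an unused node
        total += completions(nxt, visited | (1 << nxt), remaining - 1)
    return total

def count_patterns(length, start=None):
    """Number of valid patterns of `length` nodes, optionally from one start."""
    starts = range(9) if start is None else [start]
    return sum(completions(s, 1 << s, length - 1) for s in starts)

def keyspace_summary(min_len=4, max_len=9):
    """Keyspace size and the shares a uniformly random user would produce."""
    by_len = {n: count_patterns(n) for n in range(min_len, max_len + 1)}
    total = sum(by_len.values())
    by_start = [sum(count_patterns(n, s) for n in by_len) for s in range(9)]
    return {
        "by_length": by_len,
        "total": total,
        "top_left_share": by_start[0] / total,
        "corner_share": sum(by_start[s] for s in (0, 2, 6, 8)) / total,
        "four_node_share": by_len[min_len] / total,
    }

if __name__ == "__main__":
    s = keyspace_summary()
    print("patterns by length:", s["by_length"], "total:", s["total"])
    print(f"uniform top-left share: {s['top_left_share']:.1%} (observed: 44%)")
    print(f"uniform corner share:   {s['corner_share']:.1%} (observed: 77%)")
    print(f"four-node share of keyspace: {s['four_node_share']:.2%}")
```

The enumeration gives 389,112 patterns in total, of which only 1,624 use four nodes.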
People tended to stay away from patterns that involved changes in direction, even though such patterns tend to be less susceptible to guessing attacks. The two patterns on the right of the image below, for instance, produce a higher “complexity score” than the patterns on the left:
Time and again, data breaches show us that people love to use ridiculously bad passwords, à la “1234567” and “letmein.” But switching to ALPs doesn’t seem to make our bad habits go away. A full 10% of the passwords in Loge’s study resembled a letter of the alphabet, often one that corresponded to the initial of a spouse or child.
What can you do to make your phone less crackable? Simple. Stop drawing letters. Turn off the “make pattern visible” option in your Android settings. Use crossovers. Use more than four nodes – they’re giving you nine.