Android in user-chosen lockscreen patterns are grimly predictable SHOCKER

People choose predictable Android lock screen patterns just like they pick predictable passwords.

Research by Marte Løge, a recent graduate from the Norwegian University of Science and Technology, confirmed that the problems people have in setting up secure passwords and PINs are replicated in the field of Android lockscreen patterns.

People gravitate towards simple patterns that are easy to guess.

Unlocking patterns prompt users to draw an array which touches between four and nine "nodes". This creates up to 389,112 potential patterns.

But Løge's study of 3,400 user-selected patterns revealed that the most commonly selected patterns used only four nodes. The average was five nodes, greatly reducing the number of possible combinations.

Users tended to start at the upper left corner, while more than three in four (77 per cent) patterns started in one of the four corners. Patterns also tended to run either left to right or up and down. Few users doubled back on themselves.

Worst of all, people often chose patterns that matched their initials.

Løge told Ars that equivalent flaws in password selection are being replicated in choosing guessable unlock patterns. "People use the same type of strategy for remembering a pattern as a password," she said. "You see the same type of behaviour."

All these issues arise even before we consider the possibility of physical clues. Writing on the Sophos Naked Security blog, John Zorabedian noted: "Oils in your fingers leave visible streaks on your device screen. If you don't use a complex pattern with backtracks, a thief wouldn't need to guess your pattern – it's right there for anyone to see."

Løge presented her findings at both the DEF CON and BSides conferences in Las Vegas earlier this month, during a talk entitled Tell Me Who You Are, and I Will Tell You Your Lock Pattern.

"You are predictable, your passwords are predictable and so are your PINs," Løge explained. "This simple fact is often exploited by hackers, as well as the agencies watching you."

"Full Disk Encryption won't save you if your lock pattern is L – as in 'loser'," she concluded.

Other researchers have uncovered pattern password security problems affecting Microsoft's mobile technology, but the whole area is under-researched compared with the volumes of studies looking at conventional password slackness. ®

Bootnote

In fairness, it ought to be pointed out that users' predictable lockscreen practices can't be blamed on a lack of advice on the subject from Google. For example, some pointers on choosing harder-to-guess screen lock patterns can be found on a Google Nexus support page here.