Ars Technica reports that Marte Løge, a 2015 graduate of the Norwegian University of Science and Technology, analysed the usage of lock screen patterns on Android devices as part of her master’s degree. Lock screen patterns were introduced in 2008 and quickly became a popular alternative to PIN codes or passwords.
Android provides nine “nodes” for users to connect as they choose. If all nine are connected then there are 140,704 possible combinations, giving a high degree of security.
However, Løge found that most people only actually use five nodes, giving a maximum of 7,152 combinations – just 5% of the possible total if everybody used all nine. A “significant” proportion of patterns studied used just four nodes, where only 1,624 combinations are possible. This makes the patterns much more predictable.
Løge also discovered that 77 percent of all used patterns began at one of the corners of the display. 44 percent began at the top-left. This predictability means that patterns, previously thought to be a relatively protective security method, could one day face the same over-use issues as passwords like “123abc”, “1234567” and “p@$$w0rd”.
Males are apparently much more likely to choose long, complex patterns than females. Males are more likely to complicate and add more nodes whereas hardly any females used cross-overs or direction changes when creating a lock screen pattern.
More than 10% of studied patterns were based around a letter of the alphabet. Like with passwords, the letter often related to a loved one or other personally significant item.
For reasons that still cannot be explained, Løge found that both males and females stay away from eight-node patterns where possible. Both sexes were “two to four times” more likely to use nine nodes than eight, although the former does not actually offer more combinations.
Løge said of her study: “Humans are predictable. We’re seeing the same aspects used when creating a pattern locks [as are used in] pin codes and alphanumeric passwords. It was a really fun thing to see that people use the same type of strategy for remembering a pattern as a password. You see the same type of behavior.”
To increase security, people should try to use as many nodes as possible when creating a new lock screen pattern. Cross-overs and direction changes should be used, preferably multiple times, to make it more unique and lower of the risk of a person looking over a shoulder seeing the entire thing.
