Pattern Locks Are Not Secure!

If you have a pattern password on your Android, it is strongly suggested you change it to an alphanumeric password because patterns are incredibly insecure.

There is a good likelihood that many of those reading this article, especially those not familiar with cybersecurity and just starting out, have used patterns to unlock a device at one point or another. In fact, even among engineers and developers, many use patterns, unaware of the consequences of their use.

Patterns are nothing but bad news…

Let us look at some statistics about pattern recognition and why the statistics tell us that pattern locks are not secure.

A 2017 study by security researchers at the US Naval Academy and the University of Maryland Baltimore County found that casual, nearby observers can visually pick up a pattern and that two of every three can replicate it after a single viewing; and this is from five or six feet away.

Why? Well, because it turns out that patterns are very memorable, maybe too memorable. The very strength of visual patterns is also their weakness.

The study recruited 1,173 subjects to watch online a number of carefully controlled videos of devices being unlocked and asked the subjects to try guessing PINs and unlock patterns. The videos presented to the subjects were shot, sometimes from as many as five different angles and/or distances, in a way that averaged out those variables.

Specifically, the study found that 64% of the online test subjects were able to reproduce a six-point pattern after only one viewing (some video, some in person). Even more eye-opening is that 80% were successful after two viewings. So next time you unlock your device around other individuals or in public places where there are cameras and prying eyes, think twice. Just unlocking your phone twice in such an environment would give four out of five people near you the ability to unlock your device in fewer tries than your phone would lock them out.

An interesting point, however, is that the study reported only 11% of subjects successfully guessing a six-digit numeric PIN after a single viewing of a video, and only 27% after two viewings.

The good news, however, is that if you are REALLY attached to your pattern and cannot get yourself to give it up, you can take some solace in this: turn off the “feedback” lines that trace your finger's path. The study reported that with “feedback” off, only 35% of the online subjects could identify the patterns in the videos.

To remove the “feedback” lines:

Settings > Lock Screen and Security > Secure lock settings, and turn off the Make pattern visible option.

* Please note that, depending on the version of Android and the skin (such as Samsung's) or manufacturer, slightly different steps may be required.


Pictured above are what 10% of people use for their pattern. It turns out that one in ten pattern users like to use patterns that mimic letters.

Most people, about 45% of them, start their patterns from the top-left corner, and about 77% of all users start from one of the four corners.

What is even worse, however, is that most users only use five or fewer nodes, with a significant number of them using just four. This is a problem because the number of permutations of a four-node pattern is significantly smaller than that of a five-node pattern.
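To put numbers on the four-node versus five-node comparison, the following added example (not part of the original article) counts the valid patterns of each length on the 3x3 Android grid and prints them beside the size of a six-digit PIN space. It assumes the standard Android rules, which the article does not spell out: patterns use four to nine nodes, each node is used at most once, and a stroke may pass over a node only if that node is already in the pattern.

```python
# Added example: count valid Android unlock patterns on the standard 3x3 grid.
# Assumed rules (not stated in the article): nodes are numbered 0-8 row by row,
# each node is used at most once, and a stroke may pass over a node only if
# that node is already part of the pattern.
from functools import lru_cache

# (a, b) -> the node lying exactly halfway between a and b, if there is one
MIDPOINT = {}
for a in range(9):
    for b in range(9):
        ra, ca, rb, cb = a // 3, a % 3, b // 3, b % 3
        if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
            MIDPOINT[(a, b)] = ((ra + rb) // 2) * 3 + (ca + cb) // 2


@lru_cache(maxsize=None)
def count_from(last, visited, remaining):
    """Ways to extend a pattern ending at `last` by `remaining` more nodes."""
    if remaining == 0:
        return 1
    total = 0
    for nxt in range(9):
        if visited & (1 << nxt):
            continue  # node already used
        mid = MIDPOINT.get((last, nxt))
        if mid is not None and not visited & (1 << mid):
            continue  # stroke would jump over an unused node
        total += count_from(nxt, visited | (1 << nxt), remaining - 1)
    return total


def patterns_of_length(n, starts=range(9)):
    """Number of valid n-node patterns beginning at any node in `starts`."""
    return sum(count_from(s, 1 << s, n - 1) for s in starts)


def keyspace_table():
    """Valid pattern count for every length Android accepts (4 to 9 nodes)."""
    return {n: patterns_of_length(n) for n in range(4, 10)}


if __name__ == "__main__":
    for n, count in keyspace_table().items():
        print(f"{n} nodes: {count:>7,} patterns")
    print(f"6-digit PIN: {10**6:,} codes")
```

A four-node pattern has 1,624 possibilities and a five-node pattern 7,152; all lengths together give 389,112, which is still fewer than the 1,000,000 codes of a six-digit PIN.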

So what should you do?

Well, for starters, if you have made it this far and have not opted to simply disable the “feedback” feature and move on in your life, you should opt to use a secure alphanumeric password, which we discuss in another blog: Set a Complex iPhone Password.

If you use biometrics, then you can rest a bit easier since biometrics, while they can still be spoofed, require much more work and are typically not what hackers confront first. However, considering that most devices fall back on PIN/pattern security when biometrics fail, it might be a good idea to make sure your “feedback” feature is off and that your pattern has at least six nodes and your PIN is at least six digits.
