Skip to main content

Not so secure after all — Android Lock Patterns are just as easy to crack as passwords

Jessica Lee Star/Digital Trends
They might seem trickier, what with their dots and lines and patterns, but as it turns out, the lock codes familiar to Android users are just as easy to crack as the alphanumeric ones used by iPhone devotees. One Master’s degree candidate at the Norwegian University of Science and Technology named Marte Løge analyzed no fewer than 4,000 Android lock patterns (or ALPs), and discovered that a whopping 77 percent begin in one of the four corners, and more surprisingly still, nearly half, at 44 percent, started at the top left. So much for creativity, eh?

Just as many traditional passwords begin with “123” or are simply the word “password,” ALPs also tend to follow rather predictable trends. And although the relative newness of ALPs (they were only introduced in 2008) has made them a bit less vulnerable to widespread attack, Løge’s work serves as a sobering reminder of how vulnerable passwords, even the newfangled sort, really are.

Upon presenting her research at PasswordsCon conference in Las Vegas, the graduate student noted, “Humans are predictable. We’re seeing the same aspects used when creating a pattern for locks [as are used in] pin codes and alphanumeric passwords.”

Interestingly enough, Løge found that men and women exhibited different tendencies in terms of password strength and complexity. While both sexes most often created ALPs that utilized just four nodes (there are a total of nine possible on Android devices), men and particularly young men were more likely to choose long and more complicated patterns. Of course, the same pitfall that faces complicated alphanumeric are present in ALPs — the more complicated the password, the more difficult it is to remember.

As such, Løge found that many people seemed to assign numbers to the node, as though it were a phone pad. Or, their patterns closely resembled letters — in fact, 10 percent of the patterns analyzed reflected some part of the alphabet. Speaking to Ars Technica, Løge said, “It was a really fun thing to see that people use the same type of strategy for remembering a pattern as a password. You see the same type of behavior.”

So what’s the solution? Løge suggests using patterns that contain a lot of crossover, making them difficult to copy or decipher. You can also turn off the “make pattern visible” setting within the Android, so wandering eyes will have an even harder time seeing what pattern you’ve chosen. But whatever you do, just be wary. Ultimately, ALPs are barely, if at all, more secure than other sorts of passcodes.

Editors' Recommendations

Lulu Chang
Former Digital Trends Contributor
Fascinated by the effects of technology on human interaction, Lulu believes that if her parents can use your new app…
Android's answer to 3D Touch may not debut with Android N after all
androids answer to 3d touch may have been delayed iphone 6s plums

One of the neatest features of the iPhone 6S and 6S Plus is 3D Touch. Apple's "taptic" engine -- a combination of over 90 pressure sensors and haptic motors that work in lockstep to mimic the feeling of physical feedback -- enables all sorts of unique interactions with apps and icons. You can "feel" keys on a virtual piano give way as you increasingly apply force, for instance, or "peek" and "pop" into profile previews within Instagram. It's only logical, then, that Google's working on a comparable technology of its own, but it's apparently not going to happen overnight. Tech blog Re/code reports that the Mountain View company's indefinitely delaying support for a 3D Touch-like framework for Android.

The decision appears to be a last-minute one. As early as last month, a development document for the Android N Developer Preview 2, Google's bleeding-edge edition of Android, contained references to gesture-based shortcuts similar to those supported by 3D Touch. It referred to "dynamic" shortcuts that, much like the Mail, Maps, and Music icons on iPhones with 3D Touch support, would respond to interactions beyond simple taps and drags:

Read more
CNBC just made a huge mistake with its password security tool

Supposedly, those who can't do, teach, but when it comes to password protection, CNBC apparently can't do either. In a massive security failure, a CNBC columnist attempted to drive a point home regarding password strength, but instead shared participants' passwords with third-party marketers. So if you entered your password into CNBC's supposedly protected tool, you may want to consider changing your codes.

It all started with a well-intentioned CNBC article in The Big Crunch, which included an interactive tool that would test the security of readers' passwords. Once you entered your chosen string, the site determined how common your password was, how long and varied the characters involved were, and ultimately, how secure it was. The problem, however, was that no matter how secure your password may have been before you submitted it, CNBC then proceeded to share it (unbeknownst even to the company, it would seem).

Read more
Need a secure password? Use patterns and icons
have i been pwned owner uncovers 13 million plaintext passwords leaked from free webhost is a safe password even possible we

In the never-ending battle for digital security, finding and remembering a good password seems to be the bane of our collective existences. After all, the most secure password is one that we can't remember, and the most memorable ones are easily hacked. So what's to be done? According to researchers at Plymouth University, we just need to start using patterns and images instead of letters and numbers. In a system known as GOTPass, users employ "images and a one-time numerical code" in order to secure important information. And if scientists are to be believed, this is a much safer alternative to currently available methods.

"Traditional passwords are undoubtedly very usable but regardless of how safe people might feel their information is, the password's vulnerability is well known," said study lead and PhD student Hussain Alsaiari. "There are alternative systems out there, but they are either very costly or have deployment constraints which mean they can be difficult to integrate with existing systems while maintaining user consensus."

Read more