Not so secure after all — Android Lock Patterns are just as easy to crack as passwords

They might seem trickier, what with their dots and lines and patterns, but as it turns out, the lock codes familiar to Android users are just as easy to crack as the alphanumeric ones used by iPhone devotees. One Master’s degree candidate at the Norwegian University of Science and Technology named Marte Løge analyzed no fewer than 4,000 Android lock patterns (or ALPs), and discovered that a whopping 77 percent begin in one of the four corners, and more surprisingly still, nearly half, at 44 percent, started at the top left. So much for creativity, eh?

Just as many traditional passwords begin with “123” or are simply the word “password,” ALPs also tend to follow rather predictable trends. And although the relative newness of ALPs (they were only introduced in 2008) has made them a bit less vulnerable to widespread attack, Løge’s work serves as a sobering reminder of how vulnerable passwords, even the newfangled sort, really are.

Upon presenting her research at PasswordsCon conference in Las Vegas, the graduate student noted, “Humans are predictable. We’re seeing the same aspects used when creating a pattern for locks [as are used in] pin codes and alphanumeric passwords.”

Interestingly enough, Løge found that men and women exhibited different tendencies in terms of password strength and complexity. While both sexes most often created ALPs that utilized just four nodes (there are a total of nine possible on Android devices), men and particularly young men were more likely to choose long and more complicated patterns. Of course, the same pitfall that faces complicated alphanumeric are present in ALPs — the more complicated the password, the more difficult it is to remember.

As such, Løge found that many people seemed to assign numbers to the node, as though it were a phone pad. Or, their patterns closely resembled letters — in fact, 10 percent of the patterns analyzed reflected some part of the alphabet. Speaking to Ars Technica, Løge said, “It was a really fun thing to see that people use the same type of strategy for remembering a pattern as a password. You see the same type of behavior.”

So what’s the solution? Løge suggests using patterns that contain a lot of crossover, making them difficult to copy or decipher. You can also turn off the “make pattern visible” setting within the Android, so wandering eyes will have an even harder time seeing what pattern you’ve chosen. But whatever you do, just be wary. Ultimately, ALPs are barely, if at all, more secure than other sorts of passcodes.