Android in user-chosen lockscreen patterns are grimly predictable SHOCKER

People choose predictable Android lock screen patterns just like they pick predictable passwords. Research by Marte Løge, a recent graduate from the Norwegian University of Science and Technology, confirmed that the problems people have in setting up secure passwords and PINs are replicated in the field of Android lockscreen …

  1. Anonymous Coward
    Unhappy

    It has to be said....

    ...the slide to join the dots method seems to be far more insecure. A quick look at my phones reinforces this.

    One is slidey pattern, one is number pad.

    On the slidey pattern one, I can clearly see my unlock pattern. I wipe it at least once a day, but it still makes no difference.

    On the number pad one, I can see the numbers, but not what order and how many times. As it's an 8-digit code, it is much harder to guess, but still within the realms of possibility as you can rule out certain numbers that are clearly not used.

    1. DropBear

      Re: It has to be said....

      And that's exactly why I abandoned the "join the dots" lock after about five minutes - it was obviously leaving visible smear marks. The thing is, I kept the exact same pattern (admittedly fairly simple - yes, it's a letter although 'drawn' non-contiguously), only now I enter it on the number pad, and considering it uses 8 digits out of the 10 I still think it's not all that easy to find. I concede it's breakable in less time than it would take brute-forcing an 8-digit number - on the other hand, the phone starts slowing you down after a few failed attempts, so if you manage to break it I probably have bigger problems than that. The only downside is I have absolutely no clue what my lock expressed digit-by-digit is...

    2. MikeS

      Re: It has to be said....

      Just wondered, are you comparing an 8-digit number to an 8-point 'slidey' pattern, or to a simpler pattern? BTW, using an 8-digit passcode, wow, unless it's 12345678 of course :-)

      I just checked my 'slidey' pattern, pleased to find it's 7 points, doubles back & doesn't start at a corner, phew! I can 'draw' it much quicker than I can enter 7 random digits.

      To be fair, both systems have their weaknesses, but that's mostly with the users rather than the technology.

    3. Anonymous Coward

      Re: It has to be said....

      I use the "password" option with the "Hacker's Keyboard" on-screen keyboard, so the keys are reasonably close together.

      You've got 8 characters to guess from the smear marks, some of which will be close to other smear marks.

      Yes, secure sometimes means slow, and it can be a hassle if I'm trying to unlock the screen whilst standing in the rain.

  2. John Robson Silver badge

    PIN generation

    I use my RSA token.

    I have between 10 and 15 PINs which have been generated this way, and yes, I can remember them. Takes a little while to start with, but we can recall short numbers with a fair degree of success. Then again, I remember phone numbers as well...

    1. Anonymous Coward

      Re: PIN generation

      https://www.reddit.com/r/iamverysmart/

    2. BasicChimpTheory

      Re: PIN generation

      I just entered my RSA token into an online password strength checker. The result was "It would take a desktop PC about 0.00025 seconds to crack your password". I realise that you're talking about a phone pin but that's a solved problem now. The pretty much only thing preventing the cracking time being achieved is the physical input.

      1. John Robson Silver badge

        Re: PIN generation

        Hardly a surprise there...

        The limitations are in terms of allowed attempts etc.

        And how exactly do I use upper and lower case letters on my debit card pin?

      2. Annihilator
        Thumb Up

        Re: PIN generation

        I just entered my RSA token into an online password strength checker. The result was "It would take a desktop PC about 0.00025 seconds to crack your password".

        And can a desktop PC type all those pins into a phone in 0.00025 seconds?

        You can do the old "lock/wipe phone after x tries". On a bank card, it's 3 attempts. On an iPhone for example, you can do 10. But assuming a 4-digit pin, and assuming you can see the grease marks of which keys are involved, there are only 24 permutations if you know the 4 digits used, so with 10 attempts, you've got an almost 50% chance of unlocking the phone.

        The really strange quirk, it's harder to guess if you have a repeated pin number (1123) as the grease marks only show 3 keys, but not which is repeated - there are 36 permutations if you only know the pin contains the numbers {1, 2, 3} (12 permutations if 1 is repeated, 12 if 2 is repeated and 12 if 3 is repeated). If there are only 2 digits used, there are 14 permutations, as you don't know if both digits are doubled, or if one is tripled.

        It's not intuitive to think, but for 4-6 digit passcode, use 1 fewer digits. For 7+, use 2 fewer.

        1. Jediben

          Re: PIN generation

          Thank god you are allowed to leave grease marks on your phone whenever and wherever you want and not just when unlocking it then!

      3. Michael Wojcik Silver badge

        Re: PIN generation

        I just entered my RSA token into an online password strength checker. The result was "It would take a desktop PC about 0.00025 seconds to crack your password". I realise that you're talking about a phone pin but that's a solved problem now. The pretty much only thing preventing the cracking time being achieved is the physical input.

        Congratulations on successfully comparing apples to oranges.

        Actually, "oranges" is too generous. Let's call it apples to giraffes.

        Simplistic password strength checkers are only marginally useful, since they rarely say what threat model they're addressing - online or offline attack? does the attacker know the hash algorithm? are hashes salted? if not, does the attacker have precomputed rainbow tables? And so on.

        But in any case, it's obvious from the response that it's testing something completely unrelated to any sensible model that applies here. If you're in a position to brute-force a phone PIN with negligible delay between attempts, then it's pointless to talk about "strength". If you're not in such a position, then there's no hash to find a preimage collision against, and again it's pointless to talk about "strength".

        Any way you look at it, it's a meaningless result.

  3. GregC

    Depressingly unsurprising

    Everyone I know that uses pattern unlock does the same thing - first initial. The fact that they have no problem not only doing this, but letting everyone in earshot know it, is even worse.

    I've come to the conclusion that most people simply don't care and/or understand about their own security and privacy.

    1. werdsmith Silver badge

      Re: Depressingly unsurprising

      I do.

      But I don't keep anything on my phone worth anything to anyone.

      Like carrying an empty wallet.

  4. Mephistro

    I use both...

    ... the numerical code and the sliding pattern (a complex one). The main advantage of using both methods is that the sliding pattern covers/obscures most marks potentially left when entering the numerical code. This protects my phone against the thermal camera method recently described in another El Reg article, and from analysing scratch marks on the screen.

    The downside? It takes longer, and friends and family scoff at me for taking so long to unlock my phone, and also for always doing it while no one except me is able to watch the screen. Another case of peer pressure working against security.

    I also change the pattern and code every two months or so, which is a PITA.

    Anyway, after going through all this, I don't feel my phone is 'safe'. I try to keep personal/sensitive data out of my phone as much as I can, switch on geolocation only when I need it, and so on.

    What? Paranoid, me? :O)

    1. scrubber
      Big Brother

      Re: I use both...

      "What? Paranoid, me? :O)"

      You may think paranoia is funny, but such security measures are actually a red flag to the authorities and consequently you are being more intensely spied upon than the mopes who leave their phones/accounts with simple to hack passwords.

      Apropos of nothing, I recall an FBI advert about actions that were suspicious and might be used by terrorists - one of them was paying for things using cash.

  5. John Sanders
    Devil

    Rain is wet...

    Roses are red.

    Passwords are weak.

    Slow summer day.

  6. Yugguy

    Give us more dots

    Then we can draw a cock and balls.

    Although that would make it more insecure as it would be EVERY bloke's pattern.

  7. This post has been deleted by its author

  8. Just Enough

    I'm guessing this is a joke. Right?

    "In fairness, it ought to be pointed out that users' predictable lockscreen practices can't be blamed on a lack of advice on the subject from Google. For example, some pointers on choosing harder-to-guess screen lock patterns can be found on a Google Nexus support page here."

    And Google's entire advice regarding patterns there?

    "Pattern lets you draw a simple pattern with your finger to unlock the device." (Bold emphasis mine.)

    1. Robert Helpmann??
      Childcatcher

      Re: I'm guessing this is a joke. Right?

      "Pattern lets you draw a simple pattern with your finger to unlock the device."

      Yeah, I looked at the link, too, and was similarly underwhelmed. I decided to do a little more looking, though, and found that unless it's been patched in the past couple of years, the way the system stores pattern info is less secure than it does with PINs.

      Source: Android Forensics: Cracking the Pattern Lock Protection Forensics, August 19, 2013

  9. sabroni Silver badge
    Unhappy

    re: Bootnote, in fairness to Google

    Fuck fairness to Google.

    This is a slippery slope elReg, I'm not sure why you thought this was necessary. Are all security articles to come with links to associated best practices? This just makes it look like you're worried Google might get upset with you. Never seems to bother you with Apple or MS (but then, they don't effectively own internet search)...

    1. Dan 55 Silver badge

      Re: re: Bootnote, in fairness to Google

      In fairness to Google they should bin pattern unlock with Android M.

    2. Craigness

      Re: re: Bootnote, in fairness to Google

      downvoted because you didn't read the "best practice"

  10. MojoJojo

    Use for NFC?

    Quick and secure way of unlocking. Although I suppose it goes against the 2-factor principle - if they can steal your phone they can steal the tag.

    Shame you have to jailbreak Android to get it to work at the moment.

    1. MikeS

      Re: Use for NFC?

      The Smart Lock feature in Lollipop achieves this, no need to 'jailbreak' as you put it (jailbreaking is what you do in iLand).

      Smart Lock lets you define certain locations/situations in which the phone will not lock, e.g. when I have mine connected to my home wifi or when it's paired with my car's Bluetooth it doesn't lock, but when it's moved away (or not connected) then it locks automatically.

      1. Brangdon

        Re: Use for NFC?

        I tried Smart Lock and found it didn't work. Specifically, the "trusted places" part was not accurate enough. It seemed to be based on the generic Android location service, which seems to use cell towers, which can be wrong by 100s of yards. I don't see an option to require a specific WiFi connection.

        Also, it would unlock automatically whenever it thought it was close to the location. That's unsafe: someone could steal my phone and unlock it just by standing outside my house. Smart lock should never unlock. Instead it should merely prevent the phone from relocking (after being unlocked manually).

        I previously used an app called Unlock with Wifi that got all this right. That app doesn't work with Lollipop, because the author is a tit. Currently I use Llama instead.

        1. SEDT

          Re: Use for NFC?

          "Smart lock should never unlock. Instead it should merely prevent the phone from relocking (after being unlocked manually)."

          Um, that's exactly how Smartlock works on my One+ running stock Lollipop

    2. Roland6 Silver badge

      Re: Use for NFC?

      >they can steal the tag

      Not so easy if it is under the skin...

  11. Simple Si
    Alert

    Tapping in pin in cinema

    The default touch response on some devices doesn't seem to help either - I was in the cinema earlier this week and just before the film started most of the audience were on their mobiles. It was easy to spot the pin number in use by the guy in front unlocking his phone due to the numbers flashing when they were touched. Wondered if that happened to be the same pin for his bank card... I think the elevated, shoulder surfing position in the cinema makes it an easy place for your pin to be compromised.


    1. Dan 55 Silver badge

      Re: Tapping in pin in cinema

      What Android needs is an option on the security settings screen which automatically sets everything to their most secure settings, or simply not offer them in the first place.

      1. Michael Wojcik Silver badge

        Re: Tapping in pin in cinema

        This is precisely why I haven't been in a movie theater in years.

        Not because I'm worried someone will shoulder-surf my phone password - all the idiots on their phones. In my experience, most of them can't stay off the damn things while the film is playing either.

  12. hitmouse

    My complex pattern is a nightmare when the screen is even the tiniest bit moist (a raindrop screws it up) and any double-back just gets lost. A disconnected numeric pin is much easier to manage in such a circumstance.

  13. Julian Bradfield

    Yawn. I lock my phone at all (with a simple pattern) solely because it's the only way to stop the damn thing unlocking itself in my pocket. If my phone gets stolen, there are a couple of passwords I need to change as soon as practicable, but that's it. The Google account associated with it contains only my calendar, which is not sensitive.

  14. cbars Bronze badge

    is that number right?

    I've obviously not thought about this properly, but I'm sure the permutations of patterns possible is much lower than the number quoted. In my mind, the number of permutations should be 9! - 3!

    Plus, all the droids I've owned would not let you slide from the bottom to the top (left right, etc) without touching the middle dot.

    That would further reduce the number of possible patterns. I would be surprised if there were 389112 combos.

    Leaving aside all the smear tricks etc., I still use the pattern as it's easier than numbers with one hand, and is 'good enough' for me (and the attack vectors I regard as... likely; shame on me. I should know better).

    1. John Robson Silver badge

      Re: is that number right?

      @cbars - touching the middle dot

      The middle dot is easy to avoid, you don't have to drag in a straight line...
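An added example, not from the thread or from Android itself, that checks two of the numbers argued over above: the smudge-attack candidate counts in Annihilator's "PIN generation" post (24, 36 and 14 for a 4-digit PIN, and the "use one fewer digit" rule), and the 389,112 figure cbars doubts, computed under the rule John Robson describes (a line may only pass over a dot that has already been used). The 3x3 grid, the 4-to-9 dot length limits and the no-reuse rule are assumed from the Android pattern lock as commonly documented.

```python
from math import comb

# Grid cells are (row, col) on the 3x3 Android pattern grid.
CELLS = [(r, c) for r in range(3) for c in range(3)]


def _dot_in_between(a, b):
    """Return the dot a straight line from a to b passes over, or None.

    A dot lies in between only when both the row and column offsets are
    even (corner to opposite corner, edge-middle to edge-middle, etc.).
    """
    (r1, c1), (r2, c2) = a, b
    if (r1 + r2) % 2 == 0 and (c1 + c2) % 2 == 0:
        return ((r1 + r2) // 2, (c1 + c2) // 2)
    return None


def count_android_patterns(min_len=4, max_len=9):
    """Count valid patterns by length (dict: length -> number of patterns).

    Rule assumed from Android: a line may skip a dot only if that dot was
    already used; otherwise the dot is captured first, so the "jump" is not
    a distinct pattern. No dot is ever used twice.
    """
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def extend(path, used):
        if len(path) >= min_len:
            counts[len(path)] += 1
        if len(path) == max_len:
            return
        for nxt in CELLS:
            if nxt in used:
                continue
            mid = _dot_in_between(path[-1], nxt)
            if mid is not None and mid not in used:
                continue  # the untouched dot in between would be taken first
            used.add(nxt)
            path.append(nxt)
            extend(path, used)
            path.pop()
            used.discard(nxt)

    for start in CELLS:
        extend([start], {start})
    return counts


def candidate_pins(length, distinct):
    """Number of PINs of `length` digits using exactly `distinct` digits.

    This is what someone who has read the smudged keys still has to try:
    the surjections from positions onto the revealed digit set, counted by
    inclusion-exclusion.
    """
    return sum((-1) ** j * comb(distinct, j) * (distinct - j) ** length
               for j in range(distinct + 1))


def best_distinct_count(length):
    """Number of distinct digits (1..10) that leaves the most candidates
    for a PIN of `length` digits when the digit set is known."""
    return max(range(1, min(length, 10) + 1),
               key=lambda k: candidate_pins(length, k))


if __name__ == "__main__":
    by_len = count_android_patterns()
    print("valid 3x3 patterns:", by_len, "total:", sum(by_len.values()))
    for k in (4, 3, 2):
        print(f"4-digit PIN, {k} distinct digits known:", candidate_pins(4, k))
    for n in range(4, 10):
        print(f"{n}-digit PIN: most candidates with {best_distinct_count(n)} distinct digits")
```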

  15. James O'Shea

    Errm...

    I don't know why anyone would use the pattern feature, it's so obviously easily broken. Same with why anyone would use the fingerprint reader on iPhones and some Androids, the complete and total lack of security for that 'feature' is blindingly obvious. Personally, I have configured my devices (two iPhones and an iPad) to use the 'advanced' security feature, which allows me to avoid the easily broken four-digit, all-numerical PIN code (only slightly more secure than the pattern or the fingerprint reader) and to use instead an alphanumeric combination of my choice. I currently have a ten-character code, nine letters, two of them uppercase, seven lowercase, plus one number. The number and the uppercase characters are not the first or the last characters. Two letters are duplicated; one is both an uppercase and a lowercase character, one is just lowercase in both instances. The overall passphrase is based on a phrase from <name of language redacted>; one of the guys on my floor while I was at uni was a native speaker of that language, and I made note of certain phrases, transliterated into the Latin alphabet. I deliberately misspelled this particular phrase. To guess it, someone would have to know which language I started out with, how and why I changed the transliteration, the strange capitalisation I used, and where I put the number. I use other phrases from that language, again deliberately misspelled, as 14 to 18 character passphrases for things I'd like to be fairly secure. There are fewer than 100,000 native speakers of that language and it does NOT use the Latin alphabet, so in this case even the starting point is rather obscure. Yes, it can be hacked, if someone goes to enough trouble. But they're really going to have to want to get onto MY stuff in particular to do that. Easier to go after someone else's stuff. Such as stuff 'protected' by a pattern or a fingerprint.

    I assume that Android has a feature similar to this. (If not, why the hell not?) I used to have an Android phone, but it was so annoying to use (it froze. All the time. This was actually great security, in that it was unusable... except that I couldn't use it either) that I dumped it and replaced it with an iPhone. I never did get around to setting up security beyond the 4-digit PIN, not that it mattered as I never put anything important on that useless hunk of plastic.

    1. MikeS

      Re: Errm...

      >.......I assume that Android has a feature similar to this.........

      It does.

      (short reply)

    2. werdsmith Silver badge

      Re: Errm...

      " I currently have a ten-character code, nine letters, two of them uppercase, seven lowercase, plus one number. The number and the uppercase characters are not the first or the last characters. Two letters are duplicated; one is both an uppercase and a lowercase character, one is just lowercase in both instances."

      That kind of start would have been a feast of useful information to the folks at Bletchley Park in the 40s. A massive headstart.

      Seriously, if you need to go that far to keep your phone secured then you need to have a think about what you are needing to hide on your phone. Phone security devices like fingerprint readers are there to help stop your mates from posting embarrassing stuff under your Facebook account. I don't think consumer phones were ever intended to hold Snowdenesque information.

      Just avoid online banking apps and the like and the whole paranoia thing becomes unnecessary.

    3. John Robson Silver badge

      Re: Errm...

      @ James O'Shea

      That's a HUGE amount of information you just gave out.

      There aren't that many languages with <100k native speakers in the world, you've massively reduced the space of the search.

      Actually you've managed to reduce it seriously, even ignoring the language thing:

      9 letters -> 26^9

      1 number -> 10^1

      position of number -> 10^1

      position of capitals -> 9*8 (since one position is taken by a number)

      That's a pretty small search space compared with the scale of the attack before you published your method.

      Now let's assume that I care, and figure out where you went to uni - I reckon I could guess the language, or at least limit it to one or two.

      Then look at some stats about transliterated letter combinations.

      [If you see a q in English then the next letter is au - 99+% of the time, so the next letter isn't a choice of 26, it's basically a choice of 1]

      Then I've probably cut the search space by another significant factor - maybe 10?

      1. Michael Wojcik Silver badge

        Re: Errm...

        That's a HUGE amount of information you just gave out.

        Still has about 56 bits of entropy, which is a big search space if you can't mount an offline or fast online attack.

        If you're in the position to mount an offline attack, you probably already have read access to the data in the phone, so that possibility is not interesting in most cases. Maybe there's encrypted storage on the phone with potentially interesting data and the best attack on that is to brute-force the password, but we're talking about a pretty narrow case there.

        The device could have protection against fast online attacks, and the cost of creating the necessary equipment to mount them is likely to be significant.

        Sure, his description reduces the search space significantly. Does it reduce it usefully? Not under most sensible threat models, I'd say.

  16. Madboater

    I wasn't aware the lock pattern was for security!

    It's to stop your children from accessing my phone or the phone dialing stuff while in your pocket. It also keeps out about 80% of family and friends on a night out. Saying that, I can't see any obvious "line" on my screen.

    1. Semaj

      Re: I wasn't aware the lock pattern was for security!

      Exactly this. I'm fairly sure that most of the contents aren't encrypted anyway, especially the stuff on the SD card. So what difference does it make?

    2. druck Silver badge
      Holmes

      Re: I wasn't aware the lock pattern was for security!

      I only put a lock pattern on when my son turned one and started to dial numbers every time he picked up the phone. However, he found out how to dial emergency contacts without unlocking before I did. Now he's two he can copy the patterns with ease.

    3. Lamont Cranston

      Re: I wasn't aware the lock pattern was for security!

      I only went with a pattern screen lock on my tablet to keep the kids off it - total fail as they sussed the "follow the greasy line" method very early on. I have found that it's sufficient to keep my wife out of my phone, though!

    4. Michael Wojcik Silver badge

      Re: I wasn't aware the lock pattern was for security!

      It also keeps out about 80% of family and friends on a night out.

      And if you lose the phone and some random ne'er-do-well picks it up, it will likely be enough of a hassle to stop him (or her) from using it, in the window before you have it disabled. Even if you don't keep sensitive information on the phone, it's likely worthwhile putting up a bit of a barrier just to prevent that annoyance.

      I've never lost a phone myself, but I know a few people who seem to make a habit of it.

  17. asdf

    Android full disk encryption is a joke anyway

    Let's see: Android full disk encryption causing a massive performance hit on most hardware. Check. Such a performance penalty that many handsets are now not using it by default. Check. Also incredibly flaky on aftermarket Lollipop ROMs. Check. FDE is one area where Android badly lags its competitors.

  18. Bucky 2

    Say what? Double back?

    From my phone's steadfast unwillingness to accept a pattern that revisited a node, I thought it wasn't allowed.

    This in turn made me assume the pattern unlock was just a casual defense against butt dialing.

    I am a stupid, stupid man.

  19. Frumious Bandersnatch

    another option

    Let users design their own lock screen based on photos and clip art. Present a grid with 3x3 or more pictures and use a series of gestures rather than one continuous swipe. Mostly based on dragging pictures around, but allow a few distinct gestures such as:

    * wiggling an icon

    * dragging an icon onto another (possibly from different angles)

    * circling an icon around another

    * "throwing" an icon or moving it out of the grid area

    Each step would map to a simple subject-object-verb or subject-verb action, which could be easily memorised, even with fairly long chains.

    To guard against the smudge attack, the pictures/icons could be randomised. It should be easier to find pictures among a random grid than it would be to hunt out a particular number.
