Why You Should Never Use Unlock Patterns

The basics of pattern-based security

In order to better understand what the main security issue with using patterns is it’s best to understand this unlocking process.

If this graphical password is chosen to serve as the guardian of an Android device each time the user wants to access the phone or tablet a pattern that touches specific nodes on a grid has to be drawn. The number of available nodes – or dots if you will – is always nine, but the only requirement is that at least four of these nodes are used. This way almost 400,000 different patterns can be created, which doesn’t sound bad at all.

However, a study conducted by researchers of the US Naval Academy and the University of Maryland Baltimore County shows the polar opposite.

Why patterns are too easy to crack

After examining 3,400 Android unlock patterns security experts found out that by doing little more than shoulder surfing – the act of gathering personal information by visual observation – a hacker could have a 64% success rate in guessing the pattern on the first attempt. The results are even more disturbing if the hacker has the opportunity to shoulder surf multiple times, in which case the success rate of reproducing graphical passwords increases to a whopping 80%. In simpler words, unlock patterns are so ridiculously easy to guess that it would only take one glance for wrongdoers to remember and copy them.

These results can be shocking but they shouldn’t be surprising at all, considering that most patterns are quite predictable. They typically go from left to right, and from top to bottom, often formulating letters or simple geometrical shapes.

How to secure smart devices the right way

Although the same study pointed out that turning off the so-called ‘feedback lines’ – those lines that make the pattern visible on the screen – to reduce the chances of having your graphical password cracked, security experts recommend never using this type of authentication no matter how convenient it may seem.

Instead, it’s best to switch to a more secure method of unlocking the screen, namely a PIN code, a password or biometric authentication.

Biometric authentication

This type of authentication is the ideal way of securing devices since it provides a high level of security with the convenience of graphical passwords. Although biometric authenticators are not completely infallible, recreating a user’s face, fingerprint or voice is much harder than guessing a pattern or password.

However, the biggest issue with biometric authentication is its availability: even if all the signs show that sooner or later every device will have this feature, currently biometric authentication is something that only a few users can truly enjoy.

PIN codes and passwords

If the device lacks biometric authentication, then it is still possible to rely on good old PIN codes and passwords, the most common and one of the safest methods of securing online accounts and devices.

And how safe they are? Just for comparison, while the number of possible combinations using all nine nodes in a pattern is roughly 400,000, that same number regarding a nine-digit PIN code is over one billion. This increases even more when a strong password is used, one that uses upper and lower case letters, special characters and even numbers.

Admittedly, remembering strong passwords and long PIN codes can be quite a nuisance, but this is why password managers were created to begin with. Using such a program not only requires users to remember only one password – the master password, which opens the secure password vault – but it can also create unbreakable passwords for online accounts and store additional information, including a secure note containing the PIN codes that are used to unlock the device.