The abundance of password leaks over the past decade has revealed some of the most commonly used—and consequently most vulnerable—passphrases, including "password", "p@$$w0rd", and "1234567". The large body of data has proven invaluable to whitehats and blackhats alike in identifying passwords that on their face may appear strong but can be cracked in a matter of seconds.

Now, Android lock patterns—the password alternative Google introduced in 2008 with the launch of its Android mobile OS—are getting the same sort of treatment. The Tic-Tac-Toe-style patterns, it turns out, frequently adhere to their own sets of predictable rules and often possess only a fraction of the complexity they're capable of. The research is in its infancy, since Android lock patterns (ALPs) are so new and the number of collected real-world patterns is comparatively minuscule. Still, the predictability suggests the patterns could one day be subject to the same sorts of intensive attacks that regularly visit passwords.

Marte Løge, a 2015 graduate of the Norwegian University of Science and Technology, recently collected and analyzed almost 4,000 ALPs as part of her master's thesis. She found that a large percentage of them—44 percent—started in the top left-most node of the screen. A full 77 percent of them started in one of the four corners. The average number of nodes was about five, meaning there were fewer than 9,000 possible pattern combinations. A significant percentage of patterns had just four nodes, shrinking the pool of available combinations to 1,624. More often than not, patterns moved from left to right and top to bottom, another factor that makes guessing easier.

"Humans are predictable," Løge told Ars last week at the PasswordsCon conference in Las Vegas, where she presented a talk titled Tell Me Who You Are, and I Will Tell You Your Lock Pattern. "We're seeing the same aspects used when creating a pattern locks [as are used in] pin codes and alphanumeric passwords."

ALPs can contain a minimum of four nodes and a maximum of nine, for a total of 389,112 possible combinations. As with passwords, the number of possible combinations grows exponentially with the length, at least up to a point. Here's the breakdown:

Length   Number of combinations
4        1,624
5        7,152
6        26,016
7        72,912
8        140,704
9        140,704

As part of her thesis, Løge asked subjects to create three ALPs, one for an imaginary shopping app, a second for an imaginary banking app, and the last to unlock a smartphone. Sadly, the minimum four-node pattern was the most widely created one by both male and female subjects, followed by five-node ALPs. For reasons Løge still can't explain, eight-node patterns were the least popular, attracting significantly fewer subjects than nine-node choices, even though both offered the same number of possible combinations. The slide below contrasts choices of males on the top with those of females below, showing that the former were much more likely to pick longer patterns over shorter ones.

Males were much more likely than females to choose long and complex patterns, with young males scoring the highest. The slide below illustrates the overall breakdown between men's and women's choices differently.

Keep it complex

Løge said the number of nodes isn't the only thing that determines how susceptible an ALP is to guessing attacks. The specific sequence of nodes is also key in how complex a pattern is. Assigning the nine nodes the same digits found on a standard phone interface, the combination 1, 2, 3, 6 will receive a lower complexity score than the combination 2, 1, 3, 6, since the latter pattern changes direction. A team of researchers formalized this scoring system in a 2014 paper titled Dissecting pattern unlock: The effect of pattern strength meter on pattern selection.

With possible scores ranging from a minimum of 6.6 to a maximum of 46.8, the average score in her study was just 13.6. The highest score measured in the study was 44.4. "Patterns with high complexity scores, people are not able to remember," Løge said. Compared with females, males picked more complex patterns, such as those with a 2, 3, 1 sequence. Almost none of the female respondents chose such crossovers.
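The two claims above that a practitioner is most likely to want to check for themselves are the combination table (1,624 four-node patterns, 389,112 in total) and the idea that the order of nodes, not just their count, decides a pattern's complexity. The following Python script is an added example, not code from the article or from Løge's thesis. It models the 3x3 grid with phone-keypad numbering, enforces Android's rule that a stroke may not skip over an unvisited node (1→3 is only allowed once 2 has been used), enumerates every valid pattern by length, and scores a pattern as physical length times log2 of (nodes + crossings + passes over already-visited nodes). That scoring formula is my recollection of the Sun et al. 2014 paper and is an assumption here: it reproduces the ordering the article describes (1, 2, 3, 6 scores lower than 2, 1, 3, 6) but its constants are not taken from the thesis, so the numbers it prints should not be compared to the 6.6 to 46.8 range quoted above.

```python
import math

# Phone-keypad layout: node 1 is top left, node 9 is bottom right.
def coords(node):
    """Return (x, y) grid coordinates of a node numbered 1..9."""
    return ((node - 1) % 3, (node - 1) // 3)

def midpoint_node(a, b):
    """Node lying exactly between a and b on a straight stroke, or None.
    Only strokes such as 1-3, 1-9, 2-8 or 4-6 have one (the midpoint is a grid point)."""
    (x1, y1), (x2, y2) = coords(a), coords(b)
    if (x1 + x2) % 2 or (y1 + y2) % 2:
        return None
    return ((y1 + y2) // 2) * 3 + (x1 + x2) // 2 + 1

def is_valid(pattern):
    """Android rules: 4..9 distinct nodes, and a stroke may only pass over
    a node that has already been visited (otherwise Android inserts that node)."""
    if not 4 <= len(pattern) <= 9 or len(set(pattern)) != len(pattern):
        return False
    if any(n not in range(1, 10) for n in pattern):
        return False
    visited = set()
    for a, b in zip(pattern, pattern[1:]):
        visited.add(a)
        mid = midpoint_node(a, b)
        if mid is not None and mid not in visited:
            return False
    return True

def count_by_length():
    """Enumerate every valid pattern with depth-first search and tally by length."""
    counts = {n: 0 for n in range(4, 10)}

    def dfs(path, visited_mask):
        if len(path) >= 4:
            counts[len(path)] += 1
        if len(path) == 9:
            return
        last = path[-1]
        for nxt in range(1, 10):
            if visited_mask >> (nxt - 1) & 1:
                continue
            mid = midpoint_node(last, nxt)
            if mid is not None and not (visited_mask >> (mid - 1) & 1):
                continue
            path.append(nxt)
            dfs(path, visited_mask | 1 << (nxt - 1))
            path.pop()

    for start in range(1, 10):
        dfs([start], 1 << (start - 1))
    return counts

def _cross(o, a, b):
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

def _segments_cross(p1, p2, p3, p4):
    """True when segment p1-p2 strictly crosses segment p3-p4 (touching at an endpoint does not count)."""
    d1, d2 = _cross(p3, p4, p1), _cross(p3, p4, p2)
    d3, d4 = _cross(p1, p2, p3), _cross(p1, p2, p4)
    return d1 * d2 < 0 and d3 * d4 < 0

def complexity_score(pattern):
    """Assumed score: stroke length * log2(nodes + crossings + passes over visited nodes).
    Direction changes, crossovers and re-traced lines all raise it; a straight line scores lowest."""
    if not is_valid(pattern):
        raise ValueError("not a valid Android lock pattern")
    pts = [coords(n) for n in pattern]
    segs = list(zip(pts, pts[1:]))
    length = sum(math.dist(a, b) for a, b in segs)
    # Every stroke with a midpoint node passes over a visited node (validity guarantees it).
    overlaps = sum(1 for a, b in zip(pattern, pattern[1:]) if midpoint_node(a, b) is not None)
    # Crossings are only possible between non-adjacent strokes.
    crossings = sum(1 for i in range(len(segs)) for j in range(i + 2, len(segs))
                    if _segments_cross(*segs[i], *segs[j]))
    return length * math.log2(len(pattern) + crossings + overlaps)

if __name__ == "__main__":
    counts = count_by_length()
    for n, c in counts.items():
        print(f"{n} nodes: {c:,} patterns")
    print(f"total: {sum(counts.values()):,}")
    # Constructed sample patterns: straight line, direction change with a re-traced node, a crossover.
    for p in ([1, 2, 3, 6], [2, 1, 3, 6], [1, 8, 3, 4]):
        print(p, round(complexity_score(p), 2))
```

Running it prints the same per-length counts as the table in the article, which is a useful sanity check that the skip-over rule has been modelled correctly; the three sample scores then show how a single direction change, and then a single crossover, lift an otherwise four-node pattern well above the straight-line floor.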

Weakest link

Data breaches over the years have repeatedly shown some of the most common passwords are "1234567", "password", and "letmein". Løge said many ALPs suffer a similar form of weakness. More than 10 percent of the ones she collected were fashioned after an alphabetic letter, which often corresponded to the first initial of the subject or of a spouse, child, or other person close to the subject. The discovery is significant, because it means attackers may have a one-in-ten chance of guessing an ALP with no more than about 100 guesses. The number of guesses could be reduced further if the attacker knows the names of the target or of people close to the target.

"It was a really fun thing to see that people use the same type of strategy for remembering a pattern as a password," Løge said. "You see the same type of behavior."

Attackers might be able to vastly improve their ability to predict ALPs by gathering large numbers of them and building what scientists call a Markov model. Løge's research didn't focus on methods for cracking patterns because of ethical considerations concerning the security of her subjects.

Surprise

One of the study's biggest surprises was the minimal use of eight-node patterns, by both males and females. Both sexes were two to four times more likely to choose a nine-node pattern rather than one with eight nodes, even though both provided precisely the same number of possible combinations. Another unexpected finding: left-handed users tended to pick the same starting places as their right-handed counterparts.

Løge had several suggestions for ways to make ALPs more secure. The first, naturally, is to choose one with more nodes and a higher complexity score. Another is to incorporate crossovers, since they make it harder for an attacker looking over the target's shoulder to trace the precise sequence. Better yet, she suggested people open the Security category in their Android settings and turn off the "make pattern visible" option. This will prevent the drawing of lines that connect each pattern node, making shoulder surfing even more difficult.