For The Love Of All That Is Holy, Stop Using Pattern Unlock 

A while back, I woke up to find my Android phone lingering at a pattern unlock screen. Not just to unlock my screen, but a prompt to decrypt all of my phone's data. I was puzzled. Every other morning, I decrypted my device using a 10-digit, alphanumeric passphrase -- something I perceived, accurately, as being infinitely more secure than tracing a dumb pattern with my finger.


As it turned out, my phone had performed a software update and this was one of its new features. I couldn't figure out why, but my phone had significantly downgraded my security. Stupid, stupid phone.

A joint study published this week by researchers at the US Naval Academy and the University of Maryland Baltimore County offers further proof that using an unlock pattern is an incredibly dumb way to secure a mobile device. First reported by Wired, the study shows that around two-thirds of people are able to recreate patterns after watching others input them once, even from five or six feet away. Compare that with a six-digit PIN code, which only 1-in-10 subjects could recreate after a single look.

The reason is fairly obvious: human brains are specifically wired to recognise and recall patterns. In fact, our proclivity for patterns is one of the neat things that set us apart from the rest of the animal kingdom. It is inherent to our unique intelligence. Accordingly, a secret passphrase should not be something a stranger on a train can memorise after seeing you input it once from six seats away.

According to Wired, 1173 subjects took part in the tests. Each was exposed to controlled videos depicting people unlocking their phones from a variety of angles. They were then asked to try to guess the PINs and unlock patterns. After two viewings, around 80 per cent of the subjects could reproduce the pattern; 64 per cent could do it after one viewing. Even after watching someone enter a six-digit PIN twice, only 27 per cent of the subjects could reproduce it correctly.

Here's what those viewing angles look like, taken from a copy of the research published on the Naval Academy's website:

[Figure: the recording angles used in the study, from "Towards Baselines for Shoulder Surfing on Mobile Authentication", United States Naval Academy.]

The overall goal, the researchers wrote, was "establishing baselines for how current authentication performs against shoulder surfing, as well as provide insight into settings of current authentication that can protect users from shoulder surfing." (The study's authors are Adam Aviv, John Davin, and Flynn Wolf from the US Naval Academy and Ravi Kuber of the University of Maryland.)

If that's not enough, a 2015 study showed that a majority of users use only four nodes for pattern unlocks, and roughly 77 per cent always start their patterns in one of the four corners; almost half start in the upper left-hand corner. And whether they realise it or not, around 10 per cent of users prefer to use the shape of a letter. We humans are incredibly predictable.
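To put those habits in numbers, here is an added example (not from the article or from either study) that enumerates every pattern Android's 3x3 grid actually accepts and then measures how much of that space the reported habits cover. It assumes the well-known Android rules: a pattern uses 4 to 9 distinct nodes, and a node lying directly between two others can only be jumped over if it is already part of the pattern. The per-length totals (389,112 valid patterns overall) and the corner-start share it computes are properties of those rules, not figures taken from the page.

```python
from collections import Counter
from fractions import Fraction
from functools import lru_cache

# Android's 3x3 pattern grid, nodes numbered 0..8 left-to-right, top-to-bottom.
GRID = {n: divmod(n, 3) for n in range(9)}      # node -> (row, col)
CORNERS = (0, 2, 6, 8)
MIN_LEN, MAX_LEN = 4, 9                         # Android accepts 4 to 9 nodes
PIN6_SPACE = 10 ** 6                            # six-digit PIN, for comparison


def crossed_node(a, b):
    """Node lying exactly halfway between a and b, or None if the segment
    a->b passes over no grid node (adjacent, diagonal and knight-like moves)."""
    (ra, ca), (rb, cb) = GRID[a], GRID[b]
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return 3 * ((ra + rb) // 2) + (ca + cb) // 2


def is_valid_move(path, nxt):
    """Android rule (assumed here): a node is used at most once, and a node on
    the straight line between the current and next node is only jumped over
    if it is already part of the pattern."""
    if nxt in path:
        return False
    mid = crossed_node(path[-1], nxt)
    return mid is None or mid in path


def enumerate_patterns():
    """Yield every valid pattern as a tuple of node numbers, each exactly once."""
    def extend(path):
        if len(path) >= MIN_LEN:
            yield tuple(path)
        if len(path) == MAX_LEN:
            return
        for nxt in range(9):
            if is_valid_move(path, nxt):
                path.append(nxt)
                yield from extend(path)
                path.pop()
    for start in range(9):
        yield from extend([start])


@lru_cache(maxsize=None)
def all_patterns():
    # Cached so the statistics below only pay for the enumeration once.
    return tuple(enumerate_patterns())


def count_by_length():
    """How many valid patterns exist for each length 4..9."""
    return Counter(len(p) for p in all_patterns())


def count_by_start(length):
    """For patterns of a given length, how many begin at each node."""
    return Counter(p[0] for p in all_patterns() if len(p) == length)


def corner_share(length):
    """Fraction of patterns of this length that start in a corner when every
    valid pattern is equally likely, i.e. the share a non-habitual user gives."""
    by_start = count_by_start(length)
    return Fraction(sum(by_start[c] for c in CORNERS), sum(by_start.values()))


if __name__ == "__main__":
    lengths = count_by_length()
    total = sum(lengths.values())
    print(f"valid patterns: {total} (six-digit PIN space: {PIN6_SPACE})")
    for n in range(MIN_LEN, MAX_LEN + 1):
        print(f"  {n} nodes: {lengths[n]}")
    # The 2015 study's population: four-node patterns, usually corner-started.
    four = lengths[MIN_LEN]
    four_corner = sum(count_by_start(MIN_LEN)[c] for c in CORNERS)
    print(f"four-node patterns: {four} ({four / total:.2%} of all)")
    print(f"four-node, corner start: {four_corner} "
          f"({float(corner_share(MIN_LEN)):.1%} under uniform choice)")
```

Run as-is it shows that the whole pattern space is already smaller than a six-digit PIN's, that four-node patterns are well under 1 per cent of it, and that a uniformly chosen four-node pattern would start in a corner only about 38 per cent of the time, against the 77 per cent the 2015 study observed. Users' habits therefore shrink the space a guesser has to cover by far more than the grid rules alone do, which is the practical content of "we humans are incredibly predictable".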

This all may seem a bit obvious, but perhaps knowing a controlled study exists that backs up your well-reasoned assumptions is enough to warn you off pattern-based passwords. A six-digit PIN might take a fraction of a second longer to input -- UGH, so long -- but it's better than having your phone stolen and all your freaky photos dumped online. Think about it.

[Wired, US Naval Academy]



    It really depends on how secure you need(want) your device to be. I use pattern unlock, but there is nothing on my phone I'm worried about. About the most valuable thing on it would be my Angry Birds progress or maybe some photos of my dog. I could probably leave it completely unlocked but habit makes me set at least some security.

    I like the fact that we have a variety of options. So someone who doesn't need security can go without and you can go all the way up to biometric security if you really desire.

      Spot on. I use pattern unlock purely to prevent my 3-year-old from stealing my phone to watch ABC Kids.

    On top of this, it's easier to lift a pattern from the smudges on the screen.
    That said, is it true that digital forensic cracking software has a harder time with patterns than traditional passcodes?

    I never use anything. What a pain in the butt typing or swiping a bloody code just to look at your screen.
    Swiping up is a step too much.

    This article is meant for those readers who are concerned about smartphone security. So those readers (like skrybe and stubi (who have commented before me)) who are not concerned about the issue can safely ignore it.
    However, being forewarned, forecautioned is being forearmed... and that is the point of the article... and it is a good, nay, great, point. Who knows one day you really may use your smartphone for some critical work and wouldn't like your contact details to be read by anyone else.
    Also, though you may not need security yourself (which is great!) you may find yourself in a situation where you are called upon to "dish" out smartphone security advice to.. to.. may be your young children or wards, or may be to your seniors who could be vulnerable to smartphone theft or unauthorized access (hacking?).
    Anyway, I think that this article will help more people to be aware of security features for their own safety.

    It's very secure if you're someone like Cassandra Sainsbury, even for yourself when you can't remember what your passswipe was

    You don't have to use connected patterns. You can go from one to another skipping those directly in between. It may be easier for some to use two fingers/thumbs to do this. e.g. press one of your spots with first finger, press the next spot with the second, then only lift off with the first finger.
