A while back, I woke up to find my Android phone lingering at a pattern unlock; not just to unlock my screen, but to decrypt all of my phone’s data. I was puzzled. Every other morning, I decrypted my device using a 10-digit, alphanumeric passphrase—something I perceived, accurately, as being infinitely more secure than tracing a dumb 6-point pattern with my finger.
As it turned out, my phone had gone through a software update after I fell asleep and this was one of its new features. I couldn’t figure out why, but my phone had significantly downgraded my security. Stupid, stupid phone.
A joint study published this week by researchers at the US Naval Academy and the University of Maryland Baltimore County offers further proof that using a unlock pattern is an incredibly dumb way to secure a mobile device. First reported by Wired, the study shows that around two-thirds of people are able to recreate patterns after watching others input them once, even from five or six feet away. This is opposed to a six-digit PIN code, which only 1-in-10 subjects could recreate after a single look.
The reason is fairly obvious; human brains are specifically wired to recognize and recall patterns. In fact, our proclivity for patterns is one of the neat things that sets us apart from the rest of the animal kingdom. It is inherent to our unique intelligence. Accordingly, a secret passphrase should not be something a stranger on a train can memorize after seeing you input it once from six seats away.
According to study, 1,173 subjects took part in the tests. Each was exposed to controlled videos depicting people unlocking their phones from a variety of angles. They were then asked to try and guess PINs and unlock patterns. After two viewings, around 80 percent of the subjects could reproduce the pattern; 64 percent could do it after one viewing. Even after watching someone enter a six-digit PIN twice, only 27 percent of the subjects could reproduce it correctly.
Here’s what those viewing angles look like, taken from a copy of the research published on the Naval Academy’s website:
The overall goal, the researchers wrote, was to “establishing baselines for how current authentication performs against shoulder surfing, as well as provide insight into settings of current authentication that can protect users from shoulder surfing.” (The study’s authors are Adam Aviv and John Davin of the US Naval Academy and Ravi Kuber and Flynn Wolf of the University of Maryland Baltimore County.)
If that’s not enough, a 2015 study showed that a majority of users only use four nodes for pattern unlocks, and roughly 77 percent always start their patterns in one of the four corners; almost half start in the upper left-hand corner. And whether they realize it or not, around 10 percent of users prefer to use the shape of a letter. We humans are incredibly predictable.
This all may seem a bit obvious, but perhaps knowing a controlled study exists that backs up your well reasoned assumptions is enough to ward you off pattern-based passwords. A six-digit PIN might take a fraction of a second longer to input—UGH, so long—but it’s better than having your phone stolen and all your freaky photos dumped online. Think about it.
Correction: A previous version of this article stated that researcher Flynn Wolf was from the US Naval Academy. He is from the University of Maryland Baltimore County. We regret the error.