We’re pretty terrible at coming up with good passwords, but if you thought we were better when it comes to Android lock patterns, you’d be wrong. New research shows that the tic-tac-toe style patterns people devise to unlock their phones often follow dismally predictable rules.

ALPs can contain a minimum of four nodes and a maximum of nine, for a total of nearly 400,000 possible combinations. That’s a lot of potential passwords! But when Martle Løge of the Norwegian University of Science and Technology analyzed over 4,000 ALPs for her master’s thesis, what she found was a pretty sorry state of affairs. A full 44 percent of ALPs started in the top left-most node of the screen, while 77 percent started in one of the four corners. Very often, patterns moved from left to right and top to bottom. And a large percentage of the patterns had only four nodes, dramatically shrinking the pool of available combinations.


People tended to stay away from patterns that involved changes in direction, which tend to be less susceptible to guessing attacks. The two patterns on the right of the image below, for instance, produce a higher “complexity score” than the patterns on the left:

Time and again, data breaches show us that people love to use ridiculously bad passwords, a la “1234567” and “letmein.” But switching to ALPs doesn’t seem to make our bad habits go away. A full 10 percent of the passwords in Løge’s study took after an alphabetic letter, often one that corresponded to the initial of a spouse or child.


What can you do to make your phone less crackable? Simple. Stop drawing letters. Turn off the “make pattern visible” option in your Android settings. Use crossovers. Use more than four nodes — they’re giving you nine, people, nine. And please, for the love of God, don’t save your ALP in a folder named “ALP” on your computer.

[Ars Technica]

Contact the author at maddie.stone@gizmodo.com or follow her on Twitter.