People Suck at Coming Up With Good Android Lock Patterns


We’re pretty terrible at coming up with good passwords, but if you thought we were better when it comes to Android lock patterns, you’d be wrong. New research shows that the tic-tac-toe style patterns people devise to unlock their phones often follow dismally predictable rules.


Android lock patterns (ALPs) can contain a minimum of four nodes and a maximum of nine, for a total of nearly 400,000 possible combinations. That’s a lot of potential passwords! But when Marte Løge of the Norwegian University of Science and Technology analyzed over 4,000 ALPs for her master’s thesis, what she found was a pretty sorry state of affairs. A full 44 percent of ALPs started in the top left-most node of the screen, while 77 percent started in one of the four corners. Very often, patterns moved from left to right and top to bottom. And a large percentage of the patterns had only four nodes, dramatically shrinking the pool of available combinations.
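To put numbers on the paragraph above, this added example (not from the article or from Løge’s thesis) enumerates every valid pattern on the 3x3 grid, assuming Android’s drawing rule that a stroke cannot pass over a node that has not been used yet. It goes a little beyond the text by comparing the full keyspace with the slices that remain when a pattern has only four nodes or starts in the top-left corner; the function names are illustrative.

```python
# Added example: count valid Android lock patterns on the 3x3 grid.
# Nodes are numbered 0..8 row by row, so node 0 is the top-left corner.

def midpoint(a, b):
    """Return the node lying exactly between a and b, or None if there is none."""
    (ra, ca), (rb, cb) = divmod(a, 3), divmod(b, 3)
    if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None

def count_from(node, visited, remaining):
    """Count the ways to extend the current path by `remaining` more nodes."""
    if remaining == 0:
        return 1
    total = 0
    for nxt in range(9):
        if visited & (1 << nxt):
            continue  # each node can be used only once
        mid = midpoint(node, nxt)
        # Assumed rule: a stroke may cross a node only if it is already used.
        if mid is not None and not visited & (1 << mid):
            continue
        total += count_from(nxt, visited | (1 << nxt), remaining - 1)
    return total

def count_patterns(length, starts=range(9)):
    """Number of valid patterns with exactly `length` nodes, from the given starts."""
    return sum(count_from(s, 1 << s, length - 1) for s in starts)

def keyspace(min_len=4, max_len=9, starts=range(9)):
    """Number of valid patterns with min_len..max_len nodes, from the given starts."""
    return sum(count_patterns(n, starts) for n in range(min_len, max_len + 1))

if __name__ == "__main__":
    full = keyspace()
    slices = {
        "all valid patterns (4-9 nodes)": full,
        "four-node patterns only": count_patterns(4),
        "patterns starting top-left": keyspace(starts=[0]),
        "four-node patterns starting top-left": count_patterns(4, starts=[0]),
    }
    for label, n in slices.items():
        print(f"{label:40s} {n:7d}  ({n / full:.2%} of the keyspace)")
```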

People tended to stay away from patterns that involved changes in direction, which tend to be less susceptible to guessing attacks. The two patterns on the right of the image below, for instance, produce a higher “complexity score” than the patterns on the left:

Illustration for article titled People Suck at Coming Up With Good Android Lock Patterns

Time and again, data breaches show us that people love to use ridiculously bad passwords, à la “1234567” and “letmein.” But switching to ALPs doesn’t seem to make our bad habits go away. A full 10 percent of the passwords in Løge’s study resembled a letter of the alphabet, often one that corresponded to the initial of a spouse or child.

What can you do to make your phone less crackable? Simple. Stop drawing letters. Turn off the “make pattern visible” option in your Android settings. Use crossovers. Use more than four nodes — they’re giving you nine, people, nine. And please, for the love of God, don’t save your ALP in a folder named “ALP” on your computer.

[Ars Technica]





I don’t have any clue what my husband’s code is and I feel like a moron whenever he hands me the phone and I have to hand it back like, dude.

I like to live dangerously and not lock my phone at all. If somebody were to steal my phone, the only information they’d get is my embarrassing search history and other people’s phone numbers. They wanna view my FB? Okay, enjoy all the baby and vegetable harvest photos.

I know a lot of people have important information on their phone, I’m just not one of them. Actually, my friend has her home security system hooked up to her phone and I’m pretty sure I could unlock her doors and turn on all the electronics in the house with it. Sounds pretty dumb to me.