New research uncovers that Android lock patterns are easily predictable
It is indeed surprising that most Android lock patterns are predictable, because people generally use the most common combinations.
Google introduced Android Lock Patterns (ALPs) as a password alternative in 2008, when it launched its Android operating system.
In Android’s lock-screen pattern system, users just need to draw some lines in between the nodes instead of typing any password or PIN. Hence, it is much easier to remember and use them in comparison to the passwords.
The study was part of Løge’s master’s thesis, and she discovered that some bad practices were commonly used when choosing these patterns.
An ALP must use a minimum of four nodes and a maximum of nine, which adds up to a total of 389,112 possible patterns.
Here’s the breakdown:
LENGTH | NUMBER OF COMBINATIONS |
---|---|
4 | 1,624 |
5 | 7,152 |
6 | 26,016 |
7 | 72,912 |
8 | 140,704 |
9 | 140,704 |
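The per-length counts in the table can be reproduced by exhaustively enumerating patterns on the 3×3 grid. The Python below is an added example, not code from Løge’s study or the original article; it assumes the standard Android rules that a node is used at most once and that a stroke cannot pass over an unvisited node, and its function names are illustrative.

```python
# Added example: enumerate Android lock patterns on the 3x3 grid.
# Nodes are numbered 1..9 like a phone keypad. Assumed rules (standard
# Android behaviour, not spelled out in the article): a node is used at
# most once, and a stroke may not pass over an unvisited node.

def midpoint(a, b):
    """Node lying exactly between a and b on the grid, or None."""
    (ra, ca), (rb, cb) = divmod(a - 1, 3), divmod(b - 1, 3)
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return (ra + rb) // 2 * 3 + (ca + cb) // 2 + 1
    return None

def step_ok(prev, nxt, visited):
    """True if moving prev -> nxt is legal given the visited nodes."""
    mid = midpoint(prev, nxt)
    return nxt not in visited and (mid is None or mid in visited)

def is_valid(pattern):
    """Check one pattern, e.g. [2, 1, 3, 6] from Løge's example."""
    if not 4 <= len(pattern) <= 9 or any(n not in range(1, 10) for n in pattern):
        return False
    visited = {pattern[0]}
    for prev, nxt in zip(pattern, pattern[1:]):
        if not step_ok(prev, nxt, visited):
            return False
        visited.add(nxt)
    return True

def count_patterns(min_len=4, max_len=9):
    """Depth-first enumeration; returns {length: number of patterns}."""
    counts = dict.fromkeys(range(min_len, max_len + 1), 0)

    def extend(last, visited):
        if len(visited) >= min_len:
            counts[len(visited)] += 1
        if len(visited) == max_len:
            return
        for nxt in range(1, 10):
            if step_ok(last, nxt, visited):
                extend(nxt, visited | {nxt})

    for start in range(1, 10):
        extend(start, {start})
    return counts

if __name__ == "__main__":
    counts = count_patterns()
    for length, n in counts.items():
        print(f"{length} nodes: {n:>7,}")
    print(f"total:   {sum(counts.values()):>7,}")
```

Under these rules the pattern 2, 1, 3, 6 is legal only because node 2 has already been visited when the stroke goes from 1 to 3.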
The most common patterns used just four nodes, which reduces the number of possible combinations to just 1,624 and makes them easy to guess.
The most commonly used patterns moved from left to right and top to bottom, making them even easier to guess.
Her study also indicated that males and females tend to create patterns in distinct and predictable ways. She observed that both sexes preferred nine-node patterns most of the time and very rarely used eight-node patterns, though both provide almost the same number of possible patterns.
Her findings also revealed that, irrespective of gender, the starting places used by left-handed users were similar to those of their right-handed counterparts.
Løge says that it is not only the number of nodes used in an ALP but also the specific sequence of the nodes in the pattern that helps in guessing it. She explained this by giving an example: “Assigning the nine nodes the same digits found on a standard phone interface, the combination 1, 2, 3, 6 will receive a lower complexity score than the combination 2, 1, 3, 6, since the latter pattern changes direction.”
She also discovered that, in comparison, males use more complex patterns, such as the sequence 2, 3, 1, and that females rarely use crossovers.
In password breaches, the most commonly cracked passwords were found to be “1234567” and “letmein”.
Løge says that ALPs share a similar weakness with passwords. She found that almost 10 percent of the patterns took the shape of an alphabetic letter corresponding to the first initial of the user’s name, or that of a spouse, child or another person close to the user. This indicates that there is a one-in-ten chance that an attacker can predict the ALP. If the attacker knows the names of the victim or of the people close to them, guessing becomes all the easier.
“It was a really fun thing to see that people use the same type of strategy for remembering a pattern as a password,” Løge said. “You see the same type of behavior.”
Løge says that by collecting a huge number of ALPs it is possible to build a “Markov model” that can help attackers predict ALPs.
Ways to make ALPs better and attack-proof:
Løge told Ars Technica that there are ways to make these pattern passwords better, and she provided some tips to help users. She says it is essential to use a whole bunch of nodes and always to aim for a pattern that crosses over itself a number of times, which is difficult to make out from a distance.
She also advises users to switch off the “show pattern” option in their phone’s security settings.
One more important tip is to avoid starting the pattern from the top-left node.
Source: Techworm