Let’s start with some things we knew already: people are really bad at creating and remembering secure passwords and PINs.
We’re also bad at choosing and answering password recovery questions. Most of us can’t even cook up an unlock pattern for our Androids that’s not crazy easy to predict, be it by shoulder-surfing or the tell-tale streaks we leave with our greasy fingers.
Now, a new report (PDF) from security researchers at the US Naval Academy and the University of Maryland Baltimore County has quantified just how absurdly easy it is to do an over-the-shoulder glance that accurately susses out an Android unlock pattern.
As we explained a few years ago, a lockscreen pattern allows you to lock/unlock your device by swiping your finger on the screen, drawing a pattern that touches at least four and up to nine nodes. Just as with character counts in a passcode, the more nodes you touch in your pattern, the more secure your lock should be.
Unfortunately, while there are 389,112 possible patterns you could draw using four to nine nodes, when researcher Marte Løge analyzed 3400 user-selected patterns, she found that the most commonly selected patterns used just four.
That’s bad enough, but to make it even worse, most people do swipes in predictable patterns: they go from left to right, top to bottom, typically starting in a corner, often create patterns in the shape of a letter, and rarely backtrack over the space their fingers have already traversed.
That’s what we already knew.
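To make the size of that pattern space concrete, here is an added Python example (not from the article or from the cited paper) that enumerates every pattern Android will accept on its 3x3 grid, under the one rule that a stroke cannot skip over a node that has not yet been visited, and compares the result with a PIN of the same length. The node numbering (0 to 8, row by row), the function names and the bit-strength comparison are this example's own assumptions.

```python
"""Enumerate the Android 3x3 unlock-pattern space and compare it with PINs.

Added example, not code from the article or the cited paper.
Nodes are numbered 0..8 row by row (assumed numbering).  The one rule modelled
is Android's: a stroke that passes straight over an unvisited node snaps to
that node, so jumping over an unvisited node is not a legal move; a node that
has already been visited may be crossed.
"""
import functools
import math

GRID = 3                   # 3x3 grid, nodes 0..8 row-major
MIN_LEN, MAX_LEN = 4, 9    # Android accepts patterns of 4 to 9 distinct nodes


def midpoint(a, b):
    """Return the node lying exactly between a and b, or None if there is none."""
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * GRID + (ca + cb) // 2
    return None


def is_legal_move(last, nxt, visited):
    """Legal if nxt is unvisited and no unvisited node sits on the straight line."""
    if visited & (1 << nxt):
        return False
    mid = midpoint(last, nxt)
    return mid is None or bool(visited & (1 << mid))


def is_valid_pattern(pattern):
    """True if this sequence of node ids is a pattern Android would accept."""
    if not MIN_LEN <= len(pattern) <= MAX_LEN:
        return False
    if any(not 0 <= n < GRID * GRID for n in pattern):
        return False
    visited = 1 << pattern[0]
    for last, nxt in zip(pattern, pattern[1:]):
        if not is_legal_move(last, nxt, visited):
            return False
        visited |= 1 << nxt
    return True


@functools.lru_cache(maxsize=None)
def count_patterns_by_length():
    """Count every acceptable pattern, keyed by the number of nodes it touches."""
    counts = {n: 0 for n in range(MIN_LEN, MAX_LEN + 1)}

    def dfs(last, visited, length):
        if length >= MIN_LEN:
            counts[length] += 1
        if length == MAX_LEN:
            return
        for nxt in range(GRID * GRID):
            if is_legal_move(last, nxt, visited):
                dfs(nxt, visited | (1 << nxt), length + 1)

    for start in range(GRID * GRID):
        dfs(start, 1 << start, 1)
    return counts


def total_patterns():
    """Total number of acceptable patterns across all lengths."""
    return sum(count_patterns_by_length().values())


def guess_space_bits(length):
    """(pattern_bits, pin_bits): log2 of the number of possibilities at this length.

    A PIN of n decimal digits has 10**n possibilities (assumed digits-only PIN)."""
    patterns = count_patterns_by_length()[length]
    return math.log2(patterns), length * math.log2(10)


if __name__ == "__main__":
    for n, c in count_patterns_by_length().items():
        pat_bits, pin_bits = guess_space_bits(n)
        print(f"{n}-node patterns: {c:7d}  "
              f"({pat_bits:.1f} bits vs {pin_bits:.1f} bits for a {n}-digit PIN)")
    print("total patterns:", total_patterns())
```

Running it reproduces the 389,112 figure quoted above and shows that the most popular choice, a 4-node pattern, has only 1,624 possibilities, about 10.7 bits of guess space against roughly 13.3 bits for a 4-digit PIN; the gap widens at every longer length, and that is before any of the left-to-right, corner-start habits described above shrink the space further.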
What the Naval Academy/U of Baltimore security researchers did this time around was to form a baseline of exactly how easy it is for a snoop to reproduce our unlock patterns, and how much easier it is to glean a pattern vs a PIN.
In a nutshell: it is far easier for an attacker to shoulder surf a pattern than a PIN.
The large-scale study involved showing participants videos of phone users inputting PINs and unlock patterns, and then asking them to act as attackers by replicating what they’d seen.
No surprise here: They found that the longer (6-node) PINs are fairly tough to shoulder surf at first blush. Only about 10% of the “attackers” who took a single look at the video of a 6-character PIN got it right. That went up to about one in four with multiple viewings of the same video.
Compared to that, Android patterns that used 6 nodes were a breeze for the attackers. Their attack success rate was 64% with a single viewing of the video—a success rate that shot up to 80% with multiple views.
Naval Academy Professor Adam Aviv told Wired that it’s easier for humans to detect patterns than PINs because our brains are wired that way:
Patterns are really nice in memorability, but it’s the same as asking people to recall a glyph. Patterns are definitely less secure than PINs.
The researchers accounted for multiple conditions that could affect a shoulder surfing attack, including two common touchscreen sizes; they incorporated 5 different observation angles to simulate various observer vantage points; they considered different hand positions, such as single-handed thumb input vs two-handed index finger input; and they compared varying length PINs and swipe patterns, both with and without the feedback lines.
The researchers noted that disabling Android’s “feedback lines”—those lines that visually trace the pattern in the wake of a swiping finger—cut that attack success rate down to 35% for single viewings and 52% with multiple views. That’s still pretty high, but at least it’s a bit of a bone to throw to those who really, really like their pattern unlocking.
After all, patterns are better than no protection at all. As it is, exhausted users are increasingly just rolling over and playing dead, numbed by alarm fatigue from all the security protocols, security warnings and data being crowbarred out of companies that can’t seem to figure out how to keep their data safe.
The best approach to securing a phone is to use the longest PIN your phone will allow and the shortest lock-out time you can stand.
Aviv, along with his fellow researchers, will present the paper at the Annual Computer Security Applications Conference in Puerto Rico in December.