Never Use Pattern Lock

Pattern Locks

Pattern as a security is one of the authentication methods used by mobile devices today. Pictorial representation of users PIN or numerical password is supposed to be a user friendly alternative to traditional keypad. With just a swipe user can enter the device without even lifting a finger. Just like swipe to unlock but with a added flavor of security.

How secure are patterns ?

Just by the virtue of having a lot of possible combinations, the pattern lock can be considered secure but how secure is it ? Most devices enforce that the pattern should have at least four nodes in them. But there are some limits to what users could draw as a pattern and that again is designed to make sure that patterns are not ambiguous and are easy to use. For a three by three grid pattern the rules are that a node can be used only once and if the line connecting two nodes is passing through another node then that node can’t be excluded from the pattern. These rules limit the possible valid combinations that are eligible to be a password. For example for a four digit PIN number that could include numbers 0-9 can have ten thousands possible combinations. On the other hand a three by three grid pattern with only four nodes in it can have only 1624 possible outcomes, which makes it weaker. Most devices add a thirty second cooldown for every four failed attempts and assuming there is no limit on cooldowns and a rate of four attempts per minute, including countdown, will take approximately seven hours to crack it.

Designed with ease of use in mind, pattern locks are easy to remember for the user and a potential sneaker as well. A glimpse of someone entering their pattern could be easy to remember and replicate after only a few attempts, at least that is my claim.

Shoulder Surfers

Additional information obtained from a mere glance can reduce the possible outcomes as well. A careful eye, from any angle, can easily make assumptions about the starting node of the patter, number of strokes that the user drew and maximum possible nodes in the pattern, again this is my assumption and claim.

Guess Yourself !

Keeping that in mind let’s see if it really is that easy to break a random pattern. Let’s assume you have made an assumption about,

• starting node
• number of strokes,
• minimum nodes,
• and maximum nodes

Another thing is the direction of strokes that you must be able to guess, like whether the first stroke was moving from right to left or top to bottom.

Then putting all that values in the drop downs below and clicking generate will create a pattern with those constraints. Try to guess the pattern which is made using patternlockjs library. When you give up, reveal the actual pattern, which is represented as a sequence for numbers representing nodes in a pattern path.

Parameters

Generate   Show Pattern

Select Params & Click Gsenerate to get random pattern

Conclusion

My take is that one should never use them but it’s up to you to decide whether pattern locks are secure or not. If it is really hard for you to guess a valid pattern given the constraint then I suggest usings those constraints while coming up with your next lock pattern.