Despite efforts to force users to make complex passwords, through length and character requirements, people still tend to find the simplest sequence to secure their digital lives. That's also the case with ALPs (Android Lock Patterns): people increase their exposure to intrusions by opting to set simple ALPs.
ALPs are an alternative to pin codes and fingerprint scanners. Instead of having to remember a sequence of numbers, users need only draw the pattern they established to secure their mobile devices.
The idea is simple. There are nine pegs on the lock screen and users must connect at least four of them, drawing a pattern in the process. That pattern is the pin.
There are hundreds of thousands of patterns users could draw. Marte Løge, technology analyst for Itera ASA, sees a problem with ALP, specifically the way people use them. Most people rely on simple four to five peg patters.
"You are predictable, your passwords are predictable, and so are your PINs," Løge states. "This simple fact is often exploited by hackers, as well as the agencies watching you. But what about your Android lock patterns? Can who you are reveal what patterns you create?"
Løge, who graduated from the Norwegian University of Science and Technology this year, just put on a presentation at PasswordCon in Las Vegas last Aug. 4. There was tons of research to make her case, but her point was simple.
"Full Disk Encryption won't save you if your lock pattern is L - as in loser," states Løge.
For her master's thesis, Løge analysed close to 4,000 ALPs. About 77 percent of ALP patterns start in one of the corners and about 44 percent of them begin in the top-left corner, she found.
The most common length of ALPs was five, with four being nearly as popular. There are over 7,100 combinations when five pegs are used and only 1,624 when four are used. By comparison, there are over 140,000 combinations for eight-peg patterns.
"Humans are predictable," Løge said to Ars Technica. "We're seeing the same aspects used when creating pattern locks [as are used in] pin codes and alphanumeric passwords."