It is common wisdom that passwords are a very ineffective method of authentication. They can be brute-forced or guessed in a dictionary attack. So why use a password to lock your phone? Because the lock pattern and the common four-digit PIN are far weaker. So, what is the most reliable way to lock a phone? Here’s a rundown of the methods and why you had better stick with passwords.

Lock patterns are easier to guess than you think

The lock pattern is used by about 40% of Android users for authentication. In it, you have to pick a pattern connecting dots on the screen in a particular shape and order. The default grid on Android phones has nine dots (although bigger ones are available too). If you connect at least four dots and don’t repeat any of them in your pattern, the maximum number of combinations you can use is 389,112. This isn’t a particularly high number for a computer to brute-force.

And an attacker doesn’t even have to resort to that. Breaking patterns from video footage analysed with computer-vision software is surprisingly efficient, as shown in a recent study by Lancaster University, Northwest University in China, and the University of Bath. Without even capturing what happens on the device’s screen – just recording your fingers swiping on it from a distance – the researchers managed to crack 95% of 120 patterns within five attempts.

The attack simulated in the study proved to be accurate from eight feet away, and reliable from thirty feet away. This means the attacker doesn’t have to shove their face in your screen – they can film you discreetly from the opposite end of a bar or coffee shop. Using a more complex pattern doesn’t help either: in the study, 87.5% of the more difficult patterns were cracked on the first attempt, compared to just 60% of the simpler ones.

PIN offers too few combinations and is easy to guess

To sum it up: the lock pattern is a joke in terms of security. This is why we disabled it when developing Secure Phone. The two available options are PIN and password, of which we recommend the latter. PINs are short and allow for too few combinations – 10,000 for a four-digit one. And people are rarely very creative when coming up with PINs. The most common choice is a date. And dates are easy to guess: for example, if you use the DDMM format, the first digit can only be 0, 1, 2, or 3, which significantly narrows down the possibilities.
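As an added example (not code from the original post), the following Python script reproduces both keyspace figures discussed above: it enumerates every valid pattern on the 3x3 grid under Android’s rule that a stroke may not jump over a dot that hasn’t been visited yet, and it counts how many of the 10,000 four-digit PINs read as a real date in DDMM form.

```python
# Added example: count valid 3x3 Android lock patterns (389,112 for lengths
# 4..9) and the share of four-digit PINs that are DDMM dates.
from datetime import date

# Dots are numbered 0..8 row by row:
#   0 1 2
#   3 4 5
#   6 7 8
# A stroke whose midpoint lands exactly on a third dot (e.g. 0 -> 2 crosses 1)
# is only allowed if that middle dot was already visited.
def _middle(a: int, b: int):
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if (ra + rb) % 2 or (ca + cb) % 2:   # no dot lies exactly half-way
        return None
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2

def count_patterns(min_len: int = 4, max_len: int = 9) -> dict:
    """Return {length: number of valid patterns} on the 3x3 grid."""
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def dfs(current: int, visited: int, length: int) -> None:
        if length >= min_len:
            counts[length] += 1
        if length == max_len:
            return
        for nxt in range(9):
            if visited >> nxt & 1:           # each dot may be used once
                continue
            mid = _middle(current, nxt)
            if mid is not None and not (visited >> mid & 1):
                continue                     # would jump over an unvisited dot
            dfs(nxt, visited | 1 << nxt, length + 1)

    for start in range(9):
        dfs(start, 1 << start, 1)
    return counts

def total_patterns() -> int:
    return sum(count_patterns().values())

def date_pins_ddmm() -> int:
    """Count 4-digit PINs that are a real DDMM date (leap year, so 2902 counts)."""
    n = 0
    for pin in range(10000):
        dd, mm = divmod(pin, 100)            # DDMM: first two digits are the day
        try:
            date(2024, mm, dd)
            n += 1
        except ValueError:
            pass
    return n

if __name__ == "__main__":
    print(count_patterns(), total_patterns())
    print(f"date-shaped PINs: {date_pins_ddmm()} of 10000")
```

Of the 10,000 four-digit PINs, only 366 are valid DDMM dates, which is the whole search space an attacker who knows a few birthdays has to cover.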

I remember one time I unlocked my wife’s PIN-protected phone because I made an informed guess that the combination was our daughter’s birthday. At the time, I found it funny how easy it was. But now that I think about it: with all the things she and I have shared on social media, our two birthdates, as well as those of our two kids, are pretty much public knowledge. Imagine someone took possession of one of our phones and then tried to unlock it, using the available information. It isn’t even that many options to choose from. They’d have access in no time.

Passwords: imperfect but still the superior option

This leaves us with passwords. And yes, no matter how sophisticated your password generation method is, there is a tailored attack that could break it. But passwords give you much more space to create entropy (lack of order or predictability). For one, you have the full alphabet, all the numbers and various symbols at your disposal. And then, unlike with PINs, you have the freedom to pick your password length.

When setting up a Secure Phone, choosing a lock screen method is one of the first things you do. As with all passwords, we recommend an alphanumeric one of more than nine characters. You can also set a limit on the number of allowed failed attempts at entering the password, after which the phone is wiped – this is done through the Secure Administration System (SAS). This way you can be sure that unless someone knows your password, there is no way for them to break into your device.
