In Tell Me Who You Are, and I Will Tell You Your Lock Pattern, Marte Løge presented some of her Master's Thesis research on the guessability of Android lock-patterns — and guess what?
They're pretty guessable.
77% of patterns start in one of the corners; 44% start in the top left corner; they average five nodes (many have four!); they generally move left-right/top-bottom. Young men pick the strongest patterns; left-handers have the same start-points as righties. Oh, and a lot of people just swipe a Roman alphabet letter.
One of the study's biggest surprises was the minimal use of eight-node patterns, by both males and females. Both sexes were two to four times more likely to choose a nine-node pattern rather than one with eight nodes, even though both provided precisely the same number of possible combinations. Another unexpected finding, left-handed users tended to pick the same starting places as their right-handed counterparts.
Løge had several suggestions for ways to make ALPs more secure. The first, naturally, is to choose one with more nodes and a higher complexity score. Another is to incorporate crossovers, since it makes it harder for an attacker looking over the target's shoulder to trace the precise sequence. Better yet, she suggested people open the Security category in their Android settings and turn off the "make pattern visible" option. This will prevent the drawing of lines that connect each pattern node, making shoulder surfing even more difficult.
New data uncovers the surprising predictability of Android lock patterns [Dan Goodin/Ars Technica]
Tell Me Who You Are, and I Will Tell You Your Lock Pattern [Marte Løge/Security B-Sides]