What's the entropy of smartphone "pattern passwords"? Through how many nodes do I have to go until I'm safe (say, a reasonable 42 bits of strength)?
1 Answer
You cannot reach 42 bits of entropy with a regular Android unlock pattern. The 3x3 grid is limited to 389,112 distinct patterns, giving you an entropy of 18.57 bits. This is less than you might assume since a dot cannot be selected twice and you cannot skip intermediate dots on a straight line.
Additionally, research has shown that many actual patterns are predictable and in fact much less complex than they could be. For instance, a majority of users begin their pattern in one of the four corners.
Besides the low entropy there are other security problems with unlock patterns, such as the smudge attack. Whether a pattern alone can be a suitable security measure has also been discussed here.
BTW, some mods (e.g. Cyanogen mod) support bigger grid sizes but I personally find a truly random pattern harder to remember than an equivalent PIN code.
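As an added worked example (not part of the original answer), the script below enumerates every pattern the 3x3 grid accepts under the two rules the answer states (a node cannot be reused, and a stroke cannot jump over a node that is not yet part of the pattern) and reproduces the 389,112 patterns / 18.57 bits figures. The minimum length of 4 nodes is Android's own requirement; the grid size is a parameter, but only the 3x3 case is small enough to count exhaustively.

```python
import math
from typing import Dict, List


def _skipped_nodes(a: int, b: int, grid: int) -> List[int]:
    """Grid nodes lying strictly between a and b on a straight line.

    Nodes are numbered row-major (0..grid*grid-1). Android will not let a
    stroke pass over such a node unless it already belongs to the pattern,
    so a jump is only legal when every node returned here is used.
    """
    ra, ca = divmod(a, grid)
    rb, cb = divmod(b, grid)
    dr, dc = rb - ra, cb - ca
    g = math.gcd(abs(dr), abs(dc))  # number of lattice steps along the line
    return [(ra + k * dr // g) * grid + (ca + k * dc // g) for k in range(1, g)]


def count_patterns(grid: int = 3, min_len: int = 4, max_len: int = 9) -> Dict[int, int]:
    """Count valid unlock patterns per length via depth-first search.

    Assumes Android's rules: every node at most once, no skipping unused
    nodes, and a pattern of at least min_len nodes (4 on stock Android).
    """
    n = grid * grid
    counts = {k: 0 for k in range(min_len, max_len + 1)}

    def dfs(last: int, used: int, length: int) -> None:
        if length >= min_len:
            counts[length] += 1
        if length == max_len:
            return
        for nxt in range(n):
            if used & (1 << nxt):
                continue  # node already part of the pattern
            if any(not used & (1 << m) for m in _skipped_nodes(last, nxt, grid)):
                continue  # would jump over an unvisited node: rejected
            dfs(nxt, used | (1 << nxt), length + 1)

    for start in range(n):
        dfs(start, 1 << start, 1)
    return counts


def entropy_bits(total_patterns: int) -> float:
    """Entropy of a uniformly chosen pattern, in bits."""
    return math.log2(total_patterns)


if __name__ == "__main__":
    per_length = count_patterns()
    total = sum(per_length.values())
    print(per_length, total, round(entropy_bits(total), 2))  # ... 389112 18.57
```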
- 18 bits eh? In other words, the longest possible unlock pattern is roughly equivalent to a 5 character password. Interesting... – Mike Ounsworth Nov 06 '16 at 18:02
- Better than a 4 character pin – Robert Fraser Nov 06 '16 at 19:43
- It's even worse... there is research that suggests that the pattern is actually visible sometimes because of the oily residue our fingers leave on the screen surface. Even if it is partly unrecoverable due to smudges caused by later input, part of it may be recovered sometimes. – Out of Band Nov 06 '16 at 20:24
- For a 4x4 grid, Aviv et al (doi:10.1145/2818000.2818014) calculate 4*10^13 theoretically possible combinations, while they find the majority of real-world patterns on a 4x4 grid to be of similar strength as a 3 digit pin. – TheEspinosa Sep 25 '17 at 08:59