Is Bigger Better? Comparing User Generated Passwords on
3×3 vs. 4×4 Grid Sizes for Android’s Pattern Unlock
Adam Aviv, USNA
1:00-2:00pm Tuesday, 1 December 2015, ITE 459
Android’s graphical authentication mechanism requires users to unlock their devices by “drawing” a pattern that connects a sequence of contact points arranged in a 3×3 grid. Prior studies have shown that human-generated patterns are far less complex than one would desire; large portions can be trivially guessed with sufficient training. Custom modifications to Android, such as CyanogenMod, offer ways to increase the grid size beyond 3×3, and in this paper we ask the question: Does increasing the grid size increase the security of human-generated patterns?
To answer this question, we conducted two large studies, one in-lab and one online, collecting 934 total 3×3 patterns and 504 4×4 patterns. Analysis shows that for both 3×3 and 4×4 patterns, there is a high incidence of repeated patterns and symmetric pairs (patterns that derive from others based on a sequence of flips and rotations). Further, many of the 4×4 patterns are similar versions of 3×3 patterns distributed over the larger grid space. Leveraging this information, we developed the most advanced guessing algorithm in this space, and we find that guessing the first 20% (0.2) of patterns for both 3×3 and 4×4 can be done as efficiently as guessing a random 2-digit PIN. Guessing larger portions of 4×4 patterns (0.5), however, requires 2-bits more entropy than guessing the same ratio of 3×3 patterns, but the entropy is still on the order of cracking random 3-digit PINs. These results suggest that while there may be some benefit to expanding the grid size to 4×4, the majority of patterns will remain trivially guessable and insecure against broad guessing attacks.
Adam J. Aviv is an Assistant Professor of Computer Science at the United States Naval Academy, receiving his Ph.D. from the University of Pennsylvania under the advisement of Jonathan Smith and Matt Blaze. He has varied research interests including in system and network security, applied cryptography, smartphone security, and more recently in the area of usable security with a focus on mobile devices.