Which Is More Secure, A Password Or a Pattern Lock?

Our smartphones carry a lot of personal information. All of your text messages, emails, notes, apps, app data, music, pictures, and so much more are all on there. While it’s a great convenience to have all of these on your phone, it’s also a major security risk if all of this data is easily accessible. The best way to prevent simple unauthorized access is by setting some sort of lock on your phone.

Two popular choices, especially on Android phones, are passwords and pattern locks. However, which one is the most secure to use? In order to answer that, we’ll have to use our brains and some math.

Passwords

Passwords are a bit harder to use than pattern locks because you actually have to type out your password. They are, however, still plenty easier than some desktop authentication methods available, such as multifactor authentication. But just how safe are they? In order to figure out how safe a method is, you’ll have to look at the number of possibilities.

No method is completely safe if an unauthorized user knows your password or pattern, but if they don’t know, they’ll have to keep guessing. If there are more possibilities, the person will have to make more guesses, which makes it safer and more secure.

For our experiment, we’ll compare 5-character passwords with 5-point patterns. Passwords can contain any character on your keyboard, including a-z, A-Z, 0-9, and all special characters, such as !, @, #, $, and so on. In total, that’s about 90 different possibilities with a US English keyboard. Each character can use all possible entries, so each character can be any of those 90 possibilities. In mathematical permutations, we have to multiply them together.

So for a 5-character password drawn from 90 possible characters, 90*90*90*90*90=5,904,900,000. That’s almost 6 million different passwords you can make if it’s only 5 characters long! No one will manually try to type in 6 million different passwords in order to guess the right one. Of course, for each additional character in your password, you multiply that number by 90. So upgrading to just a 6-character password gives you 531,441,000,000 possibilities. That’s a lot.

Patterns

Pattern locks, however, are quite different. Although they look confusing and complex, they’re actually not. To explain why, we’ll need to look at the maximum number of permutations. When you first start your pattern, you have nine points to choose from. This will be our first factor. Let’s take the choice which gives us the most options: the middle point. From here, you can pick any of the eight others as your second point. This will be our second factor. Whichever point you picked determines the number of available neighboring points. A corner point leaves only two options, while a side point gives you four — the two corners and the adjacent side points.

But let’s ignore the fact that you may (or may not) have to pick a neighboring point. If you can go to whichever point you’d like next, you’ll only have seven available options left, as you can’t pick a point twice — the reason why each factor’s value is declining. This is our third factor.

The fourth and fifth factors would, ideally, be six and five. Therefore, under ideal conditions, the maximum number of permutations you can get with a 5-point pattern is 9*8*7*6*5=15,120. Even if you went ahead and used a 6-point pattern, you’d only get a total of 60,480 permutations. Compared to what passwords offer, that’s absolutely nothing.

Admittedly, no one with a reasonable mind will want to manually try out 15,120 different possibilities, but the ratio of permutations of a 5-character password compared to a 5-point pattern is almost 390,536:1. Insane.
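The 9*8*7*6*5 figure above is an upper bound that ignores the grid's movement rule. As an added example (not part of the original article), this Python script counts patterns exactly, assuming the Android-style rule that a stroke cannot jump over a dot that has not been used yet; it goes beyond the 5-point case to cover lengths 4 through 9. The function names and the dot numbering (1 to 9, row by row) are choices made for this example.

```python
from math import perm

def build_skip_table():
    """Map (a, b) -> the dot lying exactly between dots a and b, if any.

    Dots are numbered 1..9 row by row on the 3x3 grid (example convention).
    """
    skip = {}
    for a in range(1, 10):
        for b in range(1, 10):
            (ra, ca), (rb, cb) = divmod(a - 1, 3), divmod(b - 1, 3)
            # A lattice midpoint exists only when both coordinate sums are even.
            if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
                skip[(a, b)] = (ra + rb) // 2 * 3 + (ca + cb) // 2 + 1
    return skip

SKIP = build_skip_table()

def count_patterns(length):
    """Count valid patterns of exactly `length` dots.

    Assumed rule (Android-style lock): no dot is used twice, and a stroke
    may pass over a midpoint dot only if that dot is already in the pattern.
    """
    def extend(last, used, remaining):
        if remaining == 0:
            return 1
        total = 0
        for nxt in range(1, 10):
            if nxt in used:
                continue
            mid = SKIP.get((last, nxt))
            if mid is not None and mid not in used:
                continue  # would jump over an unvisited dot
            total += extend(nxt, used | {nxt}, remaining - 1)
        return total

    return sum(extend(s, frozenset((s,)), length - 1) for s in range(1, 10))

def keyspace_report(charset=90, length=5):
    """Compare the article's figures with the exact pattern count."""
    return {
        "password": charset ** length,           # 90^5 in the article
        "pattern_upper_bound": perm(9, length),  # 9*8*7*6*5 in the article
        "pattern_exact": count_patterns(length),
        "patterns_len_4_to_9": sum(count_patterns(n) for n in range(4, 10)),
    }

if __name__ == "__main__":
    for name, value in keyspace_report().items():
        print(f"{name:>22}: {value:,}")
```

Under the assumed rule a 5-point pattern has 7,152 possibilities, fewer than half of the 15,120 upper bound, and all patterns of 4 to 9 points together come to 389,112.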

The Verdict

Clearly, the obvious choice for staying secure is to use a password instead of the pattern lock.

While the pattern lock may be fun to use, there’s plenty of data on your phone which you don’t want others to have. Now that I’ve done the math myself, I’ll be sure to use a password from now on, as it’s a whopping 390,536 times more secure when comparing 5-character passwords to 5-point patterns, and that number increases when you compare 6 vs. 6, 7 vs. 7, and so on. Additionally, using the pattern lock places some pretty unique smears onto your phone, which other people can look at to narrow down the possible choices for your pattern. Password users are less susceptible to this because it gets blurred with other typing activities such as texting.

Don’t feel too safe, however, just because you use the password method. You’ll still want to use a good password in order to stay safe; only then can you truly use the mathematical advantage over pattern locks. Check out these articles for creating good passwords you can still remember, creating a seriously hard password to break, testing your password for strength, and managing your passwords on your Android device.

Which locking mechanism do you use on your Android device? Does your password’s strength stack up? Let us know in the comments but please don’t share your passwords.

Image Credit: Internet background with binary code via Shutterstock

Peter

5,904,900,000 is nearly 6 BILLION, not million.

The math may be true but you also have to consider if the user has actually created a complex password. Selecting “aaaaa” or “12345” as your 5 character password is going to be guessed pretty quickly. Similarly, using a pattern that is a swipe straight down the middle 3 spots is also going to get cracked pretty quickly.
Just because people “can” create difficult to guess passwords, in no way suggests they will, and let’s be honest, entering “8V:r&” as a password to unlock your phone is kind of a PITA.

Pablo

a billion is correctly 1 million millions, therefore 1,000,000,000,000 not 10,000,000,000

John

No, it depends on whether AmE or BrE. The whole world is generally treating 10^9 as billion these days though.

Danny Stieben

The only billion I’ve ever learned is a thousand million, not a million million. That would be a trillion. I know Germans treat a million million as billion, but this site is in English. :)

Oleksiy Portechyn

Here in Europe most countries call “Billion” a number with 12 zeros (1 000 000 000 000 – one million million) . Don’t know about the rest of the world but USA and Brazil calls “Billion” a number with 9 zeros (1 000 000 000 – one thousand million).
That is because of the difference of long and short scales used.

juanDM4

another weird system that USA uses…

John

PS your other figure was 10bn not 1bn

Stephen Graves

Not in the US. I was surprised to find that million and billion (and possibly others) are not the same numbers globally. In the US, 1 billion is 1 thousand million, not 1 million millions.

Mark

i am surprised too. i didn’t know there was another value for billion.

the billion that i know is: 1 thousand million.

Danny Stieben

Sorry if I had said million. Typo!

Of course it still depends on whether the person picks out a good password/pattern, but when comparing just the methods themselves, you have to look at it purely objectively, which means math.

Desdemona

The comparison between the two types of security measures was informative.

Unfortunately, like most presentations on such matters, it was somewhat deceptive. For example, if there are only 10 possible combinations, the odds that someone will go through 9 failing attempts only to hit on the last are equal to the odds of hitting the combination the first. In every presentation I’ve seen on this subject it is written or spoken about as though success is achieved only on the last attempt. Or the impression is given that a password is secure because the number of combinations is so large that no one will likely be successful and may not even try.

While it may take “Giganto Supercomputer” 10 months to run through all the possible combinations of my password, in reality, there is a 50% chance it will hit it in 5 months and a 10% chance it will do it in a month. That’s why the longer password is better. Add in a little social engineering and the fact that people usually at least pick understandable words they can easily remember and the number of possibilities and time to crack drop precipitously from the maximum possible time.

Danny Stieben

Like I mentioned above, of course there are still subjective factors which can influence how safe a password is, but this is a comparison of methods, not passwords under certain methods.

Quagma

With a pattern, just hold the phone in the right light so you can see the oil from their fingerprints. I’ve unlocked a few co-workers phones that way (with them watching, to demonstrate, not for nefarious purposes).

Danny Stieben

Thanks again for touching on that. I believe I mentioned that towards the end of the article.

Mantish

Although a very informative article, I think reaching the conclusion that passwords are safer isn’t correct. It depends on the pattern or password you choose.
Passwords are safer against brute force attacks….but against other type of attacks I guess it depends on a lot of things

xbalesx

I always love insight on better tech security. Your latest on 2 factor authentication opened my eyes and I have implemented 2FA on a few sites.

Benjamin Glass

I’d still use a pattern lock.

James Reyes

Also with pattern locks is the issue of oily or grubby fingers leaving visible traces on the screen that someone else could decipher.

Kao Vang

Password acquired.

April Eum

i don’t lock mine is my verdict. i don’t store anything personal on my phone, all my pics go up on instagram, i delete texts after reading them, even log out of my emails and apps because i learned the hard way. a stolen phone is a stolen phone, lock it or not, someone is bound to decipher it if they had the work ethic to do so XD

Rob Dog

Against a brute force attack like Mantish said, a password will work better. I use the pattern and will always use the pattern, why? Because you can turn off the display of the green line of your swipe, so if someone looks at your phone whilst doing it, if you do it quick enough people won’t be able to see it. I’ve had many friends try to break in to my phone because they thought they saw my pattern swipe. Turns out they were all wrong. lol. Whereas a typed password will always show which buttons you’ve pressed as you do it, making it easier to see.

I also see the password as an everyday protection. So i can leave my phone at my desk at work (or similar) with the knowledge that my co-workers won’t be able to take a cheeky look. If someone wants to break in to your phone and has the know how, they’ll do it regardless of what you put in their way.

Peter

” I’ve had many friends try to break in to my phone because they thought they saw my pattern swipe.” – You need better friends.

Misho

I often see people unlock their phones using the pattern. I am not interested in their combination, but it is so obvious that it is funny. I should close my eyes in order not to remember the exact move a person made with its finger. :)

Darren Reynolds

I’ve got a new HP Probook with the fingerprint scanner.. It’s so easy and convenient and so far appears to do exactly what it’s meant to do.. This has to be the way forward…

Kieran Colfer

So what happens with IOS 5.1 and the camera button on the lockscreen? I’m still on 5.0.1 on my iphone, but I’ve seen some reports that if you use the swipe-up camera button on the 5.1 lock screen to open the camera, and then hit the home key it bypasses the passcode and brings you straight to the home screen.

Chuck Long

I personally use a password and it has way more than 5 characters in it. The pattern is faster and I see some say that the password is displayed when you type it in. For one if somebody “claims” to be your friend and is looking at your phone when you log up so they can see your password then get rid of them. Second is you need to be more aware of who is around you for self protection. I don’t store any vital info in my phone for banking, credit cards and the such. I don’t have that much trust for anybody.

Ruben Marrero

I personally use passwords, the more characters the better :) and change it very often… there are times that I switch to pattern if I know I will be in the need to get into my phone faster…

RandyN

I use pattern lock and don’t feel any less safe. My pattern lock has 11 points in it and is very quick for me to input. The pattern goes back over previous points so even if someone sees the oil from my fingers they’d have to know which points to swipe back over, when, etc. (i.e., not something you can tell by looking at the oil patterns).

GrrGrrr

interesting article. I would go for passwords if given a choice.

venkatp16

i always use pattern lock and find it very easy , but your analysis made me think…

Yang Yang Li

The safest option with 0 permutations is to not have a phone.

Jason Williams

great article. makes me rethink my company’s idea of using the pattern lock for mandatory security on corporate phones.

rama moorthy

Retina Scan is best Authentication system ever .. but cannot be used in Phones ..
Passwords are safe ..!

Ahmed Khalil

So, password is more secure than Pattern, but people use Pattern more than password, nice!!

carl

i only use 4 dots from the Pattern why?…because it would still take ages to crack and they would have to remember or write down which Pattern they used.

once inside my phone they would have all my passwords! all on keepass with a long master password and a key file that looks like part of the samsung os :P

if they get that far they’re welcome to all my bank accounts and ID, let’s face it they earned it :P

Usman Mubashir

I think the pattern method will improve in coming years and will provide better protection than passwords.

Bob

A 9 point pattern lock has 389,112 possible combinations. Patterns must be between 4 and 9 points in length and cannot duplicate points. Your effective starting points are 1, 2, and 5 and you can simply multiply the combinations of starting points 1 and 2 by four and then multiply the 5->1 and 5->2 starting combinations by four each to reach the total. Points also do not have to be adjacent since a knight move (jumping over an already used point to an unused point on the far side) also works. Here are a couple of more detailed explanations:

http://beust.com/weblog2/archives/000497.html
http://www.quora.com/How-many-combinations-does-Android-9-point-unlock-have

Joel Alar

Password is still more secure than pattern; pattern leaves traces on screen if you don’t clean it frequently.

Ellen Odza

Patterns seem awfully obvious – it’s easy to watch someone swiping their pattern. I use numeric passwords but I do NOT use obvious things like birthdays and things. For alphabetic passwords, I use a jumble of letters that has meaning to me but not to anyone else. One thing I use is the abbreviations of several academic journal titles strung together. I’ll remember them because I made up the abbreviations in the first place, but to anyone else they are just gibberish.

Dimal Chandrasiri

I agree on using a password rather than a pattern. Since I tried with the pattern, all of my friends got to know the pattern within a few hours. It’s very annoying when you think the others don’t know the pattern, but, when we give the mobile, they unlock it with one swipe. And the other thing is, the pattern can be stuck on the screen because of the finger grease since I have sweaty fingers. Therefore I prefer using password. It’s safer.

Totoy Badiola

Pattern locks are easier. It would be more secure if unsuccessful attempts are limited to say 5 and the tablet/phone locks and when it locks, it can be only opened with a password. The screen should also be designed to leave marks from greasy fingers.

Alex Perkins

It’s all fine and good having a password or pattern lock, but with touch screens if using your finger you leave a smudge. Just look at the smudge and get in.

baa

I wouldn’t recommend pattern unlock due to when your phone is locked and the screen is black you can look at your phone under any light and always see a wee pattern smudged into your screen/protector. So it wouldn’t take someone long to crack it

Jeff

@baa, I’ve been experimenting with patterns since I felt that way about the pin code. Most of our phones have a 4-digit pin, so it isn’t too hard to guess if someone has a dirty screen. I wonder how it affects the difficulty of the pattern in that you have to know where to start.

Given my experience with users and their epic passwords, I think the pattern might actually be practically more secure. It won’t be the same as another password, and it won’t be an unreasonable password. Now the challenge is to find a way to make ‘complex’ patterns. Might be nice if admins could enforce ‘no adjacent points’ or other methods of complicating the pattern.

John Williams

I made a nine button lock many years ago. All who tried it used it as a sequential phone keypad. Actually you had to press 4 buttons simultaneously – they were simply wired in series. The other five buttons were wired in parallel and touching any one “wrong” key set off a sixty second delay. The pattern was in how you held your hand to press all the correct keys at once. Increasing it to a 5×5 grid of 25 physical keys was too expensive at the time …. anyone want to write an app?

By the way all the pattern swipers I’ve seen always seem to use letter or number shapes. What if you had to swipe out a 5 digit Pin number? What if the pattern reader learned your swipe speed or that little peccadillo of yours to scratch your nose before swiping the last digit? Think like – the mark of Zorro!

Seriously though, ditch the idea of “password” you need a “passphrase” or better still, a pass poem. Learn a song or poem, use the first letters of the words or each line. Use an old, old number from your past – or a song with numbers in it. Finally pick 2 or 3 symbols like + and >, but not too many. The joy of lyrics is you can easily make 10, 12 or 14 point passcodes.
