Our smartphones carry a lot of personal information. All of your text messages, emails, notes, apps, app data, music, pictures, and so much more are on there. While it’s a great convenience to have all of this on your phone, it’s also a major security risk if all of this data is easily accessible. The best way to prevent simple unauthorized access is by setting some sort of lock on your phone.

Two popular choices, especially on Android phones, are passwords and pattern locks. However, which one is the most secure to use? In order to answer that, we’ll have to use our brains and some math.

Passwords are a bit harder to use than pattern locks because you actually have to type out your password. They are, however, still much easier than some of the desktop authentication methods available, such as multifactor authentication. But just how safe are they? In order to figure out how safe a method is, you’ll have to look at the number of possibilities.

No method is completely safe if an unauthorized user knows your password or pattern, but if they don’t know, they’ll have to keep guessing. If there are more possibilities, the person will have to make more guesses, which makes it safer and more secure.

For our experiment, we’ll compare 5-character passwords with 5-point patterns. Passwords can contain any character on your keyboard, including a-z, A-Z, 0-9, and all special characters, such as !, @, #, \$, and so on. In total, that’s about 90 different possibilities with a US English keyboard. Each position in the password can be any of those 90 characters, independently of the others. To count the total number of passwords, we multiply the possibilities for each position together.

So for a 5-character password drawn from 90 possible characters, 90*90*90*90*90=5,904,900,000. That’s almost 6 million different passwords you can make if it’s only 5 characters long! No one will manually try to type in 6 million different passwords in order to guess the right one. Of course, for each additional character in your password, you multiply that number by 90. So upgrading to just a 6-character password gives you 531,441,000,000 possibilities. That’s a lot.

## Patterns

Pattern locks, however, are quite different. Although they look quite confusing and complex, they’re actually not. In order to explain why not, we’ll need to look at the maximum number of permutations. When you first start with your pattern, you have nine points to choose from. This will be our first factor. Let’s take the choice which gives us the most options: the middle point. From here, you can pick any of the eight others as your second point. This will be our second factor. Whichever point you picked determines how many neighboring points are available. A corner point leaves only two options, while a side point gives you four: the two corners and the adjacent side points.

But let’s ignore the fact that you may (or may not) have to pick a neighboring point. If you can go to whichever point you’d like next, you’ll only have seven available options left, as you can’t pick a point twice, which is why each factor’s value is declining. This is our third factor.

The fourth and fifth factors would, ideally, be six and five. Therefore, under ideal conditions, the maximum number of permutations you can get with a 5-point pattern is 9*8*7*6*5=15,120. Even if you went ahead and used a 6-point pattern, you’d only get a total of 60,480 permutations. Compared to what passwords offer, that’s absolutely nothing.

Admittedly, no one with a reasonable mind will want to manually try out 15,120 different possibilities, but the ratio of permutations of a 5-character password compared to a 5-point pattern is almost 390,536:1. Insane.
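The product 9*8*7*6*5 is an upper bound that allows a move to any unused point. As an added example (not part of the original article), this Python script counts the patterns that can actually be drawn under the rules described in comment 12 below: no point is used twice, and a straight line may pass over a point only if that point is already used. The grid numbering and the function names are assumptions of this example.

```python
import math
from itertools import product

# Dots are numbered row by row (numbering is an assumption of this example):
#   0 1 2
#   3 4 5
#   6 7 8

def build_midpoints():
    """Map (a, b) to the dot lying exactly halfway between a and b, if any."""
    mid = {}
    for a, b in product(range(9), repeat=2):
        if a == b:
            continue
        (ra, ca), (rb, cb) = divmod(a, 3), divmod(b, 3)
        # A dot sits in between only when row and column sums are both even.
        if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
            mid[(a, b)] = ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return mid

MID = build_midpoints()

def count_patterns(length):
    """Count drawable patterns made of exactly `length` distinct dots."""
    def extend(last, used, remaining):
        if remaining == 0:
            return 1
        total = 0
        for nxt in range(9):
            if used & (1 << nxt):
                continue  # a dot cannot be used twice
            m = MID.get((last, nxt))
            if m is not None and not used & (1 << m):
                continue  # the line would jump over an unused dot
            total += extend(nxt, used | (1 << nxt), remaining - 1)
        return total
    return sum(extend(start, 1 << start, length - 1) for start in range(9))

def article_upper_bound(length):
    """The article's 'ideal conditions' figure: 9*8*7*... with no jump rule."""
    return math.perm(9, length)

if __name__ == "__main__":
    for n in range(4, 10):
        print(n, "points:", article_upper_bound(n), "upper bound,",
              count_patterns(n), "drawable")
    print("total, 4 to 9 points:", sum(count_patterns(n) for n in range(4, 10)))
    print("90**5 per drawable 5-point pattern:", 90**5 // count_patterns(5))
```

With the jump rule applied, only 7,152 of the 15,120 five-point sequences can be drawn, and the total over lengths 4 to 9 is 389,112, the figure quoted in comment 12.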

## The Verdict

Clearly, the obvious choice for staying secure is to use a password instead of the pattern lock.

While the pattern lock may be fun to use, there’s plenty of data on your phone which you don’t want others to have. Now that I’ve done the math myself, I’ll be sure to use a password from now on, as it’s a whopping 390,536 times more secure when comparing 5-character passwords to 5-point patterns, and that number increases when you compare 6 vs. 6, 7 vs. 7, and so on. Additionally, using the pattern lock places some pretty unique smears onto your phone, which other people can look at to narrow down the possible choices for your pattern. Password users are less susceptible to this because it gets blurred with other typing activities such as texting.

Image Credit: Internet background with binary code via Shutterstock

1. Jagrit
November 14, 2015 at 11:49 am

I suggest to use a pattern.......as u guys told Passwords has more permutations but.....if a user perfectly remembers his pattern...and can make it fast.....there are more chances of not peeping.....a user can make a weird shape that is easy to remember....THAT'S ALL I WANT TO SAY.......THANK YOU :)

• NevG
March 11, 2016 at 2:48 pm

You can bypass Pattern codes & pins by a software easy.. Best way to secure a phone is to have a secure App within the phone..

2. Gerry
November 12, 2015 at 11:33 am

Each time you unlock with a pattern simply scrub your finger up and down over the area, and any discernible pattern will disappear. It only takes a moment. 15000 possibilities should give pretty good security, because after not many wrong attempts the phone will lock you out.

3. doublespeak
April 3, 2015 at 10:13 pm

I think the easier the protection, the more secure. Why? Because pattern is fun, password is a pain. People will swipe willingly! With passwords, on the contrary, users will set a longer time before the phone is password protected, in order not to have to digit it all the time, and that makes the phone less secure. Or, users will even disable the password protection altogether, if they get fed up.

4. John Williams
February 19, 2015 at 11:43 pm

I made a nine button lock many years ago. All who tried it used it as a sequential phone keypad. Actually you had to press 4 buttons simultaneously - they were simply wired in series. The other five buttons were wired in parallel and touching any one "wrong" key set off a sixty second delay. The pattern was in how you held your hand to press all the correct keys at once. Increasing it to a 5x5 grid of 25 physical keys was too expensive at the time .... anyone want to write an app?

By the way all the pattern swipers I've seen always seem to use letter or number shapes. What if you had to swipe out a 5 digit Pin number? What if the pattern reader learned your swipe speed or that little peccadillo of yours to scratch your nose before swiping the last digit? Think like - the mark of Zorro!

Seriously though, ditch the idea of "password" you need a "passphrase" or better still, a pass poem. Learn a song or poem, use the first letters of the words or each line. Use an old, old number from your past - or a song with numbers in it. Finally pick 2 or 3 symbols like + and >, but not too many. The joy of lyrics is you can easily make 10, 12 or 14 point passcodes.

• Mr Bob
November 10, 2016 at 12:25 am

Sure, something easy to remember will be good to use on a device where you type in the password and get 10 attempts before getting put in timeout, or device wipe.

It's still bad practice to use any password that is an actual word, found in a dictionary. And yes, L337 (leet) words count as real words. It's a simple hack to make a dictionary attack. If you used a pass phrase like "nowisthetimeforallgoodmentocometotheaidoftheircountry", being as long as it is you would think it's pretty secure. But it isn't. It's a simple password made of about 17 words (I'm guessing, I'm not bothering to count). A much stronger password uses entropy. Complete randomness. And can be much much shorter. I.e. 5;73?\$/4 which is only 8 characters, but much stronger because of entropy.

I personally use a special technique that is unguessable to anyone other than someone who knows me extremely well. I take the last four digits of the first phone number I had when I was a kid let's just use 6977 for example. I then use special abbreviation for the website I'm logging into, taking the first character of each part of its name, in caps, let's say MS for Microsoft. I add an extra nonsense word to follow the web name, usually based on a title of a book I have read. "1984" I would create the word "atefour" I then append the phone number at the end. For sites that allow special characters, I place a "!" Between each of those sections. The result being like this...
6977!MS!atefour!6977
Which gives me a 20 character semi random number. At best it's not vulnerable to a dictionary attack. At worst someone could figure out my pattern by gleaning my password off several sites. But then, all my important passwords are pregenerated random ones. You can get some great entropy from Steve Gibson site, http://www.grc.com and look for perfect passwords.
While there look for security now podcast.

5. Jeff
February 9, 2015 at 4:25 pm

@baa, I've been experimenting with patterns since I felt that way about the pin code. Most of our phones have a 4-digit pin, so it isn't too hard to guess if someone has a dirty screen. I wonder how it affects the difficulty of the pattern in that you have to know where to start.

Given my experience with users and their epic passwords, I think the pattern might actually be practically more secure. It won't be the same as another password, and it won't be an unreasonable password. Now the challenge is to find a way to make 'complex' patterns. Might be nice if admins could enforce 'no adjacent points' or other methods of complicating the pattern.

6. baa
January 21, 2015 at 12:51 pm

I wouldn't recommend pattern unlock due to when your phone is locked and the screen is black you can look at your phone under any light and always see a wee pattern smudged into your screen/ protector. So it wouldn't take someone long to crack it

7. Alex Perkins
September 12, 2012 at 6:21 pm

It's all fine and good having a password or pattern lock, but with touch screens if using your finger you leave a smudge. Just look at the smudge and get in.

September 10, 2012 at 7:51 pm

Pattern locks are easier. It would be more secure if unsuccessful attempts are limited to say 5 and the tablet/phone locks and when it locks, it can be only opened with a password. The screen should also be designed to leave marks from greasy fingers.

9. Dimal Chandrasiri
September 6, 2012 at 12:33 pm

I agree on using a password rather than a pattern. Since I tried the pattern, all of my friends got to know the pattern within a few hours. It's very annoying when you think the others don't know the pattern, but, when we give the mobile, they unlock it with one swipe. And the other thing is, the pattern can be stuck on the screen because of the finger grease since I have sweaty fingers. Therefore I prefer using a password. It's safer.

10. Ellen Odza
September 6, 2012 at 2:31 am

Patterns seem awfully obvious - it's easy to watch someone swiping their pattern. I use numeric passwords but I do NOT use obvious things like birthdays and things. For alphabetic passwords, I use a jumble of letters that has meaning to me but not to anyone else. One thing I use is the abbreviations of several academic journal titles strung together. I'll remember them because I made up the abbreviations in the first place, but to anyone else they are just gibberish.

11. Joel Alar
September 6, 2012 at 1:49 am

Password is still more secure than pattern; pattern leaves traces on the screen if you don't clean it frequently.

12. Bob
September 5, 2012 at 7:55 pm

A 9 point pattern lock has 389,112 possible combinations. Patterns must be between 4 and 9 points in length and cannot duplicate points. Your effective starting points are 1, 2, and 5 and you can simply multiply the combinations of starting points 1 and 2 by four and then multiply the 5->1 and 5->2 starting combinations by four each to reach the total. Points also do not have to be adjacent since a knight move (jumping over an already used point to an unused point on the far side) also works. Here are a couple of more detailed explanations:

13. Usman Mubashir
September 4, 2012 at 6:41 pm

I think the pattern method will improve in coming years and will provide better protection than passwords.

14. carl
September 4, 2012 at 4:53 pm

I only use 4 dots from the Pattern. Why?...because it would still take ages to crack and they would have to remember or write down which Pattern they used.

once inside my phone they would have all my passwords! all on keepass with a long master password and a key file that looks like part of the samsung os :P

If they get that far they're welcome to all my bank accounts and ID, let's face it they earned it :P

15. Ahmed Khalil
September 3, 2012 at 11:47 am

So, password is more secure than Pattern, but people use Pattern more than password, nice!!

16. rama moorthy
September 2, 2012 at 10:32 am

Retina Scan is best Authentication system ever .. but cannot be used in Phones ..

17. Jason Williams
September 1, 2012 at 3:18 pm

Great article. Makes me rethink my company's idea of using the pattern lock for mandatory security on corporate phones.

18. Yang Yang Li
August 31, 2012 at 9:03 pm

The safest option with 0 permutations is to not have a phone.

19. venkatp16
August 31, 2012 at 5:22 pm

i always use pattern lock and find it very easy , but your analysis made me think...

20. GrrGrrr
August 31, 2012 at 1:56 pm

interesting article. I would go for passwords if given a choice.

21. RandyN
August 31, 2012 at 1:40 pm

I use pattern lock and don't feel any less safe. My pattern lock has 11 points in it and is very quick for me to input. The pattern goes back over previous points so even if someone sees the oil from my fingers they'd have to know which points to swipe back over, when, etc. (i.e., not something you can tell by looking at the oil patterns).

22. Ruben Marrero
August 31, 2012 at 1:20 pm

I personally use passwords, the more characters the better :) and change it very often... there are times that I switch to pattern if I know I will be in the need to get into my phone faster...

23. Chuck Long
August 31, 2012 at 12:12 pm

I personally use a password and it has way more than 5 characters in it. The pattern is faster and I see some say that the password is displayed when you type it in. For one if somebody "claims" to be your friend and is looking at your phone when you log up so they can see your password then get rid of them. Second is you need to be more aware of who is around you for self protection. I don't store any vital info in my phone for banking, credit cards and the such. I don't have that much trust for anybody.

24. Kieran Colfer
August 31, 2012 at 10:40 am

So what happens with IOS 5.1 and the camera button on the lockscreen? I'm still on 5.0.1 on my iphone, but I've seen some reports that if you use the swipe-up camera button on the 5.1 lock screen to open the camera, and then hit the home key it bypasses the passcode and brings you straight to the home screen.

25. Darren Reynolds
August 31, 2012 at 9:35 am

I've got a new HP Probook with the fingerprint scanner.. It's so easy and convenient and so far appears to do exactly what it's meant to do.. This has to be the way forward...

26. Misho
August 31, 2012 at 9:15 am

I often see people unlock their phones using the pattern. I am not interested in their combination, but it is so obvious that it is funny. I should close my eyes in order not to remember the exact move a person made with their finger. :)

27. Rob Dog
August 30, 2012 at 11:22 pm

Against a brute force attack like Mantish said, a password will work better. I use the pattern and will always use the pattern, why? Because you can turn off the display of the green line of your swipe, so if someone looks at your phone whilst doing it, if you do it quick enough people won't be able to see it. I've had many friends try to break in to my phone because they thought they saw my pattern swipe. Turns out they were all wrong. lol. Whereas a typed password will always show which buttons you've pressed as you do it making it easier to see.

I also see the password as an everyday protection. So i can leave my phone at my desk at work (or similar) with the knowledge that my co-workers won't be able to take a cheeky look. If someone wants to break in to your phone and has the know how, they'll do it regardless of what you put in their way.

• Peter
August 31, 2012 at 12:03 pm

" I’ve had many friends try to break in to my phone because they thought they saw my pattern swipe." - You need better friends.

28. April Eum
August 30, 2012 at 10:53 pm

i don't lock mine is my verdict. i don't store anything personal on my phone, all my pics go up on instagram, i delete texts after reading them, even log out of my emails and apps because i learned the hard way. a stolen phone is a stolen phone, lock it or not, someone is bound to decipher it if they had the work ethic to do so XD

29. James Reyes
August 30, 2012 at 10:25 pm

Also with pattern locks is the issue of oily or grubby fingers leaving visible traces on the screen that someone else could decipher.

• Kao Vang
August 31, 2012 at 1:39 pm

30. Benjamin Glass
August 30, 2012 at 10:09 pm

I'd still use a pattern lock.

31. xbalesx
August 30, 2012 at 9:10 pm

I always love insight on better tech security. Your latest on 2 factor authentication opened my eyes and I have implemented 2FA on a few sites.

32. Mantish
August 30, 2012 at 7:12 pm

Although a very informative article. I think reaching the conclusion that passwords are safer isn't correct. It depends on the pattern or password you choose.
Passwords are safer against brute force attacks....but against other type of attacks I guess it depends on a lot of things

33. Quagma
August 30, 2012 at 7:05 pm

With a pattern, just hold the phone in the right light so you can see the oil from their fingerprints. I've unlocked a few co-workers phones that way (with them watching, to demonstrate, not for nefarious purposes).

• Danny Stieben
August 30, 2012 at 9:33 pm

Thanks again for touching on that. I believe I mentioned that towards the end of the article.

34. Desdemona
August 30, 2012 at 6:30 pm

The comparison between the two types of security measures was informative.

Unfortunately, like most presentations on such matters, it was somewhat deceptive. For example, if there are only 10 possible combinations, the odds that someone will go through 9 failing attempts only to hit on the last are equal to the odds of hitting the combination the first. In every presentation I've seen on this subject it is written or spoken about as though success is achieved only on the last attempt. Or the impression is given that a password is secure because the number of combinations is so large that no one will likely be successful and may not even try.

While it may take "Giganto Supercomputer" 10 months to run through all the possible combinations of my password, in reality, there is a 50% chance it will hit it in 5 months and a 10% chance it will do it in a month. That's why the longer password is better. Add in a little social engineering and the fact that people usually at least pick understandable words they can easily remember and the number of possibilities and time to crack drop precipitously from the maximum possible time.

• Danny Stieben
August 30, 2012 at 9:32 pm

Like I mentioned above, of course there are still subjective factors which can influence how safe a password is, but this is a comparison of methods, not passwords under certain methods.

35. Peter
August 30, 2012 at 6:30 pm

5,904,900,000 is nearly 6 BILLION, not million.

The math may be true but you also have to consider if the user has actually created a complex password. Selecting "aaaaa" or "12345" as your 5 character password is going to be guessed pretty quickly. Similarly, using a pattern that is a swipe straight down the middle 3 spots is also going to get cracked pretty quickly.
Just because people "can" create difficult to guess passwords, in no way suggests they will, and let's be honest, entering "8V:r&" as a password to unlock your phone is kind of a PITA.

• Pablo
August 30, 2012 at 7:44 pm

a billion is correctly 1 million millions, therefore 1,000,000,000,000 not 10,000,000,000

• John
August 30, 2012 at 8:45 pm

No, it depends on whether AmE or BrE. The whole world is generally treating 10^9 as billion these days though.

• Danny Stieben
August 30, 2012 at 9:28 pm

The only billion I've ever learned is a thousand million, not a million million. That would be a trillion. I know Germans treat a million million as billion, but this site is in English. :)

• Oleksiy Portechyn
August 31, 2012 at 5:40 pm

Here in Europe most countries call "Billion" a number with 12 zeros (1 000 000 000 000 - one million million) . Don't know about the rest of the world but USA and Brazil calls "Billion" a number with 9 zeros (1 000 000 000 - one thousand million).
That is because of the difference of long and short scales used.

• juanDM4
September 1, 2012 at 2:58 pm

another weird system that USA uses...

• John
August 30, 2012 at 8:47 pm

PS your other figure was 10bn not 1bn

• Stephen Graves
August 30, 2012 at 9:00 pm

Not in the US. I was surprised to find that million and billion (and possibly others) are not the same numbers globally. In the US, 1 billion is 1 thousand million, not 1 million millions.

• Mark
September 3, 2012 at 6:03 pm

i am surprised too. i didn't know there was another value for billion.

the billion that i know is: 1 thousand million.

• Danny Stieben
August 30, 2012 at 9:26 pm

Sorry if I had said million. Typo!

Of course it still depends on whether the person picks out a good password/pattern, but when comparing just the methods themselves, you have to look at it purely objectively, which means math.