
The most secure way to unlock your phone, revealed


tao


People should stop using patterns to unlock their devices, researchers have warned.

 

A new study has found that it’s a lot easier for people who might be looking over your shoulder as you unlock your phone to memorise a pattern than a passcode.

 

So-called “shoulder surfing attacks” can be easy for a criminal to plan and execute, but you can protect yourself by switching to a PIN code and increasing its length from four digits to six, the researchers say.

 

They got over 1,000 volunteers to act as attackers, challenging them to memorise a range of unlocking authentications – four- and six-digit PINs, and four- and six-length patterns with and without tracing lines – by watching a victim over their shoulder from a variety of angles.

 

The 5-inch Nexus 5 and 6-inch OnePlus One were the two handsets used in the study, as the researchers say they “are similar to a wide variety of displays and form factors available on the market today, for both Android and iPhone”.

 

The researchers also considered single and multiple views for the attacker and two different hand positions for the victim – single-handed thumb input and two-handed index-finger input.

 

The study found that four-length patterns with visible lines were far easier to crack as a result of shoulder surfing than any other type of unlocking authentication they tested.

 

“We find that PINs are the most secure to shoulder surfing attacks, and while both types of pattern input are poor, patterns without lines provides greater security,” the researchers, from United States Naval Academy and the University of Maryland, said.

 

“The length of the input also has an impact; longer authentication is more secure to shoulder surfing. Additionally, if the attacker has multiple-views of the authentication, the attacker’s performance is greatly improved.”

 

In tests, 10.8 per cent of six-digit PINs were cracked after one observation. This figure rose to 26.5 per cent after two observations.

 

64.2 per cent of six-length patterns with tracing lines, meanwhile, were cracked after one observation. This rose to 79.9 per cent after two observations.

 

35.3 per cent of six-length patterns without tracing lines were cracked after one viewing, rising to 52.1 per cent after two viewings. 

 

“Shorter patterns were even more vulnerable,” said the researchers, who added that even people who use fingerprint or face-scanning technology to unlock their phones should be wary of their findings.

 

“Biometrics is a promising advancement in mobile authentication, but they can be considered a reauthenticator or a secondary-authentication device as a user is still required to have a PIN or pattern that they enter rather frequently due to environmental impacts (e.g., wet hands),” they said.

 

“There are also known to be high false negatives rates associated with biometrics. Further, users with biometrics often choose weaker PINs as compared to those without, suggesting that the classical unlock authentication remains an important attack vector going forward.”

 

A separate study published earlier this year found that the majority of lock patterns can be cracked within five attempts. 

 


Am I the only one who does not lock his phone with any such passwords?

I for one open and lock so many times, it would be counterproductive to lock it with any type of password.

As far as it getting stolen, I had learned it the hard way a long time ago that no password is going to stop the thieves as they immediately shut the phone from its power and then change its OS and also IMEI number so nothing can trace it.



10 hours ago, DKT27 said:

Am I the only one who does not lock his phone with any such passwords?

I for one open and lock so many times, it would be counterproductive to lock it with any type of password.

As far as it getting stolen, I had learned it the hard way a long time ago that no password is going to stop the thieves as they immediately shut the phone from its power and then change its OS and also IMEI number so nothing can trace it.

Locking newer Android and iOS phones prevents an attacker from unlocking and accessing data if you enabled encryption.

Moreover, with location- or event-based security measures, you can set places, Bluetooth devices, Wi-Fi networks, etc. to automatically unlock your phone so you don't always type your PIN to unlock.

In addition, fingerprint unlock, if available, is the fastest in my opinion, but in any case you have to set a PIN as backup.



On Androids, passwords (especially the longer ones) are certainly far more secure than the pattern, swipe or PIN options of locking.

Once upon a time it used to be cumbersome to type out these long passwords each time one needed to access their device — however, the swiping mode of typing (pioneered by the Swype keyboard) renders the slower tapping mode of typing obsolete.

Personally, I use Tasker to automate locking and unlocking my device depending on whether it's located in a safe or unsafe place respectively.

As far as some countries (like India) are concerned, biometrics (fingerprinting and face recognition) are the most vulnerable form of locking for users of the Aadhaar Card — this despite the fact that the modern hardware (like iPhone 10) ships with one of the most close-to-perfect face-recognition algorithms known to man.



Archived

This topic is now archived and is closed to further replies.
