Marte Løge The abundance of password leaks over the past decade has revealed some of the most commonly used—and consequently most vulnerable—passphrases, including “password”, “p@$$w0rd”, and “1234567”. The large body of data has proven invaluable to whitehats and blackhats alike in identifying passwords that on their face may appear strong but can be cracked in a matter of seconds. Further Reading Now, Android lock patterns—the password alternative Google introduced in 2008 with the launch of its Android mobile OS—are getting the same sort of treatment. The Tic-Tac-Toe-style patterns, it turns out, frequently adhere to their own sets of predictable rules and often possess only a fraction of the complexity they’re capable of. The research is in its infancy since Android lock Patterns (ALPs) are so new and the number of collected real-world-patterns is comparatively miniscule. Still, the predictability suggests the patterns could one day be subject to the same sorts of intensive attacks that regularly visit passwords . Marte Løge, a 2015 graduate of the Norwegian University of Science and Technology , recently collected and analyzed almost 4,000 ALPs as part of her master’s thesis. She found that a large percentage of them—44 percent—started in the top left-most node of the screen. A full 77 percent of them started in one of the four corners. The average number of nodes was about five, meaning there were fewer than 9,000 possible pattern combinations. A significant percentage of patterns had just four nodes, shrinking the pool of available combinations to 1,624. More often than not, patterns moved from left to right and top to bottom, another factor that makes guessing easier. “Humans are predictable,” Løge told Ars last week at the PasswordsCon conference in Las Vegas, where she presented a talk titled Tell Me Who You Are, and I Will Tell You Your Lock Pattern . “We’re seeing the same aspects used when creating a pattern locks as are used in pin codes and alphanumeric passwords.” ALPs can contain a minimum of four nodes and a maximum of nine, making there 389,112 possible combinations. In a similar fashion as passwords, the number of possible combinations grows exponentially with the length, at least up to a point.