Marte Løge, a 2015 graduate of the Norwegian University of Science and Technology, recently collected and analyzed almost 4,000 ALPs as part of her master’s thesis. She found that a large percentage of them — 44 percent — started in the top left-most node of the screen. A full 77 percent of them started in one of the four corners. The average number of nodes was about five, meaning there were fewer than 9,000 possible pattern combinations. A significant percentage of patterns had just four nodes, shrinking the pool of available combinations to 1,624. More often than not, patterns moved from left to right and top to bottom, another factor that makes guessing easier. […]
Data breaches over the years have repeatedly shown some of the most common passwords are “1234567”, “password”, and “letmein”. Løge said many ALPs suffer a similar form of weakness. More than 10 percent of the ones she collected were fashioned after an alphabetic letter, which often corresponded to the first initial of the subject or of a spouse, child, or other person close to the subject. The discovery is significant, because it means attackers may have a one-in-ten chance of guessing an ALP with no more than about 100 guesses. The number of guesses could be reduced further if the attacker knows the names of the target or of people close to the target.
Interesting research. It’s human psychology — our natural tendency toward laziness — that makes something like Touch ID so much more secure than a passcode in actual practice.
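The pool sizes quoted above (1,624 four-node patterns, fewer than 9,000 five-node ones) follow directly from the grid rules, and enumerating them shows how small the space becomes once a pattern is assumed to start in a corner. The script below is an added example written for this page, not code from the thesis or the post; it assumes Android's standard 3x3 rules (4 to 9 distinct nodes, no direct stroke over an unvisited node), and the names `CORNERS`, `middle_nodes`, `count_patterns` and `pool_size` are chosen here.

```python
"""Enumerate valid Android lock patterns (ALPs) on the 3x3 grid.

Rules assumed (Android's own): 4 to 9 distinct nodes; a stroke that passes
straight over an unvisited node is not a valid direct jump (the grid would
insert that node), so it may only be used once that node is visited.
"""
from itertools import product

CORNERS = {0, 2, 6, 8}  # top-left, top-right, bottom-left, bottom-right


def middle_nodes():
    """Map (a, b) -> node lying exactly between a and b, for jumps that skip one."""
    mids = {}
    for a, b in product(range(9), repeat=2):
        (ra, ca), (rb, cb) = divmod(a, 3), divmod(b, 3)
        if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
            mids[(a, b)] = ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return mids


def count_patterns():
    """Return {(start_node, length): count} over every valid pattern."""
    mids = middle_nodes()
    counts = {}

    def extend(path, visited):
        if len(path) >= 4:
            key = (path[0], len(path))
            counts[key] = counts.get(key, 0) + 1
        if len(path) == 9:
            return
        for nxt in range(9):
            if nxt in visited:
                continue
            mid = mids.get((path[-1], nxt))
            if mid is not None and mid not in visited:
                continue  # would skip over an unvisited node: not a direct move
            extend(path + [nxt], visited | {nxt})

    for start in range(9):
        extend([start], {start})
    return counts


def pool_size(counts, length=None, starts=range(9)):
    """Number of patterns with the given length (None = any) and start nodes."""
    return sum(c for (s, n), c in counts.items()
               if s in starts and (length is None or n == length))


if __name__ == "__main__":
    counts = count_patterns()
    print(f"all valid patterns: {pool_size(counts)}")
    for n in range(4, 10):
        print(f"{n} nodes: {pool_size(counts, n)} "
              f"(corner start: {pool_size(counts, n, CORNERS)})")
```

Running it prints 1,624 four-node and 7,152 five-node patterns out of 389,112 in total, and the corner-start column shows how much of each pool the 77 percent figure concentrates guessing into.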