Lockscreen patterns less secure than PINs


#1

Study says Android lockscreen patterns less secure than PINs.

HTTPS://kas.pr/wb4b


#2

I had a Nexus 5 once; I showed it to an Android developer friend of mine. He looked at it and unlocked the phone, no trouble at all. :neutral_face:


#3

Well, that’s actually not exactly what the study says. It says it offers less protection against “shoulder surfing”. It may additionally be generally less secure, but that’s not what the study says.

When it comes to security it’s always a question of what you want to protect yourself against. I’d argue that if shoulder surfing is a concern for you (and I believe it should be for commuters or others who frequently unlock their phone in public) then biometrics is the best compromise. (Incidentally I just saw a person on the train this morning who unlocked his phone with a 6-digit PIN which he typed in very carefully in plain view of at least 10 others several times over the course of the journey.)

An important thing when it comes to security is threat modelling: What do you want to defend against? State actors? Casual observers? Family members? Regular thieves? Depending on who your threat is, your answer of what is more or less secure may well differ…


(Hugh) #4

I think it is well accepted that pattern unlock is not as good as PIN/password in terms of security.


#5

I agree. But my point was: What is more (or less) secure for you may differ from what is more or less secure for me, depending on whom we need to protect against, and on how we act. There is for example a large number of people who say “passwords (or PINs) are more secure than fingerprint.” That may be true for some, but I see cases like this 6-digit PIN guy on the train all the time. He’d definitely be more secure with a fingerprint, because you can’t shoulder surf that. But his (theoretically potentially more secure) 6-digit PIN is probably known to dozens (if not hundreds) of people who may have ridden on the same train as him over the years. And he has obviously thought about his security, as he went to the trouble of using a 6-digit PIN, rather than the default 4. But I’d argue that because he fell for generalised advice he actually made himself more vulnerable.


(Hugh) #6

I think this is also the argument behind complex password requirements. Because they are so complicated, they define a very narrow set of criteria that all passwords must meet, which makes it much easier to guess passwords (John the Ripper), because users follow a very set pattern and only just try to meet the requirements because we’re lazy.


#7

Really?! Whoever could’ve guessed that?!!