Is Bigger Better? Comparing User Generated Passwords on 3x3 vs. 4x4 Grid Sizes for Android's Pattern Unlock and Analyzing Collection Methods and Demographic Differences

Adam Aviv

United States Naval Academy

Tuesday, March 15, 2016
11:00 a.m., ICSI Lecture Hall

Android's graphical authentication mechanism requires users to unlock their devices by “drawing” a pattern that connects a sequence of contact points arranged in a 3x3 grid. Prior studies have shown that human-generated patterns are far less complex than one would desire; large portions can be trivially guessed with sufficient training. Custom modifications to Android, such as CyanogenMod, offer ways to increase the grid size beyond 3x3, and in this paper we ask the question: Does increasing the grid size increase the security of human-generated patterns? To answer this question, we conducted two large studies, one in-lab and one online, and found that while there is some added security for increasing the grid size, guessing larger portions of 4x4 patterns requires only 2-bits more entropy than guessing the same ratio of 3x3 patterns, and the entropy is still on the order of  cracking random 3-digit PINs. These results suggest that while there may be some benefit to expanding the grid size to 4x4, the majority of patterns will remain trivially guessable and insecure against broad guessing attacks. Additionally, as this study offered an opportunity to collect data using different methodologies, in-lab and on-line, and with a relatively diverse demographic group, we present results on differences in provided patterns for the two major groups as well demographic differences, in particular between genders.


Adam J. Aviv is an Assistant Professor of Computer Science at the United States Naval Academy in Annapolis, MD. His primary research area is in usability on mobile devices with a particular focus on graphical passwords, and he has studied Android's graphical password system extensively over his career. He has also published broadly in the areas of computer security and privacy, network security, and applied cryptography. He received his Ph.D. from the University of Pennsylvania, studying with Matt Blaze and Jonathan M. Smith.