Complexity Metrics and User Strength Perceptions of the Pattern-Lock Graphical Authentication Method

  • Panagiotis Andriotis
  • Theo Tryfonas
  • George Oikonomou
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8533)


One of the most popular contemporary graphical password approaches is the Pattern-Lock authentication mechanism that comes integrated with the Android mobile operating system. In this paper we investigate the impact of password strength meters on the selection of a perceivably secure pattern. We first define a suitable metric to measure pattern strength, taking into account the constraints imposed by the Pattern-Lock mechanism’s design. We then implement an app through which we conduct a survey of Android users, retaining demographic information about respondents and their perceptions of what constitutes a pattern complex enough to be secure. Subsequently, we display a pattern strength meter to the participant and investigate whether this additional prompt influences the user to change their pattern to a more effective and complex one. We also investigate potential correlations between our findings and the results of a previous pilot study in order to detect any significant biases in setting a Pattern-Lock.


Keywords: Security, Android, password, bias, usability, feedback





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Panagiotis Andriotis (1)
  • Theo Tryfonas (1)
  • George Oikonomou (1)

  1. University of Bristol, Bristol, U.K.
