
alone is worth a round of applause. I she survived me for a year, that's, you know, actually I'm not a round of applause, and she's done some, I would say, truly groundbreaking research, and I would just read the sage to Mo. Hear me? Yeah. Hello, thank you for your introduction. So, um, there are not a lot of girl speakers here, so I'm bringing a lot of pink for you. So yeah, uh, I'm going to present, um, what I've been working on, uh, for a year for my master's thesis, and just a couple of words about me: my name is Martha, I'm 23 years old, from Norway, just completed my master's thesis, and I'm really excited to be here in Las
Vegas for the first time. Just in sh or I haven't come I'm completing sh I just, uh, I don't believe I'm here. So yeah, I'm, um, I'm working as a developer at a consultant company, so that's what I'm going to do now and I'm going home from Vegas. So my talk is about passwords, uh, graphical passwords, and I like to, um, look at passwords and the predictability and the human aspects of passwords, because humans are really predictable, and when we talk about predictability, that's not a good thing when you talk about security, right? So mat going to focus on the Android pattern lock, as you probably know, on the, on the right. Uh, so when you, you're probably
familiar with the PIN codes and the, the passcodes and, um, strategies such as using a, creating a password with your name, your date of birth. That's, that's really known to everybody, that people use that to be able to remember the password they create. So, um, when creating PIN codes you're using, um, numbers; when you're creating a passcode you use letters and numbers that have a semantic meaning to you. But what about the dots? Are we able to predict what people are creating just to know who people are? Because that's kind of interesting, how you can connect who you are to something that are not letters or numbers. So just, um, a, a recap of number
of combinations of the Android pattern lock, because I don't think people know how many combinations there actually are. Does someone guess? No? PIN codes are 10,000 combinations and the Android pattern lock is close to 400,000 unique combinations. In numbers that sounds pretty great, doesn't it? Yeah. Just, uh, so what I have been doing is I created a custom-made survey for collecting patterns, user-created patterns, as well as information, background information about the people that create the patterns. So just looking, uh, I'm not just looking at the patterns themselves; it's also interesting to look at who actually created the patterns. So I have like did, um, about 3,400 patterns, these created patterns, uh, from a survey, interactive survey, uh,
only running on mobile phones, so it's, it's, it's collected from its intended environment. And I also asked all the respondents to create a pattern for a shopping account, mobile phone and a banking account, to just give a broad perspective of where you can, where used. So not just to ask people, can you just create a pattern, just complete it and be finished, so people have to think about where the intended use is. So just little, I just really like this graph because, and the dark ones are people that have used the Android pattern lock before and the light one is people that have not used the Android pattern lock before. And as you can see, for the patterns created for a shopping account
and a banking account, the numbers here are the reaction time, the time they used to create a pattern. So for this one and for this one it's, it's about the same, but when you look at this one there is a difference in the time used for creating the patterns. So for smartphone, people that have already used the Android unlock pattern, they respond faster, maybe because they actually gave away their password, right? So predictable. Yeah, okay. So as I said, um, the Android pattern lock is, you cannot use letters and not use numbers, so how can you connect the, the dots to who you are? What, the, what parameters can you use? So, uh, I will look at the screen
size, for instance, hand size, reading and writing direction, gender, handedness, to see if they can impact the way we create patterns. Uh, I want to just give you a summary because of, um, uh, a new aspect of the patterns, because it's a graphical pattern, meaning that it's, it's visual, you can see it, it's not just letters and numbers. So I've used a, a mathematical formula for calculating the comp, visual complexity of a pattern. So to, for explaining it, uh, the upper both of the blue patterns above the plank line, but as you can see, if you have watched over someone's shoulder when you created it, you can easily capture this one, but you should be very, very good if
you could just look over someone's shoulder and capture that one. So meaning you can just, um, look at the security in a number of selected nodes as you do with a, a normal password; then you can look at the entropy and the number of selected characters, etc. Here we have to add the extra dimension of the visual aspects. So the mathematical formula, uh, it's, it's just giving a score, just to give a, a hint of how visually complex the patterns are, so it's about 6 to 46 as SC to just give an indication of. So a fun thing about the patterns is that on average all the patterns created, the 3,400, they only reach an average score
of 13.6, meaning that the patterns created are, um, not, they having the visual complexity. So if you're wondering what I'm using to calculate visual complexity, um, uh, I'm using the, uh, number of nodes, the physical length, as well as some, something is called an overlap. I think it's new to someone, but you can, you can create a line that's going from the middle to the right and then to the other side, so then it looks like it's just one line but you're actually collecting this one, this one and the last one there. It just looks like one line and you can see where you start and end. And also using the intersections, so how many lines are
crossing. So out of this I'm kind of calculating the visual complexity. So, um, yeah, uh, a fun thing also is that nobody managed to create a pattern with the highest complexity. I was like, when I sent out the survey I thought that people would make it up as a challenge, uh, to create the maximum complexity, but nobody actually, yeah. Yeah, out of the 300,000-plus patterns, how many actually have the maximum complexity? Is there only one pattern that has that, or lots of them? Uh, I don't have the exact number now, no, I look it up, but I mean, yeah. You only collected 3,000, right? So only one had it, you never expect anyone to ever get. No, so there is
more between, uh, the 46 and 44 as well, so, um, there's a lot of patterns above for the, the highest maximum score in the, but I will check. So as I said, it's only, you're using only nodes, and I said that you don't use letters and numbers, but, uh, one thing about you, that you actually have a name. So when I was sending out the survey a lot of people would come to me and say, you know, my mom used, uh, her first, uh, the first letter in her name as a pattern so she can be able to remember it. So was, okay. Uh, so I looked through a lot of, I went through all the, all the,
uh, all the possible letters in the alphabet and looked through all the patterns to see how many patterns are actually corresponding to a letter in the alphabet. Fun thing that is, I was surprised that about 10, 10.4% of the patterns correspond to a letter, and that's one in 10 patterns are actually corresponding to a letter. And that's, if you know about the person's first, first name and if that is possible to create as a pattern, that's likely that the person actually used a letter as a pattern. That was kind of interesting. That's the same, uh, you can call using it association elements for remembering, and that's the same, um, strategy people are using when you create a, a normal password, using names,
uh, date of birth, and you actually know, so you don't forget the password. Um, the fun thing about the Android pattern lock is that when you know where, or a part of the pattern, you can restrict the number of patterns, uh, that are likely to be the, the pattern, because you can always select, uh, a node once. So, uh, I went through all the collected patterns and there is a fun thing about the starting node, because it's not, it's not random, because 44% of all the patterns were starting in the upper left corner and about 73% of the patterns were either starting in this one, this node and this node, or if you add all the corners you get a 77% of
all patterns
collected. So, uh, as I mentioned, hand size and for instance handedness, because, uh, if you know, 90% of the population of FO are right-handed, so okay, this one might be biased by that a lot of the people are right-handed. If you look at how you hold the mobile phone and create a pattern, if you for instance use one hand, if you're right-handed and using one hand, where do you have your thumb, where do you reach on the screen? So if you're holding, you're using your right hand and creating a pattern, your thumb is reaching up to that corner. Okay, so do, if I'm left-handed, do I then start in the other corner? So yeah, either one hand, using one
hand and the thumb, or using two hands and the forefinger or creating the pattern, that's two of the main ways of creating a pattern. So I looked at the right-handed respondents, so yeah, the numbers are about, about the same as we saw. This, the blue one is using one hand and the thumb and the green one are using two hands, so the left hand and the forefinger. So yeah, that's what I expected from the, the result we saw earlier. So left-handed,
it's not different. That was not that the result that I thought in the first, at first I, I was thinking about, I, I thought that people that are left-handed would start in the other corner, they were right opposite, and I didn't know why, because I expected that there were actually a difference. So, uh, one of the aspects that I mentioned, that was, uh, the reading and writing directions, because, um, researchers have found that if you present a set of images, for instance, to a person and ask, can you remember these pictures in a given time interval, uh, people that read from left to right would start scanning the pictures from the left to the right
or remembering the pictures, so the pictures that are, uh, below or in bottom or and to the right will be the picture that of these commonly recognized or remembered. And I also, this did this with people that had, and another reading direction, for instance if I have an Arabic background you probably read from the right to left, so people that were reading from right to left were scanning the picture and were remembering the pictures from right to left. Unfortunately I did not reach a lot of people having a lot, another writing, writing direction, but as a result here, that handedness did not impact at all, either using one hand, two hands, with right- or left-handed, it was the same
result, everybody started in the same direction. So hopefully someone knows a lot of people having another reading and writing direction, please let me know, because I really strongly, I really believe that if we had asked, uh, a set of people having a different reading and writing direction we would see a different selection in starting point and a different set of patterns. That's really cool. Um, continue with that, um, a look at, uh, 3-grams, that's a set of three nodes that are connected, so we can, uh, kind of track the behavior where the pattern actually are created. So these are the set of 3-grams that are most commonly, uh, most commonly used. So this
one, as you, as I said, people start up in the left corner, as, um, when you start here you'll probably go this way or this way, so all of these, yeah, as well as going through, um, move next to the grin as well. So keeping into edges, people stayed away from the diagonal down. People, all of these are like, these ones the most common and then these and then these. An example of, um, a 3-gram that is rarely occurring is for example going from this node down to this node, for example, or from this one to this one. That's possible, but people aren't using that one because when you go from there to there it's easy to kind of touch into
the other nodes, so people are sticking to the edge as well as creating straight lines that are easy to type. So we're kind of able to, uh, to see what people are actually creating. Um, so I have a couple minutes left. Um, the average length, I mentioned that I looked at the gender as well as the age of people. Um, I don't like this result at all, that wasn't what I expected, I wanted it opposite, but that's not how it works, I can't decide everything. Just means matter more. Exactly, I like that, just, yeah. But when, when I look at the patterns, uh, the average length, maybe that's not so different, but if you look at the
distribution of the patterns created, so these are the, the, the male participants and PW. Could it be that length is more important than
man I win, I win. Oh yeah, you, you don't have to reply about, no. Okay, thank you. So, and so you're, we need something to do some research, volunteers, yeah. So your graph on the previous slide looked like a dramatic difference, but looking at this slide the distribution looks basically identical. So look at the scale, I was, I was coming to it. So if you look at, at the percentage of people selecting the length four, yeah, so when you do statistical testing you're more able to kind of, instead of just looking at, at the average, yeah, when you do statistical testing you're able to, to catch, uh, that there actually is a statistical difference in the
patterns and not just looking at the average, average length. So the, the women actually created a, had a higher percentage of the patterns with a l length and opposite. And I just wanted to point out a result that I don't have an answer to, I do not know why, I can't explain the numbers, but on average there are only 4% of the data set that have created patterns of length eight. Yeah, that's, that's the only reasonable, uh, explanation. But there are actually over 140,000 unique combinations of patterns of length eight, so if only about 4% of, of the people are creating a pattern of length eight you can probably just, likely just reduce the likely number of patterns with
140,000. I just looked at it, it was really fascinating. So yeah, and I just, to recap the age of people, so this is the average h p created pattern length, and I saw as again a statistical significant difference between the patterns created by young people and older people, I can say. So the graph is going good, yeah, that's, so, but if you look at these ones, is it because people are more aware of security or is it, I don't know why, but people, when I, I looked over the, my brother creating patterns and his friends, and then was whooping around and screen and create amazing patterns. When I see, when I look at the patterns from
other people I know it's like, connect for do, that's fine, that's easy, open the screens very fast. So, um, still have a couple minutes, so, um, for now, uh, there are, there are a researcher in Germany that are, have also done a lot of work on the pattern lock, uh, and what I want to do further is to extend, uh, or develop a Markov model for doing statistical, uh, prediction of likely chosen patterns based on who you are, so handedness, writing, reading and writing direction, age, gender. Um, they have created a Markov model based on collected data from another research project, uh, but they did, do not have the extra information about the users. So if
we're able to, uh, to kind of make a model of different people, like a profile, are we able to, um, kind of be more successful to guess the patterns that he will create? So that's our, one of the main, kind of, continue, continue on this work, because it had more potential than for now. This is my master's thesis, so this kind of wrapping up now, and I hope that to continue that, and also please let me know if someone have a, know a lot of people with a, another writing, reading and writing direction, because I really want to know. I want, I want to kind of promise you that that actually impacting patterns, I, I really just want to say it
but I don't have the evidence yet. QA is, QA, I'm sorry, yeah, we have, yeah, we have to move to the Q&A. So yeah, um, do you have one more slide? True,
we do, we do have. Okay, okay, there are many questions, make them very short, make them count, we'll do two questions. First one: have you released the data? No, I don't have released, or I have a kind of a summary of everything that going to be released as my thesis, that will be available if was someone wanted read it, but, uh, data, raw data, I don't know if I'm able to just give it away, but if someone have kind of a, some ideas to use this information, please contact me and we will probably solve that for research purpose. In Norway there are very strict privacy regulations for that. Second question: what's the equivalent of
password, like what's the single most common pattern? Pattern, so the, about 26% of all the patterns were using the, I can probably find the, so patterns starting from here going that way and that way, so probably the L, yeah, but these ones are actually, 21% of all the patterns either started in using these three, not, nodes or these three nodes, so that's 20, 20%. We have to break it up, have to move to next, but good thing is I told her to submit for DEF CON and she got accepted for DEF CON, yeah, so she's doing this talk on Friday so there will be more time to stay here. On Sunday there lots more time
to ask the questions, by your A Mir drink, uh, and come watch talk all over again on Friday at after. So thank you.
now