19^{th} November 2017
When you enable "device encryption" on Android it produces an encryption key from your screen-locker code. Although I'm sure it uses a slow-hash to make it slow for an attacker to try lots of codes, it's still important that there be lots of combinations in case the attacker has a powerful computer.
I look at the different types of screen lock option that android provides and calculate how many combinations there are.
I do not attempt to study the security of fingerprint based screen lockers as I don't know how to. I suspect they're really insecure as your fingerprint is likely to be all over the phone's case and screen.
Excluding fingerprint, the screen-lock options on Android 7.1.2 are:
We want at least billions of combinations to make our device secure. So we will test how we can get billions of combinations with each of these screen lockers.
First let's study the security of "pattern".
You can choose from a grid size of 3x3, 4x4, 5x5 or 6x6. As you drag your finger through the grid it joins the dots together in a certain order.
Each dot can only be selected once, meaning that the length limit is the same as the number of dots.
How many combinations are there? Calculating this is not particularly simple because a dot cannot be repeated. Lacking any true maths skills the only way I could work it out was to write a program to walk through the tree of combinations to find them all.
#! /usr/bin/env python3 # finds number of combinations that do not re-use a letter. it's for # calculating the security of android "pattern" screen-locker # first arg: number of dots, second arg, length of combination import sys amount = int(sys.argv[1]) length = int(sys.argv[2]) def instance(length, digit, chain): length = length - 1 if str(digit) in chain: return chain += [str(digit)] if length == 0: print(chain) return for num in range(1, amount + 1): instance(length, num, list(chain)) for num in range(1, amount + 1): chain = [] instance(length, num, list(chain))
OK so let's consider a short code that's quick to enter. We have a 3x3 grid (9 dots) and we use 6 of them. The script tells me there are only 60,480 combinations!! This is not secure at all. We want at least billions.
How about if we use all the dots on the 3x3 grid (all 9)? Aw only 362,880 combinations. Still insecure.
OK how about a 4x4 grid (16 dots) and we use 6 of them? Oh only 5,765,760.
OK Let's try 8 dots on the 4x4 grid. 22 minutes later my script tells me there are 518,918,400 combinations. Still not billions!
9 dots on 4x4? 3 hours later my script tells me there is 4,151,347,200 combinations. Finally! That's billions.
So with pin you use a sequence of numbers from 0-10. Length is between 4 and 16. Same number can be used twice.
What's fab is that we don't need a script to work this out, we can just use simple maths. number_of_options to-the-power-of length.
Let's try 4 long. pf only 10,000 combinations. Let's try 9 long. Wow 1,000,000,000 combinations! We now have billions of combinations which is what we want.
I suspect we're gonna get some baddas amount of combinations here, as we can use all 10 digits, all 26 lowercase letters, all 26 uppercase letters, and loads of symbols. Again maths is simple, just number_of_options to-the-power-of length.
There's at least 30 symbols on my android keyboard but most people aren't gonna use loads of exotic symbols so let's say 10 symbols, 10 digits and 52 letters. That's 72 options.
Let's try password 4 characters long. Oh only 26,873,856.
K let's try 5 long. Wow 1,934,917,632 combinations! That's more than a 10 character long pin (and probably easier to remember). It's also more than an 8 character pattern on a 4x4 grid.
OK if you want billions of combinations what should you choose?
Length | Combinations | |
Pattern | 9 dots on 4x4 grid | 4.2 billion |
Pin | 9 digits | 1.0 billion |
Password | 5 digits, letters, symbols | 1.9 billion |
Pin is obviously worst, who's gonna remember 9 digits?
A five character long password including numbers and symbols is quite strong, but it takes me about 5 seconds to enter. I think this is too slow.
I think pattern is best. 9 dots on the 4x4 grid takes me 3 seconds to enter and is easy to remember. But be warned, shapes are easy to observe and remember so if you do not trust your peers you must be vigilant!