Passwords suck, which is why so many of us dream of a world where we don’t have them at all. But remembering names and numbers does hold some advantages over newfangled alternatives. According to new research (PDF) out of New Jersey Institute of Technology, the George Washington University, and Ruhr University Bochum, a popular password alternative prized by LG is both more hackable and easier to forget than previously thought.
The password technique in question is called a knock code. Such codes trace from ancient Greece to turn-of-the-century Russian prisons, in which a series of knocks or taps were equated with various letters. LG’s smartphones offer a super simplified version of the concept: You have a 2 x 2 grid, and you design your own password by hitting these boxes in any sequence you like. It’s a somewhat similar idea to Android patterns, which let you trace your finger across points on a screen to draw your password instead of typing it.
LG has gone so far as to dub this approach “perfect security.” It’s easy to see the appeal. Knock codes can be entered on a black screen—meaning it’s tough for someone looking on to decipher it as easily as your PIN. There should be no way you can predict a knock code either, whereas a PIN or password might contain a birthday or other easily guessable mental anchors that could help other people hack you. All in all, knock codes reimagine a password as a gesture, which is enticing enough that researchers estimate that as many as 2.5 million people in the United States alone are using knock codes on their phones.
But according to security researchers, the concept doesn’t pan out in the real world. After asking hundreds of people to create knock codes, they learned that while people can create any code they like, what they create isn’t all that diverse.
Most damning: 18% of all codes consisted of just four different password sequences. The problem is that people have a propensity to start in the upper-left-hand box and take similar routes from there. Overall, the 30 most popular knock codes represented 42% of all passcodes created in the study. So even if you didn’t design one of the most popular codes, your knock code would still be pretty predictable. “Patterns tend to be selected less randomly, and thus [are] easier to guess,” says Adam Aviv, an author on the paper and associate professor of computer science at George Washington University.
Given just 10 tries unlocking your phone, researchers calculated that someone can guess your knock code 28% of the time. A four-digit or six-digit PIN code is much safer than this.
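The three figures above (four codes covering 18%, ten guesses succeeding 28% of the time, thirty codes covering 42%) are one metric read at different points: the share of users whose code falls among the k most popular choices, which is what an attacker who guesses in popularity order gets with k tries. The added example below, written for this article and not taken from the study or its authors, computes that metric over a constructed sample of 2 x 2 knock codes; the codes, their six-tap length and their counts are assumptions, skewed the way the article describes, and the PIN comparison assumes a uniformly chosen PIN as the best case.

```python
from collections import Counter

# Cells of the 2 x 2 grid: 0 = top-left, 1 = top-right, 2 = bottom-left, 3 = bottom-right.
# Six taps per code is an assumption; the article does not state LG's code length.
CODE_LENGTH = 6

# Constructed sample (not the study's data): a few codes dominate, most start top-left.
_POPULAR = [
    ((0, 1, 2, 3, 0, 1), 8),
    ((0, 1, 3, 2, 0, 1), 6),
    ((0, 2, 1, 3, 0, 2), 4),
    ((0, 3, 1, 2, 0, 3), 3),
    ((1, 0, 2, 3, 1, 0), 2),
    ((0, 0, 1, 1, 2, 2), 2),
    ((3, 2, 1, 0, 3, 2), 2),
    ((0, 1, 0, 1, 0, 1), 1),
]

def _to_code(n: int, length: int = CODE_LENGTH) -> tuple:
    """Base-4 digits of n, most significant first, as a knock code of `length` taps."""
    digits = []
    for _ in range(length):
        digits.append(n % 4)
        n //= 4
    return tuple(reversed(digits))

def sample_codes() -> list:
    """100 constructed user choices: the popular codes above plus 72 distinct singletons."""
    codes = []
    for code, count in _POPULAR:
        codes.extend([code] * count)
    for i in range(72):
        codes.append(_to_code(400 + 37 * i))
    return codes

def top_k_share(codes, k: int) -> float:
    """Fraction of users covered by the k most popular codes, i.e. the success rate of
    a guesser who tries codes in popularity order and is locked out after k attempts."""
    counts = Counter(codes)
    return sum(c for _, c in counts.most_common(k)) / len(codes)

def uniform_share(space_size: int, k: int) -> float:
    """Same metric for a secret drawn uniformly from `space_size` choices."""
    return min(k, space_size) / space_size

def start_cell_shares(codes) -> dict:
    """Fraction of codes beginning in each cell; exposes the top-left starting bias."""
    counts = Counter(code[0] for code in codes)
    return {cell: counts[cell] / len(codes) for cell in range(4)}

if __name__ == "__main__":
    codes = sample_codes()
    for k in (4, 10, 30):
        print(f"top {k:2d} codes cover {top_k_share(codes, k):.0%} of users")
    print(f"uniform 4-digit PIN, 10 guesses: {uniform_share(10**4, 10):.1%}")
    print("start-cell shares:", start_cell_shares(codes))
```

Swapping in a real collection of chosen codes gives the same curve the researchers reported, and the start-cell shares show where a client-side policy check (rejecting the most popular codes) would bite.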
So what if knock codes used a 2 x 3 grid instead of a 2 x 2 grid? Researchers analyzed that approach, too, and found that 2 x 3 codes were actually more guessable than 2 x 2 codes. How is that possible? “There may be a false sense of security that the larger set of choices offers, whereby users believe their individual choice matters less in the face of the increased number of possibilities,” the authors write in the paper. In other words, a greater sense of perceived security makes us lazier in designing our own passcodes.
Another problem is how memorable the codes are. After setting up 2 x 2 knock codes, as many as 20% of participants couldn’t remember them just 10 minutes later. So knock codes are neither secure nor convenient.
Traditional passwords are by no means perfect either. Popular passwords can still be pretty predictable, and even if your password is novel, a hacker might still access it through an all-too-common data breach. But researchers concluded that a four- or six-digit PIN is all around better than a tap code. Because sometimes a design that’s promising on paper just doesn’t make that much practical sense once real humans get involved.