Date: 2020-07-15

Passwords suck, which is why so many of us dream of a world where we don’t have them at all. But remembering names and numbers does hold some advantages over newfangled alternatives. According to new research (PDF) out of New Jersey Institute of Technology, the George Washington University, and Ruhr University Bochum, a popular password alternative prized by LG is both more hackable and easier to forget than previously thought.

The password technique in question is called a knock code. Such codes trace from ancient Greece to turn-of-the-century Russian prisons, in which a series of knocks or taps were equated with various letters. LG’s smartphones offer a super simplified version of the concept: You have a 2 x 2 grid, and you design your own password by hitting these boxes in any sequence you like. It’s a somewhat similar idea to Android patterns, which let you trace your finger across points on a screen to draw your password instead of typing it.

LG has gone so far as to dub this approach “perfect security.” It’s easy to see the appeal. Knock codes can be entered on a black screen—meaning it’s tough for someone looking on to decipher it as easily as your PIN. There should be no way you can predict a knock code either, whereas a PIN or password might contain a birthday or other easily guessable mental anchors that could help other people hack you. All in all, knock codes reimagine a password as a gesture, which is enticing enough that researchers estimate that as many as 2.5 million people in the United States alone are using knock codes on their phones.

But according to security researchers, the concept doesn’t pan out in the real world. After asking hundreds of people to create knock codes, they learned that while people can create any code they like, what they create isn’t all that diverse.

Most damning: 18% of all codes consisted of just four different password sequences. The problem is that people have a propensity to start in the upper-left-hand box and take similar routes from there. Overall, the 30 most popular knock codes represented 42% of all passcodes created in the study. So even if you didn’t design one of the most popular codes, your knock code would still be pretty predictable. “Patterns tend to be selected less randomly, and thus [are] easier to guess,” says Adam Aviv, an author on the paper and assistant professor of computer science at George Washington University.

Given just 10 tries unlocking your phone, researchers calculated that someone can guess your knock code 28% of the time. A four-digit or six-digit PIN code is much safer than this.
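
The figures above compare what a limited number of guesses achieves against the codes people really pick with what it would achieve if every code were equally likely. The following is an added example, not code or data from the article or the paper: it computes that success rate and the min-entropy for a constructed set of codes, assuming 6-tap codes and a 1-to-4 quadrant numbering.

```python
from collections import Counter
from math import log2

# Constructed sample, NOT data from the study: 20 hypothetical users, each code
# a string of quadrant numbers (1 = upper left ... 4 = lower right, assumed).
SAMPLE = (["123412"] * 5 + ["112233"] * 3 + ["121212"] * 2 + [
    "143214", "432143", "214321", "341234", "111222",
    "443322", "124312", "231423", "314213", "421342"])

def success_rate(codes, guesses):
    """Share of users whose code is among the `guesses` most common codes."""
    top = Counter(codes).most_common(guesses)
    return sum(count for _, count in top) / len(codes)

def uniform_success_rate(keyspace, guesses):
    """Same metric if every code in the keyspace were equally likely."""
    return min(guesses, keyspace) / keyspace

def min_entropy_bits(codes):
    """Bits of protection against a single best guess."""
    most_common_count = Counter(codes).most_common(1)[0][1]
    return -log2(most_common_count / len(codes))

def report(codes, quadrants=4, taps=6, guesses=10):
    keyspace = quadrants ** taps  # 4^6 = 4096 for the assumed 6-tap code
    return {
        "observed": success_rate(codes, guesses),
        "uniform_knock": uniform_success_rate(keyspace, guesses),
        "uniform_pin4": uniform_success_rate(10 ** 4, guesses),
        "min_entropy_bits": min_entropy_bits(codes),
        "ideal_bits": log2(keyspace),
    }

if __name__ == "__main__":
    for name, value in report(SAMPLE).items():
        print(f"{name:18s} {value:.4f}")
```

Ranking the guesses and scoring them on the same sample overstates the observed rate for small samples, so a real measurement would rank on one set of users and score on another.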