Graphical password vulnerability (google.com.ua)
66 points by thesmok on March 30, 2013 | hide | past | favorite | 28 comments


Judging by the photo at the end the reason the author's locking code was defeated so quickly is that although the input mechanism used doesn't work quite like a traditional keyboard it is a common keyboard pattern. Keyboard patterns in passwords are an actual research subject [1], and a pretty interesting one at that. There's at least one practical JavaScript-based password quality meter that can find spatial patterns in QWERTY passwords [2] like "bgtyujmnh", which the author's code is similar to. The meter is actually quite interesting to play with.

On a related note, it's nice to see Pascal still used for fun but the fact that it's a version from almost 20 years ago doesn't help the language's image. If you are curious about Pascal and think you might want to write some code in it today I'd suggest you try Free Pascal [3], a modern, FOSS, object-oriented 32/64-bit Pascal compiler based largely on Borland's own dialect that even has a good recreation of Borland/Turbo Pascal's Turbo Vision IDE [4] if you want one.

[1] See http://www.usafa.edu/df/dfe/dfer/centers/accr/docs/schweitze..., http://www.ijicic.org/ijicic-10-09032.pdf, etc.

[2] https://www.cygnius.net/snippets/passtest.html

[3] http://www.freepascal.org/

[4] https://upload.wikimedia.org/wikipedia/commons/3/34/FPIDE_1....


I don't think that was the takeaway. I think the vulnerability was that she could see the pattern in the hand-grease on the phone. It wouldn't have mattered if he hadn't used a common pattern, because the path of the finger would still be obvious. The fix is to wipe off your screen after you lock it.


I guess you're right. I was thinking along the lines of "a less common pattern is less likely to be noticed and tried correctly the first time around and by then the traces left of it are ruined" but now that I've looked at the photo again I see this is probably wrong. On a phone like that any grease pattern should be pretty obvious.


My sister uses the schizophrenic pattern shown in the middle that uses all the dots. Because sliding your fingers between two dots just pixels apart was an error-prone nightmare, she decided to just hop her fingers from dot to dot, based on the fact that if you touch one dot and then you touch another, when you lift the first finger the path between both will be automatically drawn. That way, the trace on her screen is just fingers over dots, making it impossible to tell which one is the first and which one comes next.


I suggested to my local supermarket that they change their alarm code: there were four digits that were white, the others were covered in grime. Knowing the only possible digits makes it a cinch to work out the code just from watching movement from afar.

Two years later, those same keys are still clean. The others are even dirtier.


I'm not surprised they haven't changed it. At a normal supermarket, anything valuable (cigarettes, medicine, etc.) is going to be locked up behind another layer of security during closing hours. Any cash left in the building overnight is going to be stored in a safe in a room with a separate lock and alarm system. The building itself will have a lock in addition to the alarm, CCTV, and a security guard that comes by on a regular rotation. Nobody is going to take that risk in order to steal a couple of armloads of vegetables. Overnight security is a very small concern to a grocery store compared to continuous shoplifting during the day.


You can still have some security by repeating one digit.

http://mindyourdecisions.com/blog/2011/01/27/game-theory-and...


They don't even need to change the alarm code. They could just clean the keypad.


Not so. If it's a 4-digit combination, it's already n!, so 24 combinations, which is enough for a good system to lock up and automatically call the police. If it's more, then it's gonna grow as n!/k!l!m!... where k, l, m... are the numbers of repeated digits, but still it's more than enough to know that someone's trying to brute force the system.


The point is that the attacker watches from a distance, and using the rough hand movements he/she has seen can reduce that 24 combinations significantly.


Hence why I prefer the smaller keypads on ATM machines, so I can minimize my finger movements. Having one keycode for the supermarket is also a good way for disgruntled former employees to act malfeasantly.


> so 24 combinations, which is enough for a good system to lock up and automatically call the police

24 is nowhere near enough.

1. Having a roughly 10% chance of getting it after 2 tries isn't exactly secure.

2. An attacker could just try 1 or 2 combinations per day.
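The counting argued over in this thread (n! for four distinct worn keys, n!/k!l!m!... once digits repeat, and the odds of a hit after a couple of tries), worked through as an added Python example that is not part of the original discussion; the worn key set "2580" is a constructed sample.

```python
from itertools import product
from math import comb


def candidate_codes(clean_keys, length):
    """Every code of the given length that uses only the clean keys and
    uses each of them at least once (a worn keypad tells an observer both
    which keys are pressed and that every clean key is pressed).
    Brute-force enumeration; fine for keypad-sized inputs."""
    keys = sorted(set(clean_keys))
    return [''.join(p) for p in product(keys, repeat=length)
            if set(p) == set(keys)]


def candidate_count(distinct_keys, length):
    """Closed form for the same count: length-n sequences over k symbols
    that use all k (surjections), via inclusion-exclusion. For k == n this
    collapses to n!, the 24 quoted in the thread; for k < n it sums the
    n!/k!l!m!... terms over every way the repeats can be distributed."""
    k, n = distinct_keys, length
    return sum((-1) ** i * comb(k, i) * (k - i) ** n for i in range(k + 1))


def guess_probability(distinct_keys, length, attempts):
    """Chance that a given number of distinct guesses hits the code when
    the attacker knows only which k keys are used."""
    n_codes = candidate_count(distinct_keys, length)
    return min(attempts, n_codes) / n_codes


def best_digit_mix(length):
    """How many distinct digits leave the most candidates once the worn
    keys are visible, i.e. how much repetition a code of this length
    should have to get the most out of a dirty keypad."""
    return max(range(1, length + 1),
               key=lambda k: candidate_count(k, length))


if __name__ == "__main__":
    # Constructed sample: four clean keys on a 4-digit keypad.
    print(len(candidate_codes("2580", 4)), "codes from four worn keys")
    for k in range(1, 5):
        print(k, "distinct digits ->", candidate_count(k, 4), "candidates")
    print(f"{guess_probability(4, 4, 2):.1%} chance after 2 tries")
    print("most candidates with", best_digit_mix(4), "distinct digits")
```

With a 4-digit code, three distinct digits (one repeated) leaves 36 candidates against 24 for four distinct ones, which is the point the game-theory link above makes; two guesses against 24 codes is about 8.3%, not 10%.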



The broken English translation really adds to the punchline.


Hmmm, could someone build a text "scrambler" that would intentionally create broken English? I have also noticed that "broken English" is more effective by some measures than ordinary English.

Note also that the broken English here is not the author's but Google Translate's. The text has been machine translated from Russian. Also interesting that Google Translate is much more effective translating the mathematical portions than the other portions of the text. Another case of what people find hard computers find easy, and vice versa.


The fact that broken English is effective for recall, at least in some circumstances, totally fascinates me.

I'd love to capitalise on the idea somehow, just because it's so counterintuitive I think. Although I fully appreciate it's not effective enough to replace spaced repetition or other formal techniques.


For a scrambler, translate English text to Russian then back to English.


That's not really new, though, is it? The bigger "vulnerability" is shoulder-surfing, which is pretty damn effective against this.


It isn't new, and people have been joking about finger smears since this kind of unlock mechanism came out (I remember making this discovery myself and promptly switching my phone back to using a number pad). But it is worse than shoulder-surfing; you can just steal a phone, say, from someone's purse or off a table when no one is looking, and then unlock it. You don't have to stock the person, see them unlock the phone, and then steal it.


*stalk


I'm OK with shoulder surfing. The main reason I use a pattern lock is that if I forget it somewhere or get it stolen the guy who has it won't know the pattern. Putting that aside, I was hoping to see an analysis that could help me come up with a pattern that a thief couldn't guess from the traces on the screen.


I sometimes take a friend's phone from them and hand it back to them unlocked. Just for the look on their faces. Until they figure out that I just watched them unlock it.


Love the Pascal script


This even has a name. It's called a "smudge attack".

http://en.wikipedia.org/wiki/Smudge_attack


The graphical password isn't really meant for security though, and I always considered it a means to prevent pocket-dialing.


It's considered a security setting for preventing other people from opening your phone. If you just want to prevent pocket dialing, there's a mode you can set where you swipe anywhere on the screen to "unlock".


I don't believe the intent of the graphic password was ever for security.


> [...] probability of 0.01%. One hundred percent

One hundredth percent*

Google Translate should work on its spelling!
