Many smartphone users leave their devices entirely unprotected, but even those who choose a four-digit PIN are vulnerable to “shoulder surfers” glimpsing the code and using it later - but a new form of password could come to the rescue, according to Rutgers University researchers.

Current “join the dots” patterns used as locks on some Android devices are similar to PIN pads, and easily observed by lurking “surfers” - but a Rutgers University team found that freeform “squiggly” patterns were more memorable than expected, and less easy for an attacker to memorise and gain unauthorized access.

The “squiggly” patterns could be used both as a lock for the “front page” of smartphones, and as a “lock” for apps, according to Gizmag’s report. As We Live Security advised in its guide to Android security this week, locking individual apps can be a useful “second line of defense” for smartphone users.

“All it takes to steal a password is a quick eye,” said Janne Lindqvist, assistant professor in Rutger’s University School of Engineering’s Department of Electrical and Computer Engineering. “With all the personal and transactional information we have on our phones today, improved mobile security is becoming increasingly critical.”

The paper, User-Generated Free-Form Gestures for Authentication: Security and Memorability, is available on Arxiv.org.

Surprisingly, the best-remembered gestures included an older form of security - signatures - as well as “simple angular shapes”, the researchers say, according to Phys.org’s report.

Lines drawn with one finger tended to include significant amounts of information, and thus be both memorable and hard to “crack”. The researchers tested their “passwords” on a tablet screen. Lindqvist believes this is the first study to explore free-form gestures as passwords.

“You can create any shape, using any number of fingers, and in any size or location on the screen,” Lindqvist said. “We saw that this security protection option was clearly missing in the scientific literature and also in practice, so we decided to test its potential.”

Study participants had to draw a gesture on a touchscreen, memorize it, and then draw it again from memory ten days later. Sixty-three students attempted the feat - with “favorable” results. Meanwhile, seven “shoulder surfers” (computer science student volunteers) attempted to steal the passwords by “surfing”.

The researchers write that despite the “surfers” having “considerable experience with touchscreens,” that, “None of the participants were able to replicate the gestures with enough accuracy, so while testing is in its preliminary stages, the gestures appear extremely powerful against attacks. While widespread adaptation of this technology is not yet clear, the research team plans to continue to analyze the security and management of free-form passwords in the future.”