How is a pattern lock different from a password on iPhone?

A password is a string of characters typed into a field; a pattern is a path you draw through a grid of dots. AppVault uses a 5×5 pattern (25 dots) so the input alphabet is much larger than a typical four-digit PIN and faster to enter than a long password. Crucially, the pattern is never stored anywhere — it is fed directly into a key derivation function and discarded, so a database breach cannot leak it.

How many possible 5×5 patterns are there?

The strict mathematical count of valid paths through a 5×5 grid with the usual adjacency rules runs into the tens of billions. The practical strength depends on the path length you choose. A six-dot pattern offers roughly 13 million distinct paths; an eight-dot pattern crosses one billion; a twelve-dot pattern is well beyond any practical brute-force budget on consumer hardware.

Can someone guess my pattern by looking at smudges on the screen?

Smudge attacks are real but limited. They work best when the attacker can examine the screen at an angle under bright light, the screen has not been wiped, and the user draws the same pattern repeatedly without other touches. In practice, a pattern entered once at the start of a session and a phone that wipes its own oleophobic coating with normal use defeats the basic version of the attack.

What happens after too many wrong attempts?

AppVault’s Intruder Log captures a front-camera photo, timestamp, and approximate location after the third consecutive failed attempt (configurable to two, five, or ten). The vault does not lock you out forever — there is no master account that could permit a "reset" — but every failed attempt is logged for you to review.

Can I switch from a pattern to a PIN or password?

You can add Face ID or Touch ID as a convenience unlock after the first pattern of the day. The pattern remains the canonical key — biometric unlock simply releases the derived key without re-deriving it. You cannot replace the pattern with a PIN, because the encryption key is mathematically bound to the pattern; changing the pattern means re-encrypting the vault.

What is the optimal pattern length?

Eight to twelve dots is the practical sweet spot. Below six, the pattern is fast but the path space is small enough that a determined attacker with shoulder-surfing access can guess it in a few sittings. Above twelve, the pattern slows you down enough that you will start choosing shorter ones to avoid the friction. Eight is the floor we recommend; twelve is the ceiling unless you genuinely enjoy drawing.

Does the pattern need to be unique to AppVault?

It does not have to be, but it should be. Re-using a phone-unlock pattern across two apps reduces the security of both. Pick a pattern you only use for AppVault and keep it different from any pattern you draw to unlock other apps or hardware.

FILE 03 / PATTERN LOCK

A path through twenty-five dots, drawn in two seconds, that turns into an encryption key.

Name: AppVault
Price: 1.99 USD
Availability: InStock

AppVault replaces the password field with a 5×5 grid pattern. You draw a path through the dots; the path becomes the input to a key derivation function tuned for slow brute-force resistance; the resulting key locks every file in your vault. The pattern is never stored — there is no password file to leak.

UPDATED · 2026-05-16 · REVIEWED BY APPVAULT

DEFINITION

The AppVault pattern lock is a 5×5 grid through which you draw a path. The drawn path is normalized, hashed by PBKDF2-SHA256 with 600,000 iterations and a per-install salt, and the resulting 256-bit key is wrapped by a hardware key generated inside the iPhone Secure Enclave. The wrapped key encrypts every file in your vault using AES-256-GCM. AppVault never stores the raw pattern, so a database breach cannot leak it — there is no database to breach.

Grid size — 5×5 (25 dots)
Minimum path length — 6 dots recommended (about 13 million possible paths)
Practical sweet spot — 8–12 dots
Key derivation — PBKDF2-SHA256, 600,000 iterations
Wrapped by — Apple Secure Enclave hardware key
Storage of raw pattern — None — derived and discarded each session

Why a pattern, not a password

Passwords are typed objects. They live, however briefly, inside the iOS keyboard layer; they pass through autocomplete suggestion systems; they get stored in password manager databases that synchronize across devices. Each of those surfaces is an opportunity for a password to leak, and each one is a thing AppVault would rather not depend on.

A drawn pattern bypasses all of it. The 25 dots are rendered inside AppVault’s own view. The path you draw is read directly from the touch event stream by AppVault code. The pattern is normalized — turned into a sequence of dot indices — fed into the key derivation function, and discarded. iOS does not see the pattern. The keyboard does not see the pattern. Spotlight, the clipboard, iCloud Keychain — none of them see the pattern.

What the math looks like

A 5×5 grid has 25 dots. The number of valid distinct paths depends on the adjacency rules we use — AppVault allows any-to-any connections rather than the Android-style "no jumping over an unused dot" restriction, which gives a richer space. The exact count of valid n-length paths is a combinatorial problem with no clean closed form, but the practical scale is:

Six-dot patterns: roughly 13 million distinct paths
Eight-dot patterns: over one billion
Ten-dot patterns: into the trillions
Twelve-dot patterns: beyond any consumer-hardware brute force

For comparison, a four-digit PIN has 10,000 possibilities — three orders of magnitude smaller than even a short pattern.

THE KEY DERIVATION

From a finger drag to a 256-bit AES key, in three deterministic steps.

When you draw a pattern, AppVault runs three operations on the touch input before any file is touched:

Step one — normalization

The path is converted to a canonical sequence of dot indices: [0, 6, 12, 18, 24], for example. The exact pixel coordinates, the speed of your drag, and the time between dots are all discarded. Only the ordered list of dots matters. This means a pattern drawn slightly differently on the same dots produces the same key.

Step two — key derivation

The normalized sequence is concatenated with a 128-bit random salt generated at first install and stored locally (the salt is not secret; it exists to make brute-force precomputation impossible across devices). The combined input is run through PBKDF2-SHA256 with 600,000 iterations. The 600,000-iteration count is the current OWASP-recommended minimum for SHA-256-based PBKDF2 as of 2026 — it makes each guess take roughly a tenth of a second on modern iPhone silicon, which is fast enough for the user and slow enough to make any brute-force impractical.

Step three — Secure Enclave wrapping

The 256-bit key that comes out of PBKDF2 is wrapped by a hardware-generated key that lives inside the iPhone Secure Enclave. The Secure Enclave is a separate processor on the iPhone’s system-on-chip that Apple guarantees never exposes its raw keys to iOS itself. Wrapping the PBKDF2 output with a Secure Enclave key means the vault is bound to the specific physical device — a copy of the encrypted blob, lifted to a different iPhone, will not decrypt even if the same pattern is drawn there.

This three-stage construction is what makes AppVault’s pattern lock structurally different from the per-app passcodes most vault apps ship with. Most apps store the passcode (or its hash) and unlock the vault by comparing your input to the stored value. AppVault has no stored value to compare against; the pattern is the key, and the only way to know the key is correct is to use it and see whether the ciphertext makes sense.

PRACTICAL ADVICE

How to pick a pattern that holds up.

A 5×5 grid offers strong cryptography on paper. The two ways that strength gets diluted in practice are short paths and predictable shapes. The fixes are simple but worth saying out loud.

Length matters more than shape

An eight-dot pattern is almost always stronger than a six-dot pattern, regardless of whether the eight-dot path looks complicated. The brute-force budget grows by orders of magnitude per added dot. Aim for at least eight dots; aim for twelve if you can draw it cleanly in under three seconds.

Avoid the obvious shapes

Common letters (L, Z, M, N) and corner-to-corner straight lines are the first patterns a brute-force attacker will try. They are also what people who shoulder-surf you will guess first. Pick something asymmetric — a path that doubles back on itself, jumps non-adjacent dots, or covers both the perimeter and the interior of the grid.

Re-draw it elsewhere first

Before committing to a pattern, draw it three times on paper without looking at the AppVault grid. If you can reproduce it from memory each time, the pattern is committable. If you find yourself slowing down or hesitating, pick a different one. A pattern you forget under stress is worse than a shorter pattern you remember.

Keep the screen clean

Oleophobic screen coatings on modern iPhones disperse finger oil enough that smudge attacks require deliberate effort. Wiping the screen on your sleeve once a day defeats casual smudge analysis without any additional gear.

Do not write the pattern down

The whole point of pattern lock is that nothing about your access lives outside your head. If you cannot trust your memory, use the optional recovery passphrase AppVault offers during setup — that is a long random English-word sequence designed to be written down and stored offline in a fireproof location. The recovery passphrase is the only legitimate "second key" that should exist for your vault.

PATTERN LOCK QUESTIONS

Seven precise answers about the lock you draw.

01 How is a pattern lock different from a password on iPhone?

A password is a string of characters typed into a field; a pattern is a path you draw through a grid of dots. AppVault uses a 5×5 pattern (25 dots) so the input alphabet is much larger than a typical four-digit PIN and faster to enter than a long password. Crucially, the pattern is never stored anywhere — it is fed directly into a key derivation function and discarded, so a database breach cannot leak it.
02 How many possible 5×5 patterns are there?

The strict mathematical count of valid paths through a 5×5 grid with the usual adjacency rules runs into the tens of billions. The practical strength depends on the path length you choose. A six-dot pattern offers roughly 13 million distinct paths; an eight-dot pattern crosses one billion; a twelve-dot pattern is well beyond any practical brute-force budget on consumer hardware.
03 Can someone guess my pattern by looking at smudges on the screen?

Smudge attacks are real but limited. They work best when the attacker can examine the screen at an angle under bright light, the screen has not been wiped, and the user draws the same pattern repeatedly without other touches. In practice, a pattern entered once at the start of a session and a phone that wipes its own oleophobic coating with normal use defeats the basic version of the attack.
04 What happens after too many wrong attempts?

AppVault’s Intruder Log captures a front-camera photo, timestamp, and approximate location after the third consecutive failed attempt (configurable to two, five, or ten). The vault does not lock you out forever — there is no master account that could permit a "reset" — but every failed attempt is logged for you to review.
05 Can I switch from a pattern to a PIN or password?

You can add Face ID or Touch ID as a convenience unlock after the first pattern of the day. The pattern remains the canonical key — biometric unlock simply releases the derived key without re-deriving it. You cannot replace the pattern with a PIN, because the encryption key is mathematically bound to the pattern; changing the pattern means re-encrypting the vault.
06 What is the optimal pattern length?

Eight to twelve dots is the practical sweet spot. Below six, the pattern is fast but the path space is small enough that a determined attacker with shoulder-surfing access can guess it in a few sittings. Above twelve, the pattern slows you down enough that you will start choosing shorter ones to avoid the friction. Eight is the floor we recommend; twelve is the ceiling unless you genuinely enjoy drawing.
07 Does the pattern need to be unique to AppVault?

It does not have to be, but it should be. Re-using a phone-unlock pattern across two apps reduces the security of both. Pick a pattern you only use for AppVault and keep it different from any pattern you draw to unlock other apps or hardware.

RELATED DOSSIERS

Keep reading.

6 ENTRIES

GET STARTED

Seal the vault.

Free to download. The first vault is free, forever. Upgrade only when you outgrow it.

Open AppVault on iPhone