Is Your PIN Easy to Guess?

Originally published at: Is Your PIN Easy to Guess? - TidBITS

At ABC News (from the Australian Broadcasting Corporation), Julian Fell and Teresa Tan collaborated on an engaging piece that illustrates the popularity of certain four-digit PINs:

Whether it’s to unlock your smartphone, access your online banking or get cash out of the ATM, a four-digit PIN is often there to keep your secrets and your money safe.

It’s an important little code, but not all choices are equally secure.

That’s why we analysed 29 million of them from Have I Been Pwned? – an Australian-run site that helps people all over the world find out if they’ve been affected by data breaches.

The most commonly used PINs turned out to be staggeringly popular, meaning they’re particularly easy to guess when phones and bank cards fall into the wrong hands.

As you scroll through the article, the authors explain particular PINs—and approaches for generating them—on a heatmap with brighter squares representing more heavily used PINs. They call out sequential numbers, repeated numbers, birth years, numbers that could represent dates, and more. The article ends with a list of the top 50 PINs to avoid. An astonishing 9% of people use 1234, followed by 1111 and 0000, at 1.6% and 1.1%. The next time you find yourself in a high-stakes movie plot and need to break into the villain’s phone, try those three.


I use an 8-digit PIN for my phone.

My bank assigned me a 4-digit PIN back in the 80s that has never changed. Maybe it’s time.


Ditto. And a different PIN to unlock my SIM.

It’s always so funny in movies when you see somebody break into somebody’s account by guessing the name of their dog or something obvious like that.

What I have always thought is weird is that we need to use the last four digits of our social security number in certain places. That’s a 4-digit PIN of sorts that we can never change.

Also, and I realize how blue-sky this is: I’d like not to have to think about massive multiple security issues. I’d like to have access to my products without the companies telling me I have to go through this extended rigmarole.

No, I don’t care that the world is a difficult place. Stop making security my problem.

Since the security fail du jour a few months back was people looking over the shoulder of someone entering their iPhone PIN, and later managing to swipe the phone, as well as earlier concerns about how police forces as well as less upright forces could use forced-entry techniques to unlock an iPhone they’d taken from you, I took the advice of a security expert, and changed my four-character PIN to a > 10-character one. It does mean it takes extra time to install an iOS update, with backups before and after. Aside from my own clumsiness, the frustration comes in part from Apple’s using two or three different keyboard layouts for those PIN entries. Why?

AT LEAST make it > 4 digits if you don’t set an alphanumeric passcode… it’s easy!


Source: xkcd: Security

Fortunately, xkcd also has some good advice on how to choose a good password, as in: easy to remember & hard to crack.


1234 as PIN is ok when it’s used for an irrelevant account. I use simple passwords for unimportant or temporary site visits that have no personal information whatsoever – but very complex passwords for email, bank accounts etc.

I had good luck guessing simple passwords at Wifi locations in countries like Morocco, where many coffee shops use 12345678 and similar as password :smile:

As far as I know, there are two layouts. An alphanumeric keyboard if you use an alphanumeric passcode, or a number-only pad if your passcode consists only of digits.

An arbitrary-length passcode keypad differs from the standard 4- and 6-digit codes only in the fact that you have to tap “OK” after you’ve entered all the digits (so a thief won’t be shown the number of digits on the entry screen).

Yes, but sometimes a throwaway account becomes relevant in the future.

Once upon a time, I reused a single password on every web site that I didn’t care about. Until that password appeared on Have I Been Pwned, and I realized that although nobody with this password could financially hurt me, they could post messages as me on any of a hundred different discussion forums. It took me several days to track down and change every one of those passwords (this time to one unique for each site).

These use cases are simply designed to block people who didn’t actually enter the shop, where they probably can see the passcode printed on a sign. High security is not a concern - they just want to block the opportunists, like people in the shop next door that doesn’t have Wi-Fi.

Much like hotel Wi-Fi, where the passcode is typically just the name of the hotel with a couple of numeric digits that never change, or something else that everybody who has ever stayed there knows. Again, because the goal is to just block the opportunists, not to actually secure the network.



Nicely written Adam. I loved the last sentence. John.


My experience, with dark mode enabled, is that there is one alphanumeric layout with clear, white characters on a dark background, and another, with grey background, barely different grey key backgrounds, and a very pale white for the characters, barely distinguishable from the backgrounds. The worst part is that the “keys” are a different size from either (1) above or the usual keypad. My muscle memory is thrown off by that. ptui


This is my preference, and I think it’s a good way of increasing security even if you want to stick with a 6-digit PIN for convenience. The lack of information about how long the PIN is makes it harder to crack.

In the late 90s and early 00s (before I used a password manager) this was my approach too. It was sensible at the time. Once I started using a password manager it made sense to set a unique password for each site, which I gradually did over time.

We actually have a few of those that still use the old simple password and it gets reused. Nothing involving finance and no sites with credit card info. We should change all of those but for things like a free news site there probably isn’t much point…and we don’t use that old password in any form for either new accounts or those with some financial implications.