Friday, 2 August 2013

Choosing a secure PIN

Credit, debit and ATM cards are usually protected by a four-digit number.

This Personal Identification Number (PIN) is supposed to prevent an unauthorised person from using the card.

Choosing a good PIN makes a great deal of sense. Here's how to pick a good one, or at least how to avoid a bad one.

It seems that good sense is lacking with many people, who use predictable PINs such as 1234, 1111 and 0000.

How do we know this? Nick Berry, from DataGenetics, analysed passwords that had been leaked onto the internet. He concentrated on the four-digit passwords, working on the fair assumption that if people are using four-digit passwords for internet services then there will be some correlation between their choices and the numbers people choose for bank cards and other systems that use four-digit PINs.

He discovered that, out of 3.4 million records, the three sequences above were by far the most common. They were almost certainly chosen with intent, rather than being generated randomly.

The top 20 PINs accounted for 26.83 per cent of all passwords in the database, which means that a bad guy would only need to try 20 codes to succeed against roughly one quarter of cards.

Within the top 20 you will find all repeated sequences of a single number: 0000, 1111, 2222, 3333, 4444, 5555, 6666, 7777, 8888, 9999.

So in other words, if you want to guess someone's PIN try each of the above sequences in turn and you stand a very good chance of success.

The least popular choice was 8068. So we should all start using that one, right? Definitely not. As Nick writes:

"Warning - Now that we’ve learned that, historically, 8068 is (was?) the least commonly used password 4-digit PIN, please don’t go out and change yours to this! Hackers can read too! They will also be promoting 8068 up their attempt trees in order to catch people who read this (or similar) articles."

The key to a secure PIN is to choose one that is not predictable. So maybe looking at the most- and least-used ones published in such articles is a good idea so that they can be avoided. You want your PIN to be lost in the middle ground.

One quite amusing part of Nick's research is that the number 2580 crops up fairly high on the list, at #22. Look at your telephone key pad to discover why this is a popular choice.
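The two points above (a short list of guesses covers a large share of real PINs, and the predictable ones are repeated digits, runs and keypad lines such as 2580) can be turned into a defender-side check that a PIN-setting system might run before accepting a new PIN. The following is an added example written for this post, not Nick Berry's code or his data; the frequency table it uses is constructed here for illustration, so its percentages are not the 26.83 per cent figure quoted above. The keypad layout is assumed to be the standard 3x4 telephone layout.

```python
"""Added example: flag predictable four-digit PINs and measure how much of a
PIN population an attacker's first N guesses would cover."""
from collections import Counter

# Assumed standard telephone keypad layout (row, column); 0 sits under the 8.
KEYPAD = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
    "0": (3, 1),
}


def is_repeated_digit(pin: str) -> bool:
    """0000, 1111, ... 9999: every position is the same digit."""
    return len(set(pin)) == 1


def is_sequence(pin: str) -> bool:
    """1234, 0123, 9876: every step between digits is +1 or every step is -1."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def is_keypad_line(pin: str) -> bool:
    """2580, 0852, 1236 etc.: every step is the same move on the keypad."""
    points = [KEYPAD[c] for c in pin]
    moves = {(b[0] - a[0], b[1] - a[1]) for a, b in zip(points, points[1:])}
    return len(moves) == 1 and moves != {(0, 0)}


def weak_pin_reasons(pin: str, blocklist=()) -> list:
    """Return the reasons a PIN is predictable; an empty list means it passed."""
    if len(pin) != 4 or any(c not in "0123456789" for c in pin):
        return ["not exactly four digits"]
    reasons = []
    if pin in blocklist:
        reasons.append("in blocklist of most common PINs")
    if is_repeated_digit(pin):
        reasons.append("single repeated digit")
    if is_sequence(pin):
        reasons.append("ascending or descending run")
    if is_keypad_line(pin):
        reasons.append("straight line on the keypad")
    return reasons


def coverage_of_top(counts: Counter, n: int) -> float:
    """Fraction of all records an attacker covers by trying the n most common PINs."""
    total = sum(counts.values())
    return sum(c for _, c in counts.most_common(n)) / total


def guesses_to_cover(counts: Counter, fraction: float) -> int:
    """Smallest number of most-common guesses whose cumulative share reaches fraction."""
    total = sum(counts.values())
    running = 0
    for i, (_, c) in enumerate(counts.most_common(), start=1):
        running += c
        if running / total >= fraction:
            return i
    return len(counts)


# Constructed sample population (not real leak data): a few very popular PINs
# plus 100 distinct, unremarkable ones that each appear once. 200 records total.
SAMPLE_COUNTS = Counter({"1234": 50, "1111": 20, "0000": 15, "1212": 10, "2580": 5})
for i in range(100):
    SAMPLE_COUNTS[f"{(37 * i + 11) % 10000:04d}"] += 1


if __name__ == "__main__":
    top20 = [pin for pin, _ in SAMPLE_COUNTS.most_common(20)]
    for candidate in ["1234", "1111", "2580", "8068", "12"]:
        print(candidate, weak_pin_reasons(candidate, top20) or ["ok"])
    print("top 5 guesses cover", coverage_of_top(SAMPLE_COUNTS, 5))
    print("guesses for half the population:", guesses_to_cover(SAMPLE_COUNTS, 0.5))
```

A PIN that passes every check is not guaranteed to be strong, only free of the patterns this post describes; the blocklist argument is where a real deployment would plug in an up-to-date list of the most common choices, which is exactly the list the post advises avoiding.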

I know of at least one PIN-protected door to which no-one who uses it can tell you the PIN. They have all memorised the combination using a visual pattern (e.g. top left, bottom-right, middle-right, middle-left) rather than by the numbers (1964).