The World's Least-Popular Four-Digit PIN: 8068 (slate.com)
31 points by sethammons on Nov 29, 2016 | 36 comments


> Data Genetics came up with the numbers by analyzing a database of 3.4 million stolen passwords that have been made public over the years. Most of these are passwords for websites. But by looking specifically at those that comprise exactly four characters, all of which are numerals, the researchers figured they could get a decent proxy for ATM PINs as well.

That seems like an incredibly faulty assumption. Most pins are auto-generated randomly and then you are given the option to change them if you choose. Most passwords are not. I'd guess that PINs would be FAR more random than 4 digit passwords.


In the US at least, all banks I've had accounts with asked me to choose a PIN.

In France, I got a random PIN every time, except when the card expired, in which case the new card had the same PIN as the old card.


> In France, I got a random PIN every time, except when the card expired, in which case the new card had the same PIN as the old card.

Same in Germany with several banks I used.


Actually, this is the first time I hear it's even possible to change your PIN code at all... As far as I know I just get a new PIN code whenever I get a new card, and just have to live with it ;-)


I've either been forced to change my pin the first time I've used my ATM card, or I've not even known the PIN until I've assigned it. I would be in absolutely no way surprised if most people only had one four digit number they used for everything. Anecdotally, when it comes to four digit numbers, a lot of people I know use a significant date.


I'm tempted to write a script that takes the article text and replaces the most common PINs with random alternatives picked from 9999 of the 10000 possibilities, and then shares it to social media to get people to see it. One PIN, my special chosen PIN, would never be seen. That way, after enough people see a random version of the article and change their PIN because they think it's a common one, eventually my chosen PIN would be slightly more common than the rest.

I'm gonna be rich!


Ah yes, the "??? Profit!" Business plan. Always, 100% successful.


I recently got the following text message from Verizon:

  FREE VZW MSG: The security 
  of your Verizon account is
  extremely important to us. 
  Your personal identification 
  number (PIN) or password does
  not meet our new security 
  requirements. Please log
  into your My Verizon account 
  and select a new 4-digit 
  PIN as soon as possible.

My PIN was not in the top 20 but probably in the top 200. But how is requiring a 4 digit PIN at all compatible with "security is extremely important to us"? And how many PINs do you suppose they blacklist?


The easiest ones are blacklisted, for example: 4 repeating numbers and 1234.

The 4 digit pin is not secure. It is like my bank telling me I can't use special characters in my password for online access and max length is 20 chars but way way worse.

My bank card has a 4 pin code that I need to enter when purchasing items; it's a minor security, but it doesn't need to be more complicated. If I lose my card I will have to call to block it. If my card gets duped then they probably know a way to see me enter my pin. (Agreement with bank states that in many cases I will get my money refunded if stolen.)

For a thing like voicemail, if it's accessible without taking or copying your SIM, it is a bad security measure. The other required data is often easily obtained. (postcode, birth year, etc.)
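An added example, not part of the thread: a PIN deny-list check built from the two rules named in the comment above (four repeating digits and 1234), which also counts how much of the 10,000-PIN keyspace each rule removes. Treating wrap-around and descending runs as sequences, and refusing DDMM/MMDD calendar dates, are assumptions made here, not rules any bank or carrier in the thread is known to apply.

```python
from itertools import product

# Longest month lengths; Feb 29 is allowed so leap-day birthdays are caught.
DAYS_IN_MONTH = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]


def _is_date(day, month):
    """True if (day, month) is a real calendar day in some year."""
    return 1 <= month <= 12 and 1 <= day <= DAYS_IN_MONTH[month - 1]


def deny_reason(pin):
    """Return why a candidate PIN is refused, or None if it is accepted."""
    if len(pin) != 4 or not pin.isascii() or not pin.isdigit():
        return "format"
    if len(set(pin)) == 1:                      # 0000, 1111, ..., 9999
        return "repeated"
    # Difference between neighbouring digits, modulo 10:
    # all +1 is an ascending run (1234, 8901), all -1 a descending one (4321).
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        return "sequence"
    first, second = int(pin[:2]), int(pin[2:])
    if _is_date(first, second) or _is_date(second, first):   # DDMM or MMDD
        return "date"                           # assumed rule, see lead-in
    return None


def keyspace_report():
    """Count every 4-digit PIN by the first rule that refuses it."""
    counts = {}
    for digits in product("0123456789", repeat=4):
        reason = deny_reason("".join(digits))
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    for reason, count in keyspace_report().items():
        print(reason or "accepted", count)
```

Under these rules 615 of the 10,000 PINs are refused, so the deny list costs a random guesser about 6% of the search space while removing the choices a guesser would try first.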


I beg to differ about 4 repeating numbers. I have such a number, allocated by a bank. As I see it nobody is ever going to guess my pin because they would assume it was blacklisted. I also get to do a different dance entering in the pin in public places because I have to pretend I am typing anything other than just the same number, at places where security is not a problem I can breeze through entering my pin nice and quickly.

I have not felt the urge to request a change of pin from 'one number' to four.


It all depends on country and bank. They are more often blacklisted than not. Funny, how you have to dance around entering your pin. I can enter my 4 different digits so fast with almost the same intervals that it seems like I am entering 4 same digits.

Unfortunately many pins are stolen by skimming, they sometimes place a whole cover over the ATM. Not taking function away but just copying all cards and filming all codes being entered or having an overlay on the keys.


> As I see it nobody is ever going to guess my pin because they would assume it was blacklisted.

Why wouldn't they? It's just a quick ten numbers to check. 4444 is going to be more common than any one other completely-random selection, like 8064, for the same reason that people choose "password" as a password.


>And how many PINs do you suppose they blacklist?

I hope they will blacklist top 9997 pins.

Greetings, the bad guy.


My brain initially misread that as 8086. I started to wonder if people might have an aversion to using processor model numbers due to their familiarity... but apparently not.


Ha, funny, me too.


Their methodology (not having actual access to PINs and trying to infer from numbers in passwords) may be flawed.

I work for a company that, a long time ago, used 4-digit PINs for account security. Our historical data (covering millions of accounts) shows that, overwhelmingly, the least-common PINs are those that start with the digit "0", which makes sense to me as a counter-intuitive PIN selection.

Their comments about the most-common PINs do seem generally accurate, based on my data.


What's the current state of the art in keeping track of passwords and PINs? I have a folder in my house full of various papers and cards with passwords and PINs dating back to the mid-nineties. Surely not the best solution, but at least I don't carry the thing on me or put the data online.


I think the standard would be to use a password manager such as KeePass, with a long random passphrase such as five to six words chosen truly randomly from a large dictionary.

A folder or notebook in your house is not terrible, actually, since it lets you avoid reusing passwords (though it won't generate strong passwords for you like a password manager will). Harder to back up. You might want to keep it in a fireproof safe.


Programs like KeePass are good solutions. I run it in a cloud setting, with a backup on multiple of my own devices. A good strong master password is important.


Writing down passwords may not be the best solution, but it's probably a better solution than most: https://www.schneier.com/news/archives/2010/11/bruce_schneie...


Offline password managers are pretty good.


> Researchers at the data analysis firm Data Genetics

Also known as cool guy who works as a data analyst at Facebook: https://www.facebook.com/nick.berry

He also has a ton of other cool blog posts that I find pretty thought provoking: http://datagenetics.com/blog.html

For example: http://datagenetics.com/blog/may32013/index.html


I have a new pin! Wait... no I don't! Everyone ignore what I just said.


Since it's on HN it is now the most common pin of tech CEOs and sysadmins.


Surprisingly, 1337 does not seem to be a particularly common PIN. Perhaps individuals who find 1337 entertaining are tech savvy enough to realize you shouldn't use common meme numbers for PINs?

Edit: ZIP Codes are 5 digits. Not entirely sure how I screwed that one up.


>Also, I bet the prevalence of 6 digit numbers is in part due to US ZIP Codes being 6 digits. It would be interesting to break down the 6 digit ZIPs into valid and non-valid ZIP codes.

More likely because of DDMMYY instead of DDMM or MMYY (or the inverses).

Example, release date of a Led Zeppelin album: 032873


That makes sense.

As other people have pointed out, ZIP codes are also 5 digits. Not entirely sure why I thought they were six, considering a quarter of my job is building systems that process mailing data. I'm going to blame this on an extended case of the Mondays.


Except that ZIP codes are 5 digits...


Right... I'm going to blame this one on turkey hangover.


ZIP Codes are 5 digits.

I can't think of a good reason why 6 would be so popular.


6 digits can be used for dates MMDDYY or DDMMYY


Well not anymore.


Slightly off topic: my ATM PIN is 8 digits long, has been for about 10 years. Never had a problem at any machine or POS. I don't know if everyone knows longer PINs work. I think you can go up to 12 digits.


8068 just became far more popular!


"Formerly..."


Not for long!



