Skip to navigation
Real World Computing
Online banking security fob

How to choose a safe PIN code

Posted on 11 Jan 2013 at 15:13

Davey Winder reveals how to choose a secure four-digit PIN for online banking and websites

One of the better things to emerge from the aftermath of any massive data breach is the research value of the data that’s sold on the dark market (and often published for free somewhere within the hacker underground soon after).

I’m talking about the likes of the Yahoo breach last year, which left 400,000 plain-text passwords exposed; the LinkedIn breach, which published 6.5 million unsalted SHA-1 hashed passwords; and the Sony PlayStation Network breach with 100 million records, including login data, stolen. These three together account for a pretty impressive password research pool. By analysing the password databases that were stolen, it’s possible to determine the most commonly used – and therefore the most insecure – passwords out there.

The top 20 most common PINs were used by 27% of all users

Most are insecure by dint of being so common that they’re included in every dictionary attack, even though they’re not dictionary words. The 14 most insecure passwords have remained consistently so over the 20-plus years that I’ve been in the IT security business (on both sides of the fence) – namely password, passw0rd, 123456, 12345678, 111111, iloveyou, qwerty, dragon, pussy, letmein, abc123, baseball, football and trustno1.

I’d be absolutely amazed to discover any regular PC Pro reader using any of these; you obviously know better than that. But what’s the situation when it comes to PINs?

Picking a PIN

Personal Identification Numbers (PINs) were once solely the province of hole-in-the-wall cash machines, but the advance of technology, along with a superficial nod towards better security in all things, has changed that. Now we need to provide PINs when making credit card payments, when banking online, to access our smartphones and tablets, and even with some "ultra secure" USB memory sticks that come with a PIN entry-code system built in. The trouble with PINs is that they suffer the same problems as passwords when it comes to their popularity-versus-insecurity ratio.

A security company analysed more than three million PINs, extracted from the same kind of stolen password files – wherever a password was found that was a four-digit number, it was extrapolated that the usage patterns of that password would apply equally to the choice of a similar PIN – and it discovered that the top 20 most common PINs were used by 27% of all users.

Given that most, but not all, PINs are four-digit codes, you already have a one in 10,000 chance of guessing it correctly first time, and that reduces to 1 in 3,333 given three guesses, which is fairly common in banks and mobile networks alike.

Download a year of Davey Winder's Online Security columns by heading to our Free Downloads site

1 2
Subscribe to PC Pro magazine. We'll give you 3 issues for £1 plus a free gift - click here
User comments

with a 4 digit code by the time you have eliminated all the common ones there isn't many left so not much use.
HSBC with their code unit that generates a random code every time used is a very good system that if used for cash machines instead of just for online banking would reduce the cash machine frauds as the thief would have to steal the unit as well as your main code to be any use for getting money out of machines.

By curiousclive on 20 Jan 2013

Leave a comment

You need to Login or Register to comment.


Davey Winder

Davey Winder

Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.

Read more More by Davey Winder


Latest Real World Computing
Latest Blog Posts Subscribe to our RSS Feeds
Latest News Stories Subscribe to our RSS Feeds
Latest ReviewsSubscribe to our RSS Feeds


Sponsored Links

Your email:

Your password:

remember me


Hitwise Top 10 Website 2010

PCPro-Computing in the Real World Printed from

Register to receive our regular email newsletter at

The newsletter contains links to our latest PC news, product reviews, features and how-to guides, plus special offers and competitions.