How to choose a safe PIN code
Posted on 11 Jan 2013 at 15:13
Davey Winder reveals how to choose a secure four-digit PIN for online banking and websites
One of the better things to emerge from the aftermath of any massive data breach is the research value of the data that’s sold on the dark market (and often published for free somewhere within the hacker underground soon after).
I’m talking about the likes of the Yahoo breach last year, which left 400,000 plain-text passwords exposed; the LinkedIn breach, which published 6.5 million unsalted SHA-1 hashed passwords; and the Sony PlayStation Network breach with 100 million records, including login data, stolen. These three together account for a pretty impressive password research pool. By analysing the password databases that were stolen, it’s possible to determine the most commonly used – and therefore the most insecure – passwords out there.
The top 20 most common PINs were used by 27% of all users
Most are insecure by dint of being so common that they’re included in every dictionary attack, even though they’re not dictionary words. The 14 most insecure passwords have remained consistently so over the 20-plus years that I’ve been in the IT security business (on both sides of the fence) – namely password, passw0rd, 123456, 12345678, 111111, iloveyou, qwerty, dragon, pussy, letmein, abc123, baseball, football and trustno1.
I’d be absolutely amazed to discover any regular PC Pro reader using any of these; you obviously know better than that. But what’s the situation when it comes to PINs?
Picking a PIN
Personal Identification Numbers (PINs) were once solely the province of hole-in-the-wall cash machines, but the advance of technology, along with a superficial nod towards better security in all things, has changed that. Now we need to provide PINs when making credit card payments, when banking online, to access our smartphones and tablets, and even with some "ultra secure" USB memory sticks that come with a PIN entry-code system built in. The trouble with PINs is that they suffer the same problems as passwords when it comes to their popularity-versus-insecurity ratio.
A security company analysed more than three million PINs extracted from the same kind of stolen password files (wherever a password was found to be a four-digit number, it was assumed that the usage patterns for that password would apply equally to the choice of a PIN), and it discovered that the top 20 most common PINs were used by 27% of all users.
Given that most, but not all, PINs are four-digit codes, an attacker already has a one in 10,000 chance of guessing yours correctly first time, and that improves to 1 in 3,333 with three guesses, which is the number of attempts banks and mobile networks alike commonly allow before locking the account.
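The two figures above (1 in 3,333 for three guesses against a random PIN, and 27% of users sharing the top 20 PINs) can be put side by side in code. The following is an added example, not part of Davey Winder's article or the study it cites: the top-20 list itself is not published on this page, so the skewed model only reproduces the 27% headline figure and assumes (as a simplification) that the remaining probability mass is spread evenly; the blocklist entries and the pattern rules in pin_weaknesses are the example author's assumptions about what a sensible PIN policy rejects.

```python
from fractions import Fraction

# Four-digit PINs: 0000-9999.
PIN_SPACE = 10_000

# Headline figure from the study the article cites: the 20 most common PINs
# together cover 27% of users. The study's actual top-20 list is not
# reproduced on the page, so this example never names it.
TOP_N = 20
TOP_SHARE = Fraction(27, 100)


def uniform_guess_probability(guesses: int, space: int = PIN_SPACE) -> Fraction:
    """Chance of hitting a uniformly random PIN within `guesses` attempts."""
    return Fraction(min(guesses, space), space)


def skewed_guess_probability(guesses: int, top_n: int = TOP_N,
                             top_share: Fraction = TOP_SHARE,
                             space: int = PIN_SPACE) -> Fraction:
    """Chance of success when users pick PINs the way the study observed.

    Model (a deliberate simplification, not the study's data): the attacker
    tries the top_n most common PINs first, each assumed to carry an equal
    slice of top_share; the remaining probability mass is spread evenly over
    the other PINs. The real distribution is even more skewed inside the top
    20, so this understates the attacker's advantage for tiny guess budgets.
    """
    if guesses <= top_n:
        return top_share * Fraction(guesses, top_n)
    extra = min(guesses - top_n, space - top_n)
    return top_share + (1 - top_share) * Fraction(extra, space - top_n)


# Constructed sample blocklist: in a real deployment populate this from your
# own telemetry or a published frequency table, not from these two entries.
COMMON_PIN_BLOCKLIST = {"2580", "1004"}


def pin_weaknesses(pin: str) -> list:
    """Return the reasons a four-digit PIN should be rejected (empty = OK).

    The pattern rules (identical digits, sequential runs, repeated pairs,
    year-like values) are assumptions about what a sensible policy rejects.
    """
    reasons = []
    if not (len(pin) == 4 and pin.isdigit()):
        return ["not a four-digit number"]
    digits = [int(c) for c in pin]
    steps = [b - a for a, b in zip(digits, digits[1:])]
    if len(set(digits)) == 1:
        reasons.append("all digits identical")
    if all(s == 1 for s in steps) or all(s == -1 for s in steps):
        reasons.append("sequential run")
    if pin[:2] == pin[2:]:
        reasons.append("repeated pair")
    if pin[:2] in ("19", "20"):
        reasons.append("looks like a year")
    if pin in COMMON_PIN_BLOCKLIST:
        reasons.append("on common-PIN blocklist")
    return reasons


if __name__ == "__main__":
    # Compare the attacker's odds under both models for typical lockout budgets.
    for g in (1, 3, 20):
        print(f"{g:>2} guesses: uniform {float(uniform_guess_probability(g)):.4%}"
              f"  skewed {float(skewed_guess_probability(g)):.4%}")
    for candidate in ("1234", "2012", "1212", "8306"):
        print(candidate, pin_weaknesses(candidate) or ["ok"])
```

With three guesses the uniform model gives 3/10,000 (the article's 1 in 3,333), while the skewed model gives 81/2,000, roughly 4%: the same lockout policy is about 135 times weaker once users are allowed to pick the popular PINs, which is the case for rejecting them at enrolment rather than relying on the lockout alone.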
With a 4-digit code, by the time you have eliminated all the common ones there aren't many left, so not much use.
HSBC, with their code unit that generates a random code every time it is used, have a very good system which, if used for cash machines instead of just for online banking, would reduce cash machine fraud, as the thief would have to steal the unit as well as your main code for it to be any use for getting money out of machines.
By curiousclive on 20 Jan 2013
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.