How to choose a safe PIN code
Posted on 11 Jan 2013 at 15:13
Davey Winder reveals how to choose a secure four-digit PIN for online banking and websites
One of the better things to emerge from the aftermath of any massive data breach is the research value of the data that’s sold on the dark market (and often published for free somewhere within the hacker underground soon after).
I’m talking about the likes of the Yahoo breach last year, which left 400,000 plain-text passwords exposed; the LinkedIn breach, which published 6.5 million unsalted SHA-1 hashed passwords; and the Sony PlayStation Network breach with 100 million records, including login data, stolen. These three together account for a pretty impressive password research pool. By analysing the password databases that were stolen, it’s possible to determine the most commonly used – and therefore the most insecure – passwords out there.
Most are insecure by dint of being so common that they’re included in every dictionary attack, even though they’re not dictionary words. The 14 most insecure passwords have remained consistently so over the 20-plus years that I’ve been in the IT security business (on both sides of the fence) – namely password, passw0rd, 123456, 12345678, 111111, iloveyou, qwerty, dragon, pussy, letmein, abc123, baseball, football and trustno1.
I’d be absolutely amazed to discover any regular PC Pro reader using any of these; you obviously know better than that. But what’s the situation when it comes to PINs?
Picking a PIN
Personal Identification Numbers (PINs) were once solely the province of hole-in-the-wall cash machines, but the advance of technology, along with a superficial nod towards better security in all things, has changed that. Now we need to provide PINs when making credit card payments, when banking online, to access our smartphones and tablets, and even with some "ultra secure" USB memory sticks that come with a PIN entry-code system built in. The trouble with PINs is that they suffer the same problems as passwords when it comes to their popularity-versus-insecurity ratio.
A security company analysed more than three million PINs, extracted from the same kind of stolen password files – wherever a password was found that was a four-digit number, it was extrapolated that the usage patterns of that password would apply equally to the choice of a similar PIN – and it discovered that the top 20 most common PINs were used by 27% of all users.
Given that most, but not all, PINs are four-digit codes, an attacker already has a one in 10,000 chance of guessing yours correctly at the first attempt, and that shortens to 1 in 3,333 with the three guesses that banks and mobile networks alike commonly allow before locking the account.
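The analysis described above (pull the four-digit entries out of a leaked password list, rank them, and see what share of users the most common ones cover, then compare a three-guess attacker against the uniform 1-in-10,000 baseline) can be reproduced on any password dump you are entitled to audit. The script below is an added example and not code from the article or from the security company it mentions; the leaked records in it are constructed for illustration, and `rejects_common_pin` is an assumed policy check that a service could apply when a user picks a PIN.

```python
"""Added example (not from the PC Pro article): measure how concentrated
a set of four-digit PINs is and what that concentration means for an
attacker who is allowed a fixed number of guesses.

All "leaked" records below are constructed for this example; they are not
real breach data and the frequencies are not real-world statistics.
"""
from collections import Counter
from fractions import Fraction
import re

FOUR_DIGITS = re.compile(r"^\d{4}$")

# Constructed sample of plain-text passwords. Following the article's
# methodology, every entry that is exactly four digits is treated as a PIN
# choice; longer numbers such as "123456" are ignored.
LEAKED_PASSWORDS = (
    ["1234"] * 30 + ["1111"] * 12 + ["0000"] * 10 + ["1212"] * 6
    + ["7777"] * 4 + ["2580"] * 3
    + ["password", "letmein", "qwerty", "iloveyou", "abc123", "123456"]
    + ["8473", "3926", "6158", "9041", "2763", "5390", "7412", "1687"]
    + ["1990", "2001"]
)


def extract_pins(passwords):
    """Keep only the entries that are exactly four decimal digits."""
    return [p for p in passwords if FOUR_DIGITS.match(p)]


def pin_frequencies(pins):
    """Map each PIN to the number of users who chose it."""
    return Counter(pins)


def top_k_share(freq, k):
    """Fraction of all observed PIN choices covered by the k most common PINs.

    This is the figure the article quotes as "the top 20 most common PINs
    were used by 27% of all users" (for the article's real data, k=20)."""
    total = sum(freq.values())
    covered = sum(count for _, count in freq.most_common(k))
    return Fraction(covered, total)


def guess_success_probability(freq, guesses, space=10_000):
    """Chance that an attacker with `guesses` distinct attempts succeeds.

    Returns (uniform, observed). `uniform` assumes every one of the 10,000
    four-digit PINs is equally likely, so three distinct guesses succeed
    with probability exactly 3/10,000 (the article's 1 in 3,333).
    `observed` assumes the attacker tries the most common PINs first and
    that the victim's choice follows the observed distribution."""
    uniform = Fraction(guesses, space)
    observed = top_k_share(freq, guesses)
    return uniform, observed


def rejects_common_pin(pin, freq, k):
    """Assumed defensive policy: refuse a new PIN that is among the k most
    common ones in the audited data, so users cannot pick the PINs an
    attacker would try first."""
    common = {p for p, _ in freq.most_common(k)}
    return pin in common


def one_in(fraction):
    """Express a probability as 'one in N' for readability."""
    return fraction.denominator / fraction.numerator


if __name__ == "__main__":
    freq = pin_frequencies(extract_pins(LEAKED_PASSWORDS))
    print("users analysed:", sum(freq.values()))
    print("top 3 PINs cover %.1f%% of users" % (100 * float(top_k_share(freq, 3))))
    uniform, observed = guess_success_probability(freq, 3)
    print("3 guesses, uniform PINs: 1 in %.0f" % one_in(uniform))
    print("3 guesses, observed PINs: 1 in %.2f" % one_in(observed))
    for candidate in ("1234", "8473"):
        print(candidate, "rejected" if rejects_common_pin(candidate, freq, 3) else "accepted")
```

The two probabilities from `guess_success_probability` are the point of the exercise: the uniform figure is what a lockout-after-three-attempts policy is designed around, and the observed figure shows how far real user behaviour moves the odds in the attacker's favour, which is why a service should reject the most common choices rather than rely on the nominal 1-in-10,000 keyspace.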
With a 4-digit code, by the time you have eliminated all the common ones there aren't many left, so not much use.
HSBC, with their code unit that generates a random code every time it is used, is a very good system that, if used for cash machines instead of just for online banking, would reduce cash machine frauds, as the thief would have to steal the unit as well as your main code for it to be any use for getting money out of machines.
By curiousclive on 20 Jan 2013
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.