How to choose a safe PIN code

11 Jan 2013
Online banking security fob

Davey Winder reveals how to choose a secure four-digit PIN for online banking and websites

One of the better things to emerge from the aftermath of any massive data breach is the research value of the data that’s sold on the dark market (and often published for free somewhere within the hacker underground soon after).

I’m talking about the likes of the Yahoo breach last year, which left 400,000 plain-text passwords exposed; the LinkedIn breach, which published 6.5 million unsalted SHA-1 hashed passwords; and the Sony PlayStation Network breach with 100 million records, including login data, stolen. These three together account for a pretty impressive password research pool. By analysing the password databases that were stolen, it’s possible to determine the most commonly used – and therefore the most insecure – passwords out there.

The top 20 most common PINs were used by 27% of all users

Most are insecure by dint of being so common that they’re included in every dictionary attack, even though they’re not dictionary words. The 14 most insecure passwords have remained consistently so over the 20-plus years that I’ve been in the IT security business (on both sides of the fence) – namely password, passw0rd, 123456, 12345678, 111111, iloveyou, qwerty, dragon, pussy, letmein, abc123, baseball, football and trustno1.

I’d be absolutely amazed to discover any regular PC Pro reader using any of these; you obviously know better than that. But what’s the situation when it comes to PINs?

Picking a PIN

Personal Identification Numbers (PINs) were once solely the province of hole-in-the-wall cash machines, but the advance of technology, along with a superficial nod towards better security in all things, has changed that. Now we need to provide PINs when making credit card payments, when banking online, to access our smartphones and tablets, and even with some "ultra secure" USB memory sticks that come with a PIN entry-code system built in. The trouble with PINs is that they suffer the same problems as passwords when it comes to their popularity-versus-insecurity ratio.

A security company analysed more than three million PINs, extracted from the same kind of stolen password files – wherever a password was found that was a four-digit number, it was extrapolated that the usage patterns of that password would apply equally to the choice of a similar PIN – and it discovered that the top 20 most common PINs were used by 27% of all users.

Given that most, but not all, PINs are four-digit codes, you already have a one in 10,000 chance of guessing it correctly first time, and that reduces to 1 in 3,333 given three guesses, which is fairly common in banks and mobile networks alike.