How to choose a safe PIN code
Posted on 11 Jan 2013 at 15:13
Davey Winder reveals how to choose a secure four-digit PIN for online banking and websites
One of the better things to emerge from the aftermath of any massive data breach is the research value of the data that’s sold on the dark market (and often published for free somewhere within the hacker underground soon after).
I’m talking about the likes of the Yahoo breach last year, which left 400,000 plain-text passwords exposed; the LinkedIn breach, which published 6.5 million unsalted SHA-1 hashed passwords; and the Sony PlayStation Network breach with 100 million records, including login data, stolen. These three together account for a pretty impressive password research pool. By analysing the password databases that were stolen, it’s possible to determine the most commonly used – and therefore the most insecure – passwords out there.
The top 20 most common PINs were used by 27% of all users
Most are insecure by dint of being so common that they’re included in every dictionary attack, even though they’re not dictionary words. The 14 most insecure passwords have remained consistently so over the 20-plus years that I’ve been in the IT security business (on both sides of the fence) – namely password, passw0rd, 123456, 12345678, 111111, iloveyou, qwerty, dragon, pussy, letmein, abc123, baseball, football and trustno1.
I’d be absolutely amazed to discover any regular PC Pro reader using any of these; you obviously know better than that. But what’s the situation when it comes to PINs?
Picking a PIN
Personal Identification Numbers (PINs) were once solely the province of hole-in-the-wall cash machines, but the advance of technology, along with a superficial nod towards better security in all things, has changed that. Now we need to provide PINs when making credit card payments, when banking online, to access our smartphones and tablets, and even with some "ultra secure" USB memory sticks that come with a PIN entry-code system built in. The trouble with PINs is that they suffer the same problems as passwords when it comes to their popularity-versus-insecurity ratio.
A security company analysed more than three million PINs, extracted from the same kind of stolen password files – wherever a password was found that was a four-digit number, it was extrapolated that the usage patterns of that password would apply equally to the choice of a similar PIN – and it discovered that the top 20 most common PINs were used by 27% of all users.
Given that most, but not all, PINs are four-digit codes, you already have a one in 10,000 chance of guessing it correctly first time, and that reduces to 1 in 3,333 given three guesses, which is fairly common in banks and mobile networks alike.
with a 4 digit code by the time you have eliminated all the common ones there isn't many left so not much use.
HSBC with their code unit that generates a random code every time used is a very good system that if used for cash machines instead of just for online banking would reduce the cash machine frauds as the thief would have to steal the unit as well as your main code to be any use for getting money out of machines.
By curiousclive on 20 Jan 2013
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.
- Make your mobile battery last longer
- Small steps into handling Big Data
- Nexus 5: does it really run stock Android?
- How to get broadband to a garden office
- How to write your company's IT security policy
- Raspberry Pi and Wolfram: a must-have for every child
- Could you get by with Office Web Apps?
- The best Android antivirus apps for 2014
- Headings vs headers: how to use both in Word
- Windows Server 2012 R2: how the Datacenter edition could change SMBs
- Windows 8.1 Update: an abject surrender
- The insane economics of Sky Now TV
- No such thing as a free app... so pay up if you want quality
- Time to outlaw crapware-laden installers
- Windows Phone 8.1 video: hands-on
- Office for iPad: key information
- Why every PC buyer owes Richard Durkin a debt of gratitude
- HTC One M8 vs Samsung Galaxy S5: 2014's big-hitters compared
- Windows XP end of life: key information
- Cut out the broadband jargon? What jargon?
- Microsoft slashes custom XP support price
- Ubuntu LTS Server 14.04 extends cloud support
- Intel: PC sales are "encouraging"
- Google to rank encrypted pages higher
- Heartbleed: the race to reissue security certificates
- Dropbox boosts app line-up with Carousel and Mailbox for Android
- BlackBerry CEO says not selling off phones "any time soon"
- Microsoft halts business downloads of Windows 8.1 Update
- Raspberry Pi targets business with Compute Module
- Microsoft releases final patches for Windows XP