If you're wondering why 1004, a seemingly random number, is so close to the top of the list -- something that the author does not investigate in any detail -- my guess is that the database he used contains some major leaks from Korea. 1004 is a fairly popular password there, because it is one of the few 4-digit numbers that sound like actual words in Korean. 1004 sounds like "angel" (cheonsa).
So if you're actually trying to break into people's accounts, it would be advantageous to know your victims' ethnicity. It's quite likely that cards stolen in Koreatown will have a different distribution of PIN numbers than those stolen in Chinatown.
Interesting. When you say 1004 'sounds like angel', do you mean saying 'one thousand and four' in Korean sounds like cheonsa? or 'one zero zero four'? Or the numbers look like letters than spell out angel?
/ tangent
It's read "one thousand four" in US english. In British english (and in many Commonwealth countries like Australia and New Zealand; not sure about Canada) it's read "one thousand and four", regardless of whether the and is unnecessary or ambiguous.
Admit I don't have strong feelings either way but out of genuine curiosity, why is one thousand four less ambiguous than one thousand and four?
You could argue one thousand four is actually easier to misinterpret because it could easily (although incorrectly) be read to mean "one thousand fours."
For what it's worth, the "and" is mandatory in my language and we manage to disambiguate 100 2/3 from 102/3 by putting a pause between either "hundred" and "and" or "two" and "thirds".
100 2/3 - one hundred ... and two thirds
102/3 - one hundred and two ... thirds
Alternatively, use "plus" instead of "and" in the first case.
Surely that comes from the same language structure which means you wouldn't say beans and eggs and tomatoes and potatoes, you'd say beans, eggs, tomatoes and potatoes e.g. in a list of "and" items you only say and between the penultimate and final items?
When I opened my Wells Fargo checking account, they let me choose my own PIN number for my debit card. I was quite surprised, because previously other banks always sent me a 4-digit number that I had no influence on.
I became even more surprised when I was told that I don't have to restrict myself to 4 digits! So, I entered a sequence of 12 or so digits that I happen to be able to remember easily but that otherwise follows no patterns as e.g. the ones mentioned in this article.
I thought I was so smart!
Except when I later found out that a lot of card readers in convenience stores accept a maximum of 8 digits for card PINs :-( I can't use my card there. So much for being a paranoid computer scientist...
I have to say, I've really liked some of the posts on this blog. The comparison of monte carlo and markov models of Chutes and Ladders[1] is very intuitive. I think it's a great way of understanding forward vs backward statistical reasoning without falling into the usual borderline religious divides.
that's an interesting article that shows the difference between markov and monte-carlo approaches, but it seems to be incomplete. in particular, although it claims it will calculate an exact solution (just after the "Markov Chains" subtitle) it never does; the example uses repeated calculations and stops at some point to give an approximate answer. am i misunderstanding something?
And why do banks (or credit card companies) even let users pick their own PIN codes? Wait, do not answer that, I know. Some beancounter has calculated that the cost of somebody guessing PIN is significantly less than cost of support calls when people forget their random PINs. Which kinda sucks that security is compromised to make more profit.
For reference I have (afaik fully random) bank-assigned PIN on my card.
I opened an account at Citizens Bank, who did not let me choose my pin code. It went something like this.
Received card, no pin, called, sent new, recieved card, no pin, pin came 2 weeks later.. for the first card, no pin for second card, third attempt nothing was sent, went to the bank, they told me I had to call, gave up after 2 months, over the next year they sent me several new cards (security breaches?), but I never had a pin to activate them.
One year later they change their terms and contions, impose new fees, deplete my checking account, deplete my savings overdraft account, and then send me to collections... all for opening a couple of accounts and depositing a few hundred dollars.
>And why do banks (or credit card companies) even let users pick their own PIN codes?
Sure the PIN sucks, but ATM security is actually two factor, something you have and something you know. The cards can be duplicated, they've made good inroads on that but haven't rolled those cards out in the states.
Its an example of "good enough" security. Not only is the barrier to theft much higher than the cash next to it in their wallet, you only have a 30% chance of getting into their account before the ATM eats the card. If you do get in, you can typically only withdraw $300 and your face has been recorded.
Which kinda sucks that security is compromised to make more profit.
I find it kind of strange that you're picking up on this, do you not read everything on HN as a stream of soul-crushing money-first attitudes too?
In the UK, cards are issued with random PINs. I believe some have the facility to change them, but i would guess the majority do not. I was wondering this when reading the article; so I can take it to assume that in the US you define your own pin? How does that work, do you do it at the bank or a the ATM machine the first time you use it?
I'm not aware of any UK cards that don't let you change the PIN, just pop them into a cash machine and you'll find an option to do it on the menu.
Of course, my not being aware doesn't mean you can't, but I know from experience that most of the big banks let you do it, and I can't think of a single example of either me not being able to do it or me hearing of anyone else not being able to do it.
That could be true. But how many people do you think actually change their PIN? I think it's will be low single figure %; I think many aren't aware you can make PIN changes.
I only have anecdotes rather than data (suspect the same is for you), but personally I would have guessed that nearly everyone does. Obviously I don't know the situation of all my family/friends, but for example in my close family both parents and both siblings have always changed to PIN numbers they chose themselves, I've known colleagues go change their PINs after getting a new card, etc...
I suspect there's no way to know which of our guesses is closer to the truth without a bank providing stats, which seems unlikely to happen. Or a poll somewhere..
I don't have sufficient knowledge to say that you're wrong about this, but I DO know that the largest banks ALL allow you to change your PIN. Examples:
* Bank of America
* Chase
* Citibank
* Wells Fargo
Many banks apparently don't let you choose PINs; however from the limited sample of PINs I know of (mine, my wife, my company and a few others) they're not random; they all have doubled digits (like 2554).
It could be a coincidence. About half of all 4-digit numbers contain at least one repeated digit. (Of 10000 possible numbers, 10 * 9 * 8 * 7 == 5040 contain four distinct digits.)
I know it is best to use a full uniform distribution for assiging PINs, but I do not know whether any bank does it. Would they really dare send out '0000' to 1 in 10000 of their customers?
Interesting analysis, but I question the use of a proxy for the source data. I doubt that PINs like 1234 and 1111 are nearly as common when an actual bank is involved. At least, I would hope that people take their ATM PIN more seriously than a password for a relatively unimportant website account, but maybe I'm giving the general public too much credit.
That's one thing the article should have taught you: a large search space is worthless when, given the chance, customers restrict themselves to tiny parts of it.
You're sharing pins for electronic transactions? What the what? (I'm over the pond in Australia, and I've never shared any of my various pins with anyone.)
I wouldn't! A lot of people do though, it's the downside of a mostly cashless economy, but with the rise of internet banking and near-instant transfers online it should go away.
As someone who knows someone else's PIN: if they're too inconvenienced by making the payment themselves and don't realize what security it's meant to offer, they'll be quite content to hand the card and the PIN to someone they trust.
Additionally, if I'm reading this properly, it only includes people who chose numeric passwords when they could have chosen anything (presumably beyond alphanumeric even). This means that all of the folks who chose a password outside of the PIN ___domain (presumably because they know better) don't have their PINs represented here, and I'd wager that a better proportion of those numbers are beyond 1234, 0000, etc..
Thought it would be worth mentioning that the heat map appears to show people love using MMDD dates (and possibly MMYY, but harder to conclude from the data), as shown by the lower left heat intensity and the heavy usage of 0 and 1 as the first digit. In addition, the bottom 20 has no candidates that would fit into MMDD.
My PIN number is 8+ numbers long, and to my chagrin, I discovered in 2006 that most ATMs in Europe didn't accept anything more than 6, and most accepted only 4. I'm not sure if things have changed since then, but in the 5 countries I was in, the only ATM that accepted 8 was in Amsterdam, near the end of my trip.
This happened to me, too. For once, carrying travelers checks came in handy.
In Turkey, most ATMs accept my extra-long PIN, but very few have UIs designed to fit more than 4 digits. On many of them, the digits will continue outside of the form field and sometimes all the way off the screen.
I ran into the same issue while traveling in South America. Some ATMs would not work at all with my 8+ PIN.
Strangely, there was one ATM that accepted 4 digits and then automatically continued to verification of the PIN. I never got a chance to enter the rest of the digits, but it still passed verification and allowed me to withdraw.
I had a 8 digit PIN, but only the first 4 mattered to the ATM. The screen would blink after the first 4 numbers, too, to help you notice you already had it.
Then two weird things:
1. The bank got bought by someone else, and the new bank demanded 6 digits. I had stopped using anything past the first 4, but they were still the first six from the original form I filled out years earlier.
2. They sent me my full PIN in the mail. At first I was surprised by this, since one-way-hash and all that jazz, but on reflection one-way hashing a six-digit PIN is pretty silly.
I wonder if you could prepend your PIN with 0's. If the input is interpreted as a number, it might work. If they cast it to a string, it probably wouldn't.
I've been using 10 in Canada for several years now. I initially carried cash on me as I expected it not to work at a lot of places... So far I've only had one issue which was at a parkade. The payment machine only accepted six digits on debit cards.
The title is wrong and very misleading. There is no single mention of "bank" in the linked post. Hell, it even says that it was collected from random password leaks. It says
Given that users have a free choice for their password, ifusers select a four digit password to their online account, it’s not a stretch to use this as a proxy for four digit PIN codes.
That's great, but your counter-claim isn't obvious at all. So please elaborate. Are you alluding to banks generally setting people's PINs for them, using more appropriate distributions? Or, God forbid, do you believe that users are more careful when picking sensitive PINs?
Are you alluding to banks generally setting people's PINs for them, using more appropriate distributions? Or, God forbid, do you believe that users are more careful when picking sensitive PINs?
Well yes, of course.
Firstly, Banks do set the pin first, and the vast majority of people probably never change it.
On your second point, for a bank I would pick a complicated pin and/or password, for some throwaway website/app/game account I'd choose something simpler and easy to remember, many people probably use the same pin for loads of services, but wouldn't use it for their bank for obvious reasons.
Most people have some perception of levels of security, even if they only have a binary concept of 'involves my money' or not, and trying to extrapolate from website logins for some unimportant data to banking pins which involve real losses for the user involved is not at all convincing.
> Most people have some perception of levels of security
We're just trading intuitions here, of course, but I'm virtually certain that people's sensitive passwords are as abysmal as their non-sensitive ones. Sure, you'd pick a good password; however, the mere fact that you're debating this point and that you know what password goodness entails tells me that you're not a helpful sample of the population in question (namely everyone).
I'm going to look into finding some data pertaining to this issue. What I'll definitely grant you is that the extrapolation isn't perfect.
Agreed. It's also worth noting that the dataset does not represent the general population, but only the people who use 4-digit passwords on some websites.
>Firstly, Banks do set the pin first, and the vast majority of people probably never change it.
That's certainly not the case at my bank. I live in Canada, so perhaps things are done differently here, but when I was issued my card they made me choose my PIN.
As supporting evidence, the author points to the high frequency of "2580", which is vertically down on a numeric keypad but not on a computer keyboard. That dissuades me from accepting your high level of disagreement.
It's not a perfect fit, but it's unsettling to me how close the leading PIN digit graph corresponds to Benford's Law ( https://en.wikipedia.org/wiki/Benford%27s_law ). You would think intentional human randomness would not fit this distribution.
The humans aren't being random. They're using numbers from sources in real life. A large fraction of the data points are years from the twentieth century as 19xx and a smaller fraction as 200x. MMDD or DDMM format dates also follow the Law in tending to lead with digits 0-3. Or consider the 2580 case or other patterns on the keypad, where the leading digit will skew towards the beginning of the digit-alphabet.
So Benford's Law will apply even on a data set that has no numerical meaning in itself, transitively from the real sources of the numbers.
> Now that we’ve learned that, historically, 8068 is (was?) the least commonly used password 4-digit PIN, please don’t go out and change yours to this! Hackers can read too! They will also be promoting 8068 up their attempt trees in order to catch people who read this (or similar) articles.
I would take this with a grain of salt. He doesn't say what exposed passwords he used as his sources, but I'd bet the linkedin passwords were part of it.
But a lot of people will knowingly use an unsecure password for a site like linkedin, because they don't really care if its hacked. Using a secure password for bank accounts, email, etc. is critical, but I don't think it's realistic to ask people to have unique, secure passwords for their account on forums.49ersfans.com. That just isn't going to happen. It's interesting, but I'm skeptical his sources are even remotely a good proxy for bank account PIN numbers.
Interestingly, I've never received a default bank pin in Ireland that wouldn't have 2 repeated digits in it. I have a theory they do this to make pins easier to memorise.
Last time I signed up to a new bank there was a box on the paper form for your pin number, which was then typed in a clear text field by the staff member setting up my accounts.
I stuck with my old bank who used a secure entry keypad so I could set my pin.
Which bank are you with? One of the few things that annoyed me about NBNZ was the utter lack of security with setting the pin and online banking password.
2580 seemed like a fairly obvious PIN choice to me, but I'm completely baffled on the significance of 1004 in position #6. It is neither easy to type, has no good geometric representation, and doesn't seem like a year/date/zipcode or any common number. Any ideas?
(I'd also venture that one of the reasons 2468 is so much more popular than 1357 is because of the nice symmetry that 2468 has)
In Spain, 1004 is the number to call the main phone company. It is usually associated to something bad, as you can imagine :-P but it is an easy 4 digit number to remember. Not sure if that is the case in other countries...
The only thing I could think of was Ubuntu version 10.04. I doubt that explains it. I thought any variation on that (1.004, 10.04, 100.4) might have some significance in popular culture, like the 42 has, but didn't find anything.
Seems like 1004 would be a pretty easily typed and spatially easy PIN to remember - http://static.guim.co.uk/sys-images/Guardian/Pix/pictures/20... - poke your elbow out and place your hand over the keypad and it's middle finger, thumb, thumb, index finger. Quick and easy.
Perhaps this is a chance for a quick poll. I believe that every PIN number I've ever received from a bank in the UK has had a duplicated number. Some examples are: 1142, 4840.
As 'finnw has mentioned, almost 50% of 4-digit numbers have at least one repeated digit, so there is high chance of ending up with such a number. FWIW I have 2 UK cards from different banks where the PIN has no repeated digits. I suspect you're seeing a pattern where there is none.
Incidentally, codes with repeated digits make it harder to guess your code based on fingerprints, as there are more possible combinations.
4960 of 10000 4-digit numbers contain at least one duplicate. Also, the probability of getting a number that has an unusual property is, counterintuitively, as an old math joke states, 1.
So if you're actually trying to break into people's accounts, it would be advantageous to know your victims' ethnicity. It's quite likely that cards stolen in Koreatown will have a different distribution of PIN numbers than those stolen in Chinatown.