PIN number analysis (datagenetics.com)
134 points by Anon84 on Jan 27, 2013 | 82 comments



On a slightly different note related to the XKCD comic, Irish police in 2005 started a manhunt for a serial and prolific traffic offender - they knew he was Polish, his name was "Prawo Jazdy" and he had committed over two hundred speeding offences across the country.

Eventually they got a Polish officer through Interpol to help. On his first day on the case he asked - why are you looking for a guy called "Drivers License"? Cops had simply stopped ordinary traffic violators and written down the name from the international licence, from the spot where you usually saw the name on national licences.


Possibly due to disobeying the instructions signposted here: http://news.bbc.co.uk/1/hi/wales/7702913.stm

The apparent number of people who request tattoos in foreign scripts without bothering to check their translation is also surprising.


To be fair, are there any Welsh people who don't speak English? Having road signs in Welsh seems like a purely political requirement, not a functional one.



I'm guessing you saw this on QI? If so, I'd double check it with some other source.


Also, if you have the following custom license plates in California, you get a ton of parking tickets:

Noplates

Missing

XXX

NV


No, it was Prawo Jazdy.


Thank you - was incapable of handling lookups on iPhone whilst deciding if this was too cheesy for HN


My bank issues a PIN which is not of my choosing, and since it's a smart card to change it means actually going down to the bank to select a new PIN. I think the majority of people never do this, so it seems like a great way to counter people selecting "1234" or their birthday.

At some point I'd really like to see six to eight digit PINs, though...


Apparently (urban myth time) the bank-issued PIN is a hash of your bank account number plus some other details that are known without an expensive core database lookup.

This way your PIN can be verified without needing to call back to the central bank core - the ATM cloud can just move straight on to transactions.

It may save a lot of cash, it may be a myth - anyone got details?


I worked at a bank, I did code for generating PINs. I can tell you the urban myth is incorrect. Perhaps a single bank did it, but it sure isn't industry standard.


Did you filter out terrible combinations like 1111?


We did some sensible things to prevent non-sensible things. I don't think talking about the secret sauce would be appropriate though.


The fact that you can change it disproves it.



If enough people never bother to change their PIN, it might still be worth it.


Yeah, but then you have to make the lookup anyway, to check if they did change it. You might as well just authenticate. Unless the original PIN always works, which is not secure.


I think the changed PIN is stored on your card as an offset. When you enter your PIN, both the offset and the code you entered are transmitted, so they always validate against the original, non-changed PIN.


My ATM won't complain about an invalid pin until it actually communicates with the bank, at the very end of the transaction (after choosing checking/savings and the amount).


Every ATM in the UK I've used in 1.5 years did that. Makes sense. Why send 2 requests (confirm PIN -> initiate transaction) if you can combine it into one without losing anything?


Same here in the Netherlands. I don't think I can change mine at all.

This has however resulted in me forgetting it several times, once I almost got stranded at a station and was lucky to have enough cash to buy a ticket.

I won't tell you what I've done to mitigate against being stranded at random places due to forgetting my PIN but it's not secure. Therefore, I have my reservations about forcing people to remember random numbers.


So I have 1 secret 4 digit number that I use to encrypt all my other PIN numbers by adding it to them using modulo 10 addition. I then write the resultant 4 digit PIN on the back of the card. I've been doing this for well over a decade since seeing it in a book about encryption. Without it I'd have needed to have been issued with new PIN numbers many times.
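The two schemes in this sub-thread (the "offset stored on the card" idea a few comments up, and the "add a secret to every bank PIN mod 10" trick directly above) are the same digit-wise modulo-10 arithmetic. The following is an added example, not code from the page or from any bank: the key names, the account number and the HMAC-based "natural PIN" are assumptions made for illustration. Real issuer schemes of this shape (for instance IBM 3624 PIN offset) derive the natural PIN with DES and a decimalisation table rather than HMAC, but the offset logic is the same.

```python
import hashlib
import hmac


def _check(a: str, b: str) -> None:
    if len(a) != len(b) or not (a.isdigit() and b.isdigit()):
        raise ValueError("operands must be digit strings of equal length")


def digits_add(a: str, b: str) -> str:
    """Digit-wise addition mod 10, no carries: '1234' + '9999' -> '0123'."""
    _check(a, b)
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))


def digits_sub(a: str, b: str) -> str:
    """Digit-wise subtraction mod 10, the inverse of digits_add."""
    _check(a, b)
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))


# --- Scheme 1: the commenter's trick (one memorised secret, many cards) ----

def mask_pin(bank_pin: str, secret: str) -> str:
    """The value the cardholder writes on the back of the card."""
    return digits_add(bank_pin, secret)


def recover_pin(masked: str, secret: str) -> str:
    """What the cardholder does at the ATM: subtract the memorised secret."""
    return digits_sub(masked, secret)


# --- Scheme 2: PIN offset stored on the card (simplified issuer model) -----
# Assumption for illustration: the 'natural' PIN is a keyed function of the
# account number under a PIN verification key (pvk) that only the issuer holds,
# so the offset on the card reveals nothing without that key.

def natural_pin(account_number: str, pvk: bytes, length: int = 4) -> str:
    mac = hmac.new(pvk, account_number.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big") % 10 ** length).zfill(length)


def make_offset(chosen_pin: str, account_number: str, pvk: bytes) -> str:
    """Computed by the issuer when the customer changes the PIN; written to the card."""
    return digits_sub(chosen_pin, natural_pin(account_number, pvk, len(chosen_pin)))


def verify_pin(entered_pin: str, offset: str, account_number: str, pvk: bytes) -> bool:
    """Verifier: strip the offset and compare against the recomputed natural PIN.
    Constant-time comparison; with a 10^4 space the lockout counter, not timing,
    is what really limits the attacker."""
    try:
        candidate = digits_sub(entered_pin, offset)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, natural_pin(account_number, pvk, len(offset)))


if __name__ == "__main__":
    # Scheme 1: bank PIN 2580, memorised secret 7391 -> 9871 written on the card.
    print(mask_pin("2580", "7391"), recover_pin(mask_pin("2580", "7391"), "7391"))
    # Scheme 2: customer changes PIN to 2580; only the offset leaves the issuer.
    key, acct = b"issuer-pin-verification-key", "12345678"   # constructed values
    off = make_offset("2580", acct, key)
    print(off, verify_pin("2580", off, acct, key), verify_pin("2581", off, acct, key))
```

The caveat for scheme 1: the masked value is only as secret as the one shared secret. Anyone who learns a single bank PIN together with the number written on that card recovers the secret by subtraction and with it every other masked PIN, so the scheme turns one compromised card into all of them.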


Interesting. If you chose a PIN for your card that was the result of modulo arithmetic with some part of the card number (last four digits, for example, but perhaps something more obscure), you wouldn't have to write on the card at all.


That's a very clever suggestion.

The only thing is that if you're going to pick the pin you might as well use the secret one.


You probably wouldn't want to do that: If the pin was somehow compromised, then the attacker would likely try the same compromised pin number in other places. Using different pins for each service avoids this attack.


Ooh, that's neat. I use a similar system, though mine permits several possible ways to encrypt a number and I usually pick an encryption with 5 or 6 digits. It doesn't require me to remember anything but the algorithm, so I don't feel comfortable with sharing it. I know it might be less secure than encrypting the pin with another pin, but I can't trust myself to remember any pin.


Errr ... You have a secret pin.

You modulo that with the pin your bank gives you.

You write the result on the back of the card.

If you forget the pin you can work backwards to the bank issued pin?

Ok I get it now. Sounds crazy.


My bank (in Germany) just recently introduced a feature on their ATMs that allows you to easily change your PIN.

I think it's pretty obvious that's a bad idea, given all the huge posters also hanging everywhere in the bank, sternly warning people not to pick a dumb PIN. I'm sure that'll work.

4-digit PINs are easy to remember. It's real simple to always come up with some sort of mnemonic. There is no need whatsoever to pick your own.


I disagree - with all my personal and business accounts I have around 15 PINs. I of course have to write them down.


"it seems like a great way to counter people selecting "1234" or their birthday."

It would be, were it not for the fact that the pin is randomly assigned. I've had a card issued with "2468" as the pin.

"I'd really like to see six to eight digit PINs, though..."

Whilst the default length is 4 digits, you can change it to something longer if you choose.


> Whilst the default length is 4 digits, you can change it to something longer if you choose.

Not really. You'll break international standards if you do. I used an 8-digit PIN for many years, but it is 100% impossible to use anywhere I tried in Europe. You will be completely without any way to pay other than cash. No machine will allow more than 4 digits in my experience.


How long ago was your experience? This may explain why (over the past 5-10 years or so) I've encountered more and more machines that require you to press OK after entering the four digits (before, some machines would submit after you typed the fourth, without confirmation).


Here in Belgium they do.


My Bank of America account has a six digit PIN, and it has worked at every ATM (BofA or not) I've encountered.


Mine is a 10-digit pin, of my choosing.

When dealing with 'foreign' ATMs (whether domestic or foreign), my pin is sometimes truncated -- anywhere from 8 to 4 digits.

I've also come across ATMs where it won't work.

Bank of America advises you to change it to a 4-digit PIN before traveling internationally (and actually has a paper handout they'll give at the teller window saying such if you tell them you're traveling internationally).


You can do up to 6 in Canada. Nobody ever told me, but when I was signing up at RBC I accidentally typed 5 and it worked. Now I know why they don't deterministically say 'OK, he's done' after you hit four digits.


Watch out! I also live in Canada, and a close friend of mine while travelling was frozen out of his accounts because there were no banks that could handle 6 digit pins there.

For that reason I recommend having a 4 digit pin.


Where's "there"? (Presumably not Canada?)


I couldn't use a 6 digit PIN in Italy. Some ATMs in London, UK didn't like it either.

In Singapore a 6 digit PIN is mandatory, so I have no idea if a 4 digit PIN will work - anybody been there?


In China, 6 digit pins seem to be the norm - sometimes I can't take money out on my international card because my 4 digit pin is deemed by the machine as too short/invalid.


I had to get a new debit card relatively recently (was robbed) and it came with a 6-digit PIN not of my choosing (Bank of America). Just saying, they now exist.


They allow them (8+ digit PIN) in Australia, so I assume they are available elsewhere too. Parts of Europe are the exception according to my bank.


He quickly glossed over the fact that these are computer passwords which happen to be 4 numeric digits.

"Given that users have a free choice for their password, if users select a four digit password to their online account, it’s not a stretch to use this as a proxy for four digit PIN codes."

Though there probably wouldn't be a drastically different phenomenon, I think the actual PIN distribution would be noticeably different. Particularly 1234. It may still be the top PIN, but I don't think it would have the same dominance. People choose trymynewwebservice.ly passwords a lot more callously than their bank password. I have to believe on average people put a little more effort into disguising it.


I wonder about the 2580s (vertical numbers on a PIN pad). It makes perfect sense for PINs, but not a computer keyboard. It could be people keeping their passwords consistent with their PINs e.g. using their ATM PIN for their online bank account password.

A lot of sites (correctly) prevent people from using very short or simple passwords, including four digit numbers. I'm curious what sites his database comes from.


This paper(PDF) uses the RockYou password database to do a similar analysis:

http://www.cl.cam.ac.uk/~jcb82/doc/BPA12-FC-banking_pin_secu...

(RockYou discussed here: http://en.wikipedia.org/wiki/RockYou#Controversy )

The patterns displayed by the codes in the paper are similar to the blog.


Wow, it's worse than I thought. Rockyou doesn't allow 4 character passwords so they were extracting the numbers from WITHIN longer passwords. 'asdf1975' would equate to a 'pin' of 1975, or 37489 would equate to two pins, 3748 and 7489. What a terrible assumption to build all your research on top of.


The paper is quite clear about the methodology used, they only extracted exact 4 digit sequences. I repeated that much of the analysis, I wanted to examine the patterns, not just look at the frequency plot. I got the same ~1.7 million sequences using a regex that excluded 5 digit sequences.

The blog is less clear.
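The disagreement in the last two comments is about methodology: whether a 4-digit "PIN" is any four adjacent digits inside a longer digit run, or only a run of exactly four digits. The following is an added example, not code from the paper or the blog, run over a small constructed password list (not RockYou data). It implements both readings so the difference is visible; the exact-run regex uses lookarounds so that a 5-digit run such as 37489 contributes nothing, which is the reading the comment above describes.

```python
import re
from collections import Counter

# Constructed sample passwords for illustration; not taken from any leak.
SAMPLE_PASSWORDS = [
    "asdf1975", "1234", "37489", "password1234", "2580", "1975!!",
    "abc1234def5678", "0000", "1234", "12345", "pin1111x",
]

# Exactly four digits: no digit immediately before or after the run.
EXACT_FOUR = re.compile(r"(?<!\d)\d{4}(?!\d)")


def extract_four_digit_runs(passwords):
    """Maximal runs of exactly four digits. Runs of 5+ digits are skipped
    entirely; a password can still contribute more than one run."""
    runs = []
    for pw in passwords:
        runs.extend(EXACT_FOUR.findall(pw))
    return runs


def sliding_window_runs(passwords):
    """The other reading: every 4-digit window of every digit run, so
    '37489' yields '3748' and '7489'. Kept only to show how the counts differ."""
    out = []
    for pw in passwords:
        for m in re.finditer(r"\d+", pw):
            d = m.group()
            out.extend(d[i:i + 4] for i in range(len(d) - 3))
    return out


def pin_frequencies(runs):
    """Map PIN -> (count, share of all extracted runs), most common first."""
    counts = Counter(runs)
    total = sum(counts.values())
    return {pin: (n, n / total) for pin, n in counts.most_common()}


if __name__ == "__main__":
    exact = extract_four_digit_runs(SAMPLE_PASSWORDS)
    window = sliding_window_runs(SAMPLE_PASSWORDS)
    print(len(exact), "exact runs;", len(window), "sliding-window runs")
    for pin, (n, share) in pin_frequencies(exact).items():
        print(f"{pin}: {n} ({share:.0%})")
```

Before trusting any such distribution as a PIN proxy, it is worth also checking how many extracted runs look like years (19xx, 20xx) or came from passwords that were nothing but digits, since both inflate exactly the patterns the blog singles out.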


Previous submission with discussion:

http://news.ycombinator.com/item?id=4535417


Do you use your PIN number at an ATM machine?


ctrl-f atm machine

upvoted.


After reading the comment on your LCD display and interacting with a GUI interface? As if this was an IRC chat.


Please. Stop it already. The 'N' in PIN stands for Number. If you say 'PIN Number' you're really saying 'Personal Identification Number Number'. Same with ATM Machine, HIV Virus etc.


All of which everybody does so stop caring about it. My favorites this last year include CAC card & SMS message.


SMS message is correct. SMS stands for short message service.


I think I think you are you are right sir right.


If the title didn't say PIN number, I might have thought it was about sharp pointy things. Language is about communication, not words.



I like to call it my "Personal PIN Number, for identification purposes"

Now go explode!!! ;)


You have to include the N or they will all be like 314159...


RAS Syndrome. LCD display is another good one.


Or HN News


oh boy...religious wars are a coming


A database of 4 digit passwords is not suitable as a replacement for PINs. Especially not for anything called a fucking analysis.

Banks don't let you choose 4 consecutive numbers or 4 of the same number making his first conclusion completely invalid. A lot of banks assign pin numbers now making the rest of his conclusions invalid.

I get wanting to analyze PINs, it's interesting, but pretending any old data that looks similar will work is misleading, disingenuous, and half ass.


> Banks don't let you choose 4 consecutive numbers or 4 of the same number making his first conclusion completely invalid

I'm not sure where YOU live, but there's a WHOLE world out there. In New Zealand, you can choose anything you like on the number terminal they give you. They try to educate you on a good PIN, but it's ultimately up to you.


This.

How anyone can 'analyse' PIN numbers with unrelated data is beyond me.


Interesting analysis but I don't understand the obsession with randomness of the PIN and such.

Unlike the 80s, there are many countermeasures to defend against brute force attacks. No one is going to sit down and guess/brute-force your PIN. Probably not even your other passwords.

It's either going to be fully exposed or not at all, so how random or complicated it is doesn't protect you as much as most people make it sound.


Well, yes and no. I actually mostly agree with your point, but just to play devil's advocate:

When we talk about secure passwords (Not PINs for the moment, I'll get back to those in a moment), we're mostly worrying about how easy it is to recover someone's password from a database once a system has been compromised. However these days, we don't store the password, we store a hash of the password. To recover the password, the hacker has to successfully 'un-hash' the hashed password, which is done by applying a brute force cryptographic algorithm. The computer detects hits by examining the frequency of letters in the output, knowing that letters don't have an even distribution in passwords (or any other text). Choosing a random password is actually useful in this case, because even if the computer correctly finds the right key for de-hashing, it doesn't recognize your password as 'de-hashed' and just passes right over it.

So, for passwords, it is fairly clear that a random password is going to be safer than a word / name or other commonly used password constructs, in its ability to resist extraction from a compromised database.

Can we make the same claim for PIN codes? It would be harder - you only have 4 digits to work with, which makes it much harder to determine if digits are distributed in a pattern or randomly. You would expect a lot of false positives and false negatives. Nevertheless, distributions in real life numbers do exist - http://en.wikipedia.org/wiki/Benford%27s_law is an obvious example, which leads us to the non-obvious conclusion that making PIN codes longer probably leads to a lower level of security. On the other hand, the scenario in which this is a problem is when a database is compromised, and bank databases are amongst the most hardened targets on the planet, so the increase in risk is probably negligible.


" Choosing a random password is actually useful in this case, because even if the computer correctly finds the right key for de-hashing, it doesn't recognize your password as 'de-hashed' and just passes right over it."

That's assuming someone is trying to brute force a system 'from the outside', without having access to the list of password hashes for the system. In reality such attempts rarely if ever happen and they are easily defeated by using rate limiting and other techniques.

The problem arises when the attacker has a list of hashed passwords and is running checks against that list. In those cases, the fact that a password is random won't do any good, as the program knows which password hash it is trying to crack.

Furthermore, there is no "de-hashing". Password cracking software is actually hashing commonly used words, letter combinations and/or even random characters, and comparing the output of the hashing operation with the password hash that it is trying to crack. Cryptographic hash functions are unidirectional and cannot be reversed, you can only try to hash raw data and hope to produce a hash which matches the hash you're trying to "reverse".


You're talking about rainbow tables. They aren't used very much anymore, since the salting of hashes has become commonplace.

As for your idea that hash functions can't be reversed, not so much. They can't be easily reversed, but that's not the same thing.

In reality, brute forcing is pretty much the only viable attack left now that salting is commonplace. Still, if you have managed to get your hands on the password table, you can brute force without having to worry about rate limiting etc.
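To make the last few comments concrete: there is no "de-hashing" step, cracking is hashing candidates forward and comparing; an unsalted table can be attacked with a table precomputed once for the whole space; and a per-user salt kills the table but not the per-hash brute force. The following is an added example, not code from the page, using constructed PINs and fixed salts; SHA-256 stands in for whatever hash a real system would use.

```python
import hashlib
import os

ALL_PINS = [f"{i:04d}" for i in range(10_000)]   # the whole 4-digit space


def hash_unsalted(pin: str) -> str:
    return hashlib.sha256(pin.encode()).hexdigest()


def hash_salted(pin: str, salt: bytes) -> str:
    return hashlib.sha256(salt + pin.encode()).hexdigest()


def build_lookup_table() -> dict:
    """Precompute hash -> PIN once for the entire space. A rainbow table trades
    table size for some recomputation, but the principle is the same: the work
    is done once and reused against every unsalted hash ever leaked."""
    return {hash_unsalted(p): p for p in ALL_PINS}


def crack_unsalted(leaked_hashes, table) -> dict:
    """Each leaked hash costs one dictionary lookup; no hashing at attack time."""
    return {h: table.get(h) for h in leaked_hashes}


def crack_salted(leaked) -> tuple:
    """leaked: list of (hash, salt) pairs. The table is useless, so each hash
    is brute-forced on its own by hashing candidates forward and comparing.
    Returns the recovered PINs and the number of hash operations spent."""
    recovered, work = {}, 0
    for h, salt in leaked:
        recovered[h] = None
        for p in ALL_PINS:
            work += 1
            if hash_salted(p, salt) == h:
                recovered[h] = p
                break
    return recovered, work


def leak_unsalted(pins):
    """What an attacker sees after dumping an unsalted table (constructed)."""
    return [hash_unsalted(p) for p in pins]


def leak_salted(pins, salts):
    """Same dump from a salted table: the salt is stored next to the hash."""
    return [(hash_salted(p, s), s) for p, s in zip(pins, salts)]


if __name__ == "__main__":
    table = build_lookup_table()
    print(crack_unsalted(leak_unsalted(["1234", "2580"]), table))
    salts = [os.urandom(16), os.urandom(16)]
    print(crack_salted(leak_salted(["1234", "2580"], salts)))
```

Note what the salt buys for a 10^4 space: the second attack still recovers every PIN, it just costs up to 10,000 hashes per victim instead of a lookup. A slow KDF multiplies that per-guess cost, but 10,000 guesses of anything is cheap, which is why PINs are normally verified under an attempt counter or inside an HSM rather than stored as password-style hashes at all.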


A quick search of HN shows how frequently passwords are in fact not salted.


Yes and a quick search of the evening news shows how frequently people are murdered.


I'm going to need a citation for what you just said because it sounds like you have a really messed up view of how cracking passwords works. Strong passwords aren't strong because they fool the computer by not looking like passwords. Wtf?


Someone who tries 1234, 1111 & 0000 on each before the bank locks him out has an 18.6% chance of getting into each one of them, which is 1/5.37. Therefore if someone steals just 6 cards they will likely get into one of them (and most likely exploit it for as much as they can).

Now, if my card got stolen and I hadn't realized it till a few hours later, I'd be glad my pin wasn't 1234. Also, even if I get the money back from the bank, I won't get the time hassling the bank/insurance or the stress back.
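The arithmetic in the comment above is the standard guessing-with-lockout model, and it is worth seeing as a function of the attempt budget and of how skewed the PIN distribution is. The following is an added example, not code from the page or the article: the three frequencies are constructed to add up to the 18.6% quoted above and are not the article's figures.

```python
from math import ceil, log

# Constructed frequency table for illustration only: three entries chosen to
# sum to the 18.6% quoted in the comment; everything else is treated as "other".
TOP_PIN_FREQ = {"1234": 0.107, "1111": 0.060, "0000": 0.019}


def best_guesses(freq: dict, budget: int) -> list:
    """Optimal strategy under a lockout after `budget` wrong tries:
    spend the budget on the most common PINs, most common first."""
    return sorted(freq, key=freq.get, reverse=True)[:budget]


def per_card_success(freq: dict, budget: int) -> float:
    """Probability that one stolen card falls to `budget` guesses."""
    return sum(freq[p] for p in best_guesses(freq, budget))


def success_over_cards(p: float, n: int) -> float:
    """P(at least one of n independent cards opens) = 1 - (1 - p)^n."""
    return 1 - (1 - p) ** n


def expected_cards_until_success(p: float) -> float:
    """Geometric distribution: on average 1/p cards per successful cash-out."""
    return 1 / p


def cards_needed(p: float, target: float) -> int:
    """Smallest n with success_over_cards(p, n) >= target."""
    return ceil(log(1 - target) / log(1 - p))


def uniform_pin_success(budget: int, length: int = 4) -> float:
    """Same attack against issuer-assigned uniformly random PINs:
    no PIN is more likely than any other, so only budget / 10^length."""
    return budget / 10 ** length


if __name__ == "__main__":
    p = per_card_success(TOP_PIN_FREQ, 3)
    print(f"per card: {p:.1%}, expected cards per success: {expected_cards_until_success(p):.2f}")
    print(f"6 cards: {success_over_cards(p, 6):.1%}, cards for 90%: {cards_needed(p, 0.9)}")
    print(f"random PINs, 3 tries: {uniform_pin_success(3):.2%}")
```

The comparison at the end is the whole argument for issuer-assigned PINs: against a skewed user-chosen distribution three guesses win roughly one card in five, against uniformly random PINs the same three guesses win one card in about 3,300.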


This is an interesting look at the data but some of the inference isn't quite there. The author uses the relative prevalence of the pattern 2468 over 1357 to justify the conclusion that people prefer even numbers to odd, completely ignoring the pattern-based analysis he just used to understand the prevalence of 2580!


Passwords and PINs are not the same thing (at least in most places).

In my company (credit card company) and in most competitors the PIN is a random number generated when the smart cards are being written. Sequential, repetitive, years, et al. are all discarded. PINs can be used as a password for transactions. Because my company focuses on low-income families, this is actually great: they don't need a phone or website to create/change passwords. The problem here is delivering the password securely.

There are banks that do not use PINs at all; the password is stored in their database. This is usually better because if you lose a password you can reset it. This isn't possible using PINs. They are hardwired in the smart card and cannot be changed.

PINs cannot be changed or chosen, if you can change, it's not a PIN, it's an awfully insecure 4 digit password.


Why awfully insecure?


Because we all know this, it's just stupid to let people select PINs. It's much better to pre-assign a completely random PIN, as most banks in Finland do.

Based on a properly working random number generator, I would say that 1234 is exactly as common a PIN as any other PIN number.


I thought 1337 would be popular enough to be mentioned.


This was a great write-up, thanks for sharing. Similarly here is an article about the most common passwords for 2012.

http://www.cbsnews.com/8301-205_162-57539366/the-25-most-com...


So I wondered, and tried to google the number: one of his graphs shows a peak for '1472'. Anyone got an idea what's special about this number?

And from the longer digit-sequences 292513 (#12) and 38317 (#15) and 42059 (#20). I didn't google those last two, maybe they're common US ZIP codes?


Is there a link anywhere to the full set of totals, so I can lookup my PIN and see how common it is? Surely that would be the most useful takeaway from this article?


Laughing at the XKCD cartoon -- I remember having the same idea (and realization) for having a license plate that's all O's and zeros.



