Schneier on Security
A blog covering security and security technology.
February 21, 2012
"1234" and Birthdays Are the Most Common PINs
Research paper: "A birthday present every eleven wallets? The security of customer-chosen banking PINs," by Joseph Bonneau, Sören Preibusch, and Ross Anderson:
Abstract: We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behaviour such as sharing and reusing PINs. We find that guessing PINs based on the victims' birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11-18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one's date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.
EDITED TO ADD (2/22): News article
Posted on February 21, 2012 at 7:36 AM
"The lesson for card-issuing banks is to implement a denied PIN list"
What? It's far better to have slightly more guessable PIN than it is to encourage people to write the bloody things down.
This is like passwords, my first reaction to any site with a password policy is to write the thing down. My second reaction, is not to use said site for anything I care about.
This leaves me wondering about the use of someone else's birthday as a PIN. Since you probably won't have that b'day written in your wallet, does this ameliorate the problem?
Funny thing, in my country, the banks are, in the last one or two years, all starting to offer user-settable PINs. They tout it as a great advantage, used to be that all PINs were random. Oh well, I stopped expecting common sense from the banks a while back.
Note to self: use PINs out of the 0100 - 3199 range. Thieves may keep guessing my (or someone else's) birthday all they want.
Sorry, the first thing that came to mind was: "That's the same combination on my luggage!"
@Bob It's a four-digit number. People can remember four-digit numbers. (They can usually remember seven-digit numbers, and at least one nine-digit number).
... I'm with the Better Not Random or They *Will* Get Written Down party. Banks make the perfect trade-off: Picking your own PIN is a major increase in ease-of-use, apparently trumping (in my experience with both sides: with regat distance) the lock-all-down-tight argument. Indeed, blacklisting certain numbers only makes PINs *more easy* to guess...! I suggest not allowing any number that may represent YY, MM and/or DD in any order. Ah, which leaves the default PIN anyway.
If only users wouldn't pick PINs that they have written down on their birthday-carrying other IDs...
Or make it mandatory to use your wedding anniversary date. No man can remember that, in the first place.
Which makes it mandatory to call your wife (if you have one!) before you PIN your new Porsche. Your wife may not give full 'authorization' to do that in the first place, if seconds before you have to explain that you need your anniversary date and didn't remember.
@Jurgen: you're forgetting those husbands that *do* remember it, but will pause after telling it to you to wait for FDR to finish intoning "a date that will live in infamy"
But I'd say "1234" is much worse than a date, as it can fail to a card skimmer alone. to get birthdates you have to know the person or steal a whole wallet.
While it removes "bad" PINs such as 0000 and 1234, doesn't instituting a blacklist reduce the already very small pool of 4-digit PINs? If this is the solution, then the blacklist should be personalized, and based on what the bank knows about the customer (aka, the bank won't let you use your birthday).
Seems to me like a better solution is to allow PINs that are arbitrary length, with the only constraint being a maximum number of digits (the maximum being much higher than 4). I know some banks (Bank of America) already allow PINs that are longer than 4 digits. Combined with a personalized blacklist enforced by the bank (no birthday, no SSN, no personal telephone number) and you should be pretty safe.
I thought I'd just look through my wallet to see how many of my cards have my date of birth on - out of 13 cards (a mix of credit, debit and membership cards, and two donors' register cards), and found a grand total of zero. The only dates were commencement and expiry dates, and I think that all but the very stupidest avoid re-using those as PINs. So perhaps the birthday issue is a little over-stated.
@Toby Speight: No license or ID? Or is your license/id not used for proof of age?
Do you live somewhere that lacks age-restricted places or lacks age-restriction at places like night clubs or bars?
As a 12-year-old once pointed out to me: OF COURSE bad passwords are the most common ones. The whole point of having a good password is that you're the only one who is using it. So if you sort by how frequently a password is used, the only ones that will show up more than once are the bad ones.
When I got my first debit card, about 14 years ago, I was informed I could use a PIN between 4 and 8 digits long. I chose an 8 digit PIN. But when it came time to use it at a POS terminal, I found that almost all POS terminals accepted a maximum of 4 digits. Only one POS terminal out of all the many which I tried would accept 8 digits, and only a handful would accept 6. So I went with a 4 digit PIN. (Never had trouble with a long PIN at an ATM.)
I've never had a financial institution which did not allow 8 digit PINs. But POS terminals that would accept more than 4 remained rare (in the areas I lived in) until about 5 years ago. These days my credit union requires 5 digits minimum, and it's been about 3 months since I encountered a POS terminal that would not take my 6 digit PIN.
I have yet to read the whole paper to see if this is addressed, but it would be interesting to see some statistics when working specifically with the number of pins that fall in the 365 date range. I feel as though this would be a very large number of pins. While this is a decent subset, it would make brute forcing possible even if there are timeouts on failed attempts after x tries.
I am surprised that some banks allow customers to choose their pins.
I don't think I've been able to do that in over a decade.
@NoOne: "No license or ID? Or is your license/id not used for proof of age?"
UK driving licences are too big for most wallets, and you get two weeks to fetch it if stopped driving, so most of us don't take the risk of carrying an important, easily losable document on the person.
I certainly can't remember having to prove my age for anything since I was a student (in fact, AFAICR, since before I left school to become a university student), so that hadn't occurred to me. Mind you, I do recall from my school days that borrowing a driving licence as evidence of a different age worked quite well, provided one could remember exactly which birthdate one had on any given night! I think a lot of pubs started requiring a passport or a dedicated "proof of age" card, with a photo on it, but not when I was a lad.
1234! That's the same as the combination on my luggage! (to paraphrase Spaceballs).
I was able to memorize my 4 digit pin easy enough, and it was a bank-assigned one. Of course, when I picked my own pin a while back, I used the trick of associating each number with a letter of the alphabet, like what you find on a telephone, and chose a word to help remember it. Of course, I chose a word in foreign language to make things a bit harder to dictionary attack...
@bob: "it is [bad] to encourage people to write the bloody things down."
That strongly depends on your threat model (and also on what you do with the piece of paper).
@Random832 That depends on how many of the damn things you have. With credit cards all now chip-and-pin in Canada, that's one per credit card plus one for your debit card.
It's very useful to have the ability (default ?) to have a random PIN, but also to be able to choose it, so that you can share PINs between cards.
How much time & money (and really big words) was spent figuring out the obvious?
This isn't a password for a website that you're keeping in your pocket. The PIN number written down on a piece of paper in the same wallet as the card is a huge risk.
@Random832, @Chris Brand:
A human might be able to remember a bunch of PINs, but no human is capable of memorizing all of them at once when he loses his wallet and needs to be issued a new set of cards.
Happened to me last year :-/
Researchers ALWAYS have to make recommendations. When there aren't good ones, they pick obvious ones, consequences be damned. And experts, supposedly with brains, education, and experience, don't think beyond "how do I end this paper?"
Obvious recommendation #1 -- disallow PINs that could be dates.
Security flaw: reduced search space (easier cracking).
Obvious recommendation #2 -- disallow free choice.
Security flaw: PINS get written down (access), and PINs get lost (impersonation, interception).
Unacceptable conclusion #1 -- PIN users selecting "special date" values are another reason why a PIN system is very poor security needing replacement.
("Special dates" problem known since day -1.)
Unacceptable conclusion #2 -- A PIN system replacement must be very convenient and user friendly or it will be compromised by users just as the PIN system.
(Historical fact that PIN systems were implemented strictly to mollify consumer resistance against magnetic card systems.)
Unacceptable conclusion #3 -- Migration from PIN systems won't occur until both PIN system providers and users directly experience the total loss from PIN system failures.
(Even if banks/insurers are made responsible for all losses associated with PIN system failures, it may still be cheaper for institutions to maintain the PIN system. Consider that today most banks will eat most transactions made with stolen credit cards.)
@Random832, you assign people too much brain power, especially older folk who have difficulty learning/retaining any seven digit number.
How exactly do you disallow PINs that could be dates? Assuming a 4 digit PIN, what if my birthdate is June 7, 1944? Now 6744 is a very reasonable PIN form of that date.
Any 4 digit combo could be a date.
Now if you are talking about the bank knowing your birthday, and not allowing the obvious forms (6744, 4467, 4406, etc.) of that, then you have probably helped the situation. But there is no obvious way to filter out all 4 digit pins that might be dates, without filtering out all PINs except 0000.
@Toby Speight: Well, that makes sense then. In some states in the US it's either a misdemeanor or civil infraction to drive without your license on your person. In a subset of those any fine or result is waived if you produce your license at a later date appropriately. In Texas, I believe, they do the reasonable thing and just look up your license in the computer.
I'm somewhat surprised that the UK doesn't do any age verification for purchasing cigarettes or alcohol in stores though.
We always tell them what not to do (don't write it down, don't pick easy ones). We need to tell them how to create a pin that isn't common and is easy to remember.
I often suggest the last 4 digits of your home phone as a kid (assuming it is not the current number) or your grandmother's phone, etc.
I am a webmaster for a low-tech webserver. As such, I am not concerned with protecting any given account but rather the site contents as a whole.
I have to create all the passwords myself and issue them to the users. I use a 12-char length with minimum of one each of the four food groups (and no declared maximum although I would probably spin the wheel again if more than 6 were special characters simply due to the difficulty of making myself understood when issuing them.) Cheap brute-force technology has probably overtaken me again and it is once again time to lengthen (I started with 8 and moved thru 10 to 12 over the years). Interestingly, the resistance of the users to longer passwords seems to me to increase logarithmically with length. When they were 8 long people seemed to be waiting for more characters, but at 12 I get a lot of people interrupting me cause they think I am done at ~10.
I know for a fact that there are -ZERO- weak passwords on my server because I essentially vet them all. But I am equally certain that almost ALL of them are written down SOMEWHERE.
I must concur with Paeniteo, whether writing "it" down is acceptable or not depends on the threat model. I find it perfectly acceptable to write it down inside an encrypted password vault granted certain measures are taken (I.e. A good password not written down; oh, wait...er...). :o)
Even a sticky note stuck to my monitor depending what it is :)
Toby is clearly over the age of 40 and hasn't moved house in 10+ years (or is committing an offence of not updating his licence). Since the mid 90s in the UK a PVC (now polycarbonate) driving licence photocard is issued along with your paper 'counterpart', together they form the full licence. The paper bit is the bit that gets endorsed with points for speeding tickets and you need it to rent a car.
I'd guess most people under 40 now have photocard licence, but as the paper licences don't expire until you turn 70 and you only update them when you move many people who are middle aged and settled have not updated to a photocard. There are occasional murmurings about recalling paper licences, but I doubt it will happen because Toby's demographic are low risk and it would be a big expense for little gain.
It has been mentioned before, but yes, unless the filtering system removes all combinations of one's birthday digits, what are the odds that a random assignment to a given customer will be... his birthday?
Clearly the less popular PINS are harder to guess so just require everyone to use the least popular.
Personally, I think the gripping-hand question here is why in nineteen purple hallucinatory hells are we still using four-numeric-digit PINs at all, let alone online. Let's face it, we are never going to get realistic security out of four numeric digits, and screening out "unsafe" combinations only makes the task of guessing a PIN from the remaining sets easier.
It's time to abandon PINs and devise something better.
(Afterthought: See also CAPTCHAs, which at this point are frequently easier for computers to solve than they are for humans.)
When my bank first offered the ability to choose my own PIN, they also allowed it to be up to 12 digits. So clearly, this is not beyond the range of feasibility. However, I no longer see PINs that long offered; presumably, either some merchants (or ATM owners?) or some banks have decided it's not worth their while to be that flexible.
Perhaps the law needs to make them rethink that. That would avoid the need for a bank to insist on choosing your PIN for you. (I suggest that banks then adopt a new standard: you can have a 4-digit bank-chosen random PIN, or one of your own which is at least 10 digits -- each customer chooses which.)
The problem is all the terminals and ATMs that exist (and there are more than one might think) that won't accept pins longer than 4 digits.
@No One: "I'm somewhat surprised that the UK doesn't do any age verification for purchasing cigarettes or alcohol in stores though."
You cannot conclude that they don't do "any" verification.
You can conclude that Toby obviously looks old enough that they believe he is of the appropriate age without showing ID.
I, personally, find these "everyone must show ID" policies soooo ridiculous, but they probably result from a combination of several legal peculiarities in the US (and other states where similar policies are common).
The only logical recommendation from the research is to recommend that consumers should not use a PIN that can be found in their wallet. Writing down a wrong PIN could be a great defense against attacks as it very likely will be one fruitless attempt for an attacker.
I've seen several times proposals to extend the PINs to 6 digits to avoid this kind of trouble... but it would be the same - I'd change mine from 1311 [*] to 131170 and it'd be the same issue.
Of course, any idiot would still set "123456" in his luggage or planetary shield.
Another problem is that it would increase a false sense of security, while most attack vectors would be unchanged (MITM being the prime one here - yeah, I saw that once in a local bank).
[*] Not my actual pin. :-P
Man! All these comments and no one has mentioned that, according to the very factual 'The Simpsons', Julian Assange's password is '1234'...
@Ben, even the most restrictive blacklist (don't allow two of the same digits, two consecutive digits in a row, anything that could be a date, or anything that could be a year [1000-2099]) ultimately ends up just reducing it to a fourth of the keyspace size - which, if you've got the ability to brute force that, you only need four times as long to just brute force the whole set.
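The abstract recommends a denied-PIN list, the comment about June 7, 1944 argues that a useful filter has to be personalized to the birth date the bank already holds (rejecting forms like 6744, 4467 and 4406), and the comment just above asks how much of the keyspace a generic "could be a date" filter throws away. The following is an added example, not code from the paper, the blog or any bank: a bank-side policy check with a small generic denied list, a per-customer filter built from the birth date on file, and a counter for the generic date filter. The denylist rules, the date-derivation forms and the sample customer are assumptions chosen for illustration.

```python
"""Bank-side PIN policy check (added example, not the paper's model or any
bank's real policy): a generic denied list, a per-customer filter that rejects
PINs derived from the birth date on file, and a count of how much of the
4-digit keyspace a customer-agnostic "looks like a date" filter removes."""
from datetime import date
from itertools import permutations, product
from typing import Optional


def weak_pins() -> set[str]:
    """Generic denied list (assumed rules): repeated digits and straight runs."""
    out = {str(d) * 4 for d in range(10)}            # 0000 ... 9999
    for start in range(0, 7):                         # 0123 ... 6789 and reverses
        run = "".join(str(start + i) for i in range(4))
        out.add(run)
        out.add(run[::-1])
    return out


def dob_derived_pins(dob: date) -> set[str]:
    """Every 4-digit string built from the customer's day, month and year
    (zero-padded or not, in any order), plus the reversal of each one."""
    parts = {
        "d": {f"{dob.day:02d}", str(dob.day)},
        "m": {f"{dob.month:02d}", str(dob.month)},
        "y": {f"{dob.year:04d}", f"{dob.year % 100:02d}"},
    }
    out = set()
    for r in (1, 2, 3):
        for names in permutations(("d", "m", "y"), r):
            for combo in product(*(parts[n] for n in names)):
                s = "".join(combo)
                if len(s) == 4:
                    out.add(s)
                    out.add(s[::-1])
    return out


def check_pin(pin: str, dob: date) -> Optional[str]:
    """Return None if the PIN is acceptable, otherwise the reason it is refused."""
    if len(pin) != 4 or not pin.isdigit():
        return "PIN must be exactly four digits"
    if pin in weak_pins():
        return "PIN is on the denied list"
    if pin in dob_derived_pins(dob):
        return "PIN is derived from the birth date on file"
    return None


def date_like_pins() -> set[str]:
    """4-digit strings that read as MMDD or DDMM (day 01-31 for any month) or
    as a year 1900-2099: what a generic date filter would have to remove."""
    out = set()
    for month in range(1, 13):
        for day in range(1, 32):
            out.add(f"{month:02d}{day:02d}")
            out.add(f"{day:02d}{month:02d}")
    out.update(str(y) for y in range(1900, 2100))
    return out


if __name__ == "__main__":
    customer_dob = date(1944, 6, 7)   # constructed sample customer
    for candidate in ("1234", "6744", "4467", "4406", "8351"):
        print(candidate, check_pin(candidate, customer_dob) or "accepted")
    removed = len(date_like_pins())
    print(f"generic date filter removes {removed} of 10000 PINs ({removed / 100:.1f}%)")
```

The per-customer filter rejects only the handful of strings that can be built from that customer's own birth date, so the remaining keyspace stays close to 10,000; the generic date filter, by contrast, removes several hundred PINs for every customer, which is the keyspace-reduction trade-off the comment above describes.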
Bank of America allows PINs longer than 4 digits, but many of their employees will tell you 4 is the limit if you ask. I happen to use 8 digits, picked as two sets of 4 non-random digits based on information from two widely separated periods of my life that no single person (old or new friend, family member) will know.
I usually use either my employee number from some company I've worked for (or someone else's emp number), or part of the zip code or (previous) region code for some place that I like but no one except my husband would know the connection to.
I hate the bank or mobile phone company provided pin codes that can't be changed - when you have a longer list of those it's a pain to remember them, so they tend to be written down in some form. Masquerading them as some other code or part of phone number works fine, until you forgot which thing is the code for which. The chances of me remembering a dozen random numeric codes for phones and banking pins is... well, I don't even remember my social security number.
@No One, @Alex,
for one thing, alcohol is limited to people over 21 here in the States. I assume that the age limit is much lower in the UK. The use of drivers' license as photo-ID for drinks is the reason that most young adults learn to keep it with them all the time.
Though most first-time drivers also like to have their license handy if they encounter Police.
I do find it odd that DL's and the carrying thereof are so infused into the culture of the USA.
Per PINs, I've sometimes used my birthdate in European fashion (DD-MM), which is kind of useful against birthdate-guessers who use the American fashion (MM-DD).
This is more effective if the 'DD' portion of the birthdate is greater than 12.
Or, I could transform the two 'DD-MM' numbers into octal, and use those digits instead of their decimal equivalents. This puts me into a narrower search-space, but destroys the most-familiar pattern for guessers to play with.
Still, neither of these methods is very good against scripted attacks. However, any search space that is size 10^4 is hard to defend against scripting attacks.
Easily guessable PINs aside, why would four digits be inadequate? I have to assume (although you know what they say) that there is a lockout mechanism after so many incorrect guesses.
Among the small fraction of cards that are stolen, only one in a thousand or so (depending on the lockout limit) might be successfully used to get cash. And then, the amount would be subject to daily transaction limits.
Let's say, very conservatively, that in a year, 1% of cards are stolen, and 1/1000th of those are able to be used to withdraw a limit of $1000 before the card is deactivated. A totally unbreakable security system is then only worth $0.01 per cardholder.
If there is a flaw, it is not because PINs only have four digits.
For the folks reporting issues with PINs longer than four digits, I have Bank of America, and a six-digit PIN (as a matter of fact, they sent me a six-digit initial PIN), and have never had any problems using it at any POS machine.
Quite amusingly, when I got my new card, the PIN for a while was the reverse of the one they sent me. After a few months, during a conversation with a co-worker about PINs, she was talking about hypothetically using her birthday as her PIN and rattled it off. It was the same PIN I was using from the "reverse the default" one. Of course, I was forced to change it because I immediately blurted out "Whoa, that's my PIN."
Why do people use 4-digit PINs? Every ATM I've used in the last 5 years accepts the 6-digit PIN for my main card, including ATMs in countries in Africa and South America.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.