Analysis of PIN Data

An analysis of 3.4 million four-digit PINs. ("1234" is the most common: 10.7% of all PINs. The top 20 PINs are 26.8% of the total. "8068" is the least common PIN -- that'll probably change now that the fact is published.)

Posted on September 19, 2012 at 12:31 PM • 39 Comments

Comments

willSeptember 19, 2012 12:49 PM

this being numeric passwords, not pins?

The pin associated with your bank cards are usually random number assigned by the issuer.

(Wasn't there a story of how the IT staff at some UK bank - Barclays? - had actually made the system only generate one of three random pins; this meaning that a stolen card could be used before the system shut down?)

JospfSeptember 19, 2012 12:53 PM

Not in the US. You may get issued a temporary pin, but mine was picked by me.

The author of the article makes a few assumptions in using the data set, but I think they are sound and generally hold true. Check out his other articles as well, he makes data analysis pretty interesting.

Peter A.September 19, 2012 12:59 PM

@will: many banks worldwide allow cardholders to change their PINs anytime, some even require that the PIN is selected by the cardholder before first use in some kind of card activation procedure.

GavinSeptember 19, 2012 1:52 PM

I've been using a six-digit PIN at the ATM for the last 5 years or so without any issues.

Is there a reason to stick to just 4 digits?

FigureitoutSeptember 19, 2012 2:26 PM

In an ideal world, this data shouldn't even be up for analysis...

Odd that the least common 20 pins begin with either a: 0, 6, 7, 8, or 9.

The fouth most popular seven digit password is 8675309 (It's a popular 80's song).--That's hilarious.

I could (keyword "could") test "1234" at my gym which uses 4-digit pins on lockers. Or I could just ask the front desk to unlock "my" locker because I "forgot" my pin; never seen that happen multiple times....

mooSeptember 19, 2012 3:05 PM

1234? I'm boggled that so many people use such a stupid PIN! If you get mugged or pickpocketed, and your PIN is set to 1234, the thief is definitely going to drain your bank account too before you get around to cancelling the card.

People are so bad at risk assessment, they don't realize how badly they could get ripped off just because they were too lazy to memorize a four-digit number.

Most people can remember several phone numbers at least, and those are seven digits or more. And no phone number is as important as your bank PIN.. jeez.

RandySeptember 19, 2012 3:55 PM

I'm sorry, my eyes are bad. Could someone tell me if 7249 is a good PIN from that heat chart?

HmmmSeptember 19, 2012 4:30 PM

> I will only disclose data sufficient to make my points

Except you can extract the popularity of every PIN from the heat map... :(

JBSeptember 19, 2012 4:49 PM

PW != PIN.
If these are indeed PW's and not sourced from an actual breach of pins, I'd say it's a bit of a leap to equate pin security to a numeric PW that quite probably would just be a throwaway PW for a forum.
JB

Dave MSeptember 19, 2012 7:21 PM

PW != PIN. If these are indeed PW's and not sourced from an actual breach of pins, I'd say it's a bit of a leap to equate pin security to a numeric PW that quite probably would just be a throwaway PW for a forum. JB

My thoughts as well.

NobodySpecialSeptember 19, 2012 11:50 PM

There is no particular reason for 8093, some number has to be the least popular. If you look at the graphs in the data, they are pretty flat one you get out to the tail.

ie. most people pick obvious numbers or patterns on the keypad, then dates - once you get out to real random numbers their distribution is pretty random

Carl 'SAI' MitchellSeptember 20, 2012 12:33 AM

For throwaway passwords that I /really/ don't care about I use physical constants.
c=299792458
G=6.67384e-11
etc, etc.

For anything I care about but won't have to remember, I use Keepass's generator.
For anything I care about and have to remember, I use Diceware.

MRSeptember 20, 2012 3:00 AM

I'd say that I could use a password 1234 for a site I don't care at all but I won't certainly use it as a PIN to protect the ATM card.

On the other hand the article is interesting and I'd say that If we strip the marginal/obvious results that it can reflect the reality well.

happosaiSeptember 20, 2012 3:19 AM

Usually ATM's allow three tries - by trying top 3 pins (1234, 10.7% 1111, 6% and 0000 1.8% ) attackers have almost one in five chances of lifting the money...

PINterSeptember 20, 2012 8:23 AM

PINs should be longer than 4 digits.

I was thinking about PINs and ATM skimmers the other day. Why haven't banks implemented some sort of nonce to the PIN yet? With smart phone availability today, you should be able to request some sort of temporary PIN to concatenate with your memorized pin in order to pull out money.

FigureitoutSeptember 20, 2012 11:28 AM

Most people can remember several phone numbers at least, and those are seven digits or more.

PINs should be longer than 4 digits.

@moo, PINter

Good point and agreed. I think if you visualize the numbers with a hyphen separating them (xxx-xxx-xxxx), that it's a lot easier to memorize (and a little more secure than a 4-dig pin). When I go to my gym all it takes is 1-3 recitations in my mind and it's etched on.

curtmackSeptember 20, 2012 1:39 PM

@JB

He actually addresses this. The fact that 2580 is very high at position 22 lends a lot of support to the theory that at the very least a large number (if not all) people are using their ATM PIN for this purpose; on a telephone/ATM keypad, 2580 is straight down the center column, but on a computer keypad, the equivalent would be 8520.

murray s.September 20, 2012 4:47 PM

Many (most?) hardware-based systems that allow customer selection of PIN these days have a list of disallowed "trivial" PINs that generally includes simple sequences (1234, 5432) and all identical digits (1111). Obviously you can't disallow too many combinations as it starts limiting the overall range of available numbers.

Jonathan RosenneSeptember 21, 2012 2:34 AM

Customer selected PINs are a disaster area. Although the article, as pointed to above, does not directly address customer selected PINs, it does try to approximate them. But the research is not deep enough. Many people select digits from their phone number or birthday or other numbers they carry with them or in their heads. If one was to correlate the PINs with these data the results would have been in all likelihood much more obvious. In my opinion people who have access to this kind of data, such as when a wallet was stolen, have a good chance to guess the PIN within the limits allowed by the bank.

Random832September 21, 2012 8:48 AM

@JB, @DaveM:

The analysis mentions that the commonness of "2580" [which is a straight line on an ATM keypad but not on a computer keypad] implies that the kind of person who uses a four-digit number as a computer password does in fact generally reuse their ATM pin number for it.

MattSeptember 21, 2012 12:54 PM

I don't like the term "PIN" to refer to an ATM code--they're not personal, and they don't identify you. I find "code" more proper. That notwithstanding...

Some people talk about the concept of a duress ATM code. If you are being forced to use your ATM card (or if someone stole your ATM card and is forcing the code from you), you use the duress code. The ATM will behave normally, dispense cash, and print a normal receipt, but a silent signal is sent to the alarm monitoring station, which can watch the ATM's cameras remotely and call the police. Improper use of the duress code would carry a big false-alarm fine from the police.

This system is already in widespread use in burglar alarms. Apparently, a popular burglar-alarm duress code is 2580:

- Easy to remember (especially under duress) and difficult to accidentally enter. This sets it apart from the other tricks like "add 1 to the last digit", "last two digits reversed", or "all four digits in reverse"--good luck calculating that with a gun to your head.

- The adversary is unlikely to notice. Using 9111 or 1234 would be a pretty good giveaway that you're using the duress code, but not 2580. Low-risk residential and commercial customers are most likely to be ambushed by a drug-addled thug; for a bank, jewelery store, or high-profile residence with a chance of an ambush by an "expert", I'd definitely recommend something more random than 2580.

The part about 19xx reminded me of a Delco (GM) radio in a Chevy I had not long ago. The radio had a theft-lock, user settable, between 0000 and 1999. I set it to my year of birth (19xx), since (1) I was guarding a no-frills factory radio against meth-heads, not expert thieves, and (2) when I replaced the battery, I didn't want to go crazy trying to remember (or look up) what I had set the code to.

ikeSeptember 21, 2012 4:10 PM

"I was able to find almost 3.4 million four digit passwords. "

What's more impressive is how many people use a pin as their password!

angelSeptember 23, 2012 10:25 AM

I finally found out why 1004 is so popular in the top pin numbers:

1004 is a korean "word" in numerical text.
If you say this number in Korean, you get
chunsa which means Angel.

MWSeptember 23, 2012 6:41 PM

If people used randomly generated PINs, each number would have frequency 0.1% (+/- sampling error.) The least popular PINs have frequencies ~0.001%. This implies that only about 1% of these users have randomly selected PINs! (There is a bit more maths to it than this, due to selection bias, but I'm too lazy to deal with it.)

anon nooneSeptember 26, 2012 3:28 AM

@JB, Dave M - I agree
for others, excerpt from that article:

By combining the exposed password databases I’ve encountered, and filtering the results to just those rows that are exactly four digits long [0-9] the output is a database of all the four digit character combinations that people have used as their account passwords.

it is strange how wide audience that article gets when readers' (journalists') view is skewed/mislead by the headline

Random832September 27, 2012 7:25 AM

@MW What is the frequency of the least popular PIN in a set of 3.4 million randomly generated PINs? I don't know what math you would use to model this, but I bet the answer is not 0.1%. So the question is what number X of randomly generated pins has the absolute amount of the least popular result that matches the amount (not the frequency, assume for simplicity that nobody non-randomly picked 8068) of the least popular one here.

Random832September 27, 2012 7:36 AM

In a quick and probably very unscientific simulation with 3.4M randomly generated pins, the least frequent had about 275 (0.008%) results and the most frequent had about 410 (0.012%).

0.000744% of 3.4 million is 25. A set of about 500,000 randomly generated PINs has about 25 of the least frequent (and 80 of the most) entry. So, this would mean that [0.5M/3.4M] 15% of people (among the sort of people who use four-digit numeric passwords for a purpose other than PINs) randomly generate them.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..