Why six digit PINs are no better for security than four digits (2024)

It has everything to do with psychology.

“Mathematically speaking, there is a huge difference, of course,” said Philipp Markert of the Horst Görtz Institute for IT Security at Ruhr-Universität Bochum (photo left). “However, users prefer certain combinations: some PINs are used more frequently, for example, 123456 and 654321.”


“It seems that users currently do not understand intuitively what it is that makes a six-digit PIN secure,” added colleague Markus Dürmuth.

In the study, subjects used Apple or Android devices, and set either four or six-digit PINs.

Since iOS 9, knowing that owners are prone to using certain weak numbers, Apple phones have included a blacklist to reject them automatically during the PIN setting process.

The team created or had access to several of these blacklists (see below) – including Apple’s four digit and six digit list, which was obtained by getting a computer to try all combinations on an iPhone.

As an aside, there were 274 numbers on the four digit iPhone list, and 2910 on the other. “Since users only have ten attempts to guess the PIN on the iPhone anyway, the blacklist does not make it any more secure,” said researcher Maximilian Golla of the Max Planck Institute for Security and Privacy in Bochum (photo right).

Android smartphones instead limit how quickly different codes can be tried in succession, according to the University. “In eleven hours, 100 number combinations can be tested,” said Markert. As attackers can try more Android PINs, a blacklist would make more sense on Android devices.

Back at the experiment, 1220 participants chose PINs, which, importantly to the results, were then attacked with 10, 30, or 100 attempts to mimic the way phones limit access.

As an attack on a random phone will succeed quicker if the most likely numbers are tried first, the researchers started their attacks using blacklisted numbers. “We guessed differently depending on the assigned treatment. If the participant was not allowed to select certain PINs, we also skipped those when guessing,” Markert told Electronics Weekly.

And it was this that revealed that six digit PINs are no better than four digit PINs.

So, mainly because manufacturers limit the number of PIN unlocking attempts, a prudently chosen four-digit PIN is secure enough.
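
The measurement described above, the share of PINs that fall within a fixed number of guesses, can be written down directly. The following is an added example, not code from the study or from the original article: the counts are constructed (both populations are given a similarly skewed head), only the PIN values come from the list of common PINs on this page, and the guess order is derived from the same sample it is scored against, so the figures are an upper bound for that sample.

```python
from collections import Counter

def constructed_sample(head, tail_start, tail_step, tail_n, width):
    """Build a constructed PIN population: a popular head plus unique tail PINs."""
    pins = [pin for pin, n in head.items() for _ in range(n)]
    pins += [f"{tail_start + tail_step * i:0{width}d}" for i in range(tail_n)]
    return pins

def guess_order(observed, blacklist=frozenset()):
    """Most frequently chosen PINs first, skipping PINs the device refuses at setup."""
    counts = Counter(p for p in observed if p not in blacklist)
    return sorted(counts, key=lambda p: (-counts[p], p))  # ties broken by PIN

def cracked_fraction(chosen, order, budget):
    """Share of devices unlocked within `budget` guesses (the throttle limit)."""
    guesses = set(order[:budget])
    return sum(p in guesses for p in chosen) / len(chosen)

def uniform_fraction(digits, budget):
    """The same metric if every PIN of that length were equally likely."""
    return budget / 10 ** digits

# Constructed counts (not study data); the PINs are the page's five most common.
HEAD_4 = {"1234": 40, "0000": 20, "2580": 15, "1111": 15, "5555": 10}
HEAD_6 = {"123456": 50, "654321": 20, "111111": 15, "000000": 10, "123123": 5}
FOUR = constructed_sample(HEAD_4, 3001, 7, 900, 4)      # 1000 constructed users
SIX = constructed_sample(HEAD_6, 300001, 701, 900, 6)   # 1000 constructed users

def report():
    """Observed vs. uniform cracked share at the study's 10/30/100 guess budgets."""
    rows = []
    for name, digits, sample in (("4-digit", 4, FOUR), ("6-digit", 6, SIX)):
        order = guess_order(sample)
        for budget in (10, 30, 100):
            rows.append((name, budget, cracked_fraction(sample, order, budget),
                         uniform_fraction(digits, budget)))
    return rows

if __name__ == "__main__":
    for name, budget, observed, ideal in report():
        print(f"{name} budget={budget:3d} observed={observed:.3f} uniform={ideal:.6f}")
```

With uniformly chosen PINs the six-digit share is a hundred times smaller; with a skewed head and a small guess budget the two lengths score the same. Passing a `blacklist` to `guess_order` applies the skip-when-guessing rule Markert describes for the blacklist treatments.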

By the way, the most common four-digit PINs according to the study are: 1234, 0000, 2580, 1111 and 5555 (scroll down for a longer list) – 2580 is there because it is a vertical column on a numeric keypad.

Deeper analysis indicated that the ideal blacklist for four-digit PINs would have to contain ~1,000 entries and differ slightly from the one deduced for Apple.

Further examining Apple’s blacklist technique, and its option for users to choose a blacklisted number after a warning, some of the test participants who had entered a PIN from the blacklist were allowed to choose whether or not to enter a new PIN after the warning, while others were compelled to set a new PIN that was not on the list.

On average, the PINs of both groups were equally difficult to guess.

Blacklists

The work will be presented as ‘This PIN can be easily guessed’ at the IEEE Symposium on Security and Privacy in San Francisco in May 2020. This paper details the experimental blacklists, and draws conclusions on how blacklists might be improved.

One last bit of information was provided by the team: four and six-digit PINs are less secure than passwords, but more secure than pattern locks.

Ruhr-Universität Bochum and the Max Planck Institute for Security and Privacy worked with George Washington University.

The most common PINs

Four digit    Six digit
1234          123456
0000          654321
2580          111111
1111          000000
5555          123123
5683          666666
0852          121212
2222          112233
1212          789456
1998          159753

Photo credit:
Horst Görtz Institute for IT Security at Ruhr-Universität Bochum
Max Planck Institute for Security and Privacy in Bochum

The article primarily discusses the security of PINs (Personal Identification Numbers) on mobile devices, specifically Apple and Android smartphones. Let's break down the key concepts discussed in the article:

  1. PIN Security and User Behavior:

    • Users tend to prefer certain combinations for PINs, and some widely used PINs include 123456 and 654321.
    • The study suggests that users may not intuitively understand what makes a six-digit PIN more secure than a four-digit one.

  2. iOS 9 Blacklist Feature:

    • Apple devices, since iOS 9, have implemented a blacklist feature for PINs. This feature automatically rejects commonly used weak PINs during the PIN-setting process.
    • The article notes the existence of blacklists, including Apple's four-digit and six-digit lists, obtained by systematically trying all combinations on an iPhone.

  3. Effectiveness of Blacklists:

    • The study questions the effectiveness of blacklists, especially in the case of Apple devices where users have a limited number of attempts to guess the PIN.
    • For Android devices, the article mentions that blacklists could be more useful due to the ability of attackers to try more PIN combinations.

  4. PIN Length and Security:

    • The research involved 1220 participants choosing four or six-digit PINs, and these PINs were subjected to attacks with varying numbers of attempts to simulate real-world scenarios.
    • Surprisingly, the study reveals that six-digit PINs are not significantly more secure than four-digit PINs, primarily because manufacturers limit the number of PIN unlocking attempts.

  5. Common Four-Digit PINs:

    • The article provides a list of common four-digit PINs, including 1234, 0000, 2580, 1111, and 5555. The inclusion of 2580 is explained as it forms a vertical column on a numeric keypad.

  6. Blacklist Techniques and User Choice:

    • The article discusses Apple's blacklist technique, where users may choose a blacklisted number after a warning. Some participants were allowed to choose a new PIN, while others were compelled to set a new PIN not on the blacklist.
    • Surprisingly, the average difficulty of guessing PINs was similar for both groups.

  7. Comparison with Passwords and Pattern Locks:

    • The article concludes that four and six-digit PINs are less secure than passwords but more secure than pattern locks.

This information will be presented at the IEEE Symposium on Security and Privacy, providing a forum for researchers to share their findings and insights into PIN security. The collaboration between Ruhr-Universität Bochum, the Max Planck Institute for Security and Privacy, and George Washington University adds credibility to the research.

FAQs

Why six digit PINs are no better for security than four digits?

4 digit pin gives 5040 combinations (210 if they should be unique), while 6 digit pin gives 151 200 combinations.

Is a 6 digit PIN more secure?

In an online attack that guesses a small number of common PINs (10–30), we observe that 6-digit PINs are, at best, marginally more secure than 4-digit PINs. To understand the relationship between 4- and 6-digit PINs, we then model targeted attacks for PIN upgrades.

Is a 6 digit code safe?

There are one million permutations of a 6 digit number, including 000000. If the website locks them out after 10 wrong tries, they still have only a 1 in 100,000 chance of getting in.

Are 4 digit PINs secure?

However, users should remember that four-digit passcodes have 10,000 possible combinations, so be mindful and strategic about the PIN you choose. Even with extra precaution, passcodes still have a chance to be hacked which is why tech gurus encourage using password managers which safely protect personal information.

How strong is a 6 digit PIN?

A six-digit password has 10^6 possible combinations (a million possible combinations). Normal cracking it with a powerful CPU that tries 30 passwords/second would take 9.25 hours which is quite long.

What is the safest pin number?

“Statistically, 8068 is the safest PIN,” says Tyler Moffitt, senior threat research analyst at Webroot. “Other good numbers are 7637, 6835, and 9629. But that's mainly because they follow no pattern, isn't a date, or repetition of numbers, or the column of the keypad (2580).”

Why are PINs only four digits?

Using four digits for PINs allowed for efficient storage and processing of user information. User Convenience: A four-digit PIN is relatively easy to remember for most people compared to longer combinations. It strikes a balance between being memorable and providing a basic level of security.

What four-digit PINs should you avoid?

Avoid the obvious

Make your PIN less easy to guess by avoiding obvious number combinations or sequences such as “1111,” “1234” or “9876.”

What is the 6 digit security PIN?

The security PIN is a 6-digit number that only you know. When you contact us for support, it is used to confirm that we are speaking with the correct person (the account owner). Your security PIN is similar to the PIN on your ATM/debit card. Anyone who knows your PIN has access to your account.

What is the hardest 6 digit password?

Steps to Make Your 6 Digit Password the Toughest

Mix uppercase and lowercase letters – Use a combination of uppercase and lowercase letters to help confuse hackers and make it more difficult for them to guess your password. Start with a mix of both and use the same order each time you type your password.

Are PINs safer than passwords?

So, if you're looking to protect your device or online account, using a strong password is a better choice than a PIN. This doesn't necessarily mean you should stop using PINs altogether. PINs are a practical and secure method to unlock your touchscreen device, for example.

Which is more secure pattern or PIN?

Passcodes, PINs, passphrases and patterns act as the core defence to any biometric methods of unlocking your phone. But these options aren't all equally secure. While none of the security methods are completely fool proof, the passcode or PIN seems to be the best defence against attackers wanting to access your phone.

What is the strongest 4-digit password?

A: The hardest 4-digit password is 8068. It is one of the strongest numeric passwords available. Other commonly used 4-digit passwords are 1234, 0000, and 2580. To create the strongest 4-digit password, experts recommend combining numbers, symbols, and capital letters for a secure password that is difficult to guess.

Can a PIN code be 6 digits?

A Postal Index Number (PIN) code is a six-digit code used by India Post in the Indian postal code system. Also referred to as Zip codes or area codes, every digit in these codes indicates a specific meaning.

What is a common 6 digit password?

Q&A. Q: What are common 6 digit passwords? A: A 6 digit password is a way to secure your accounts, such as email, banking and social media. Common 6 digit passwords usually include 6 digits in a pattern such as 123456, 111111, 000001, or even your birthdate.

How many passwords are possible with 6 digits?

Or, as @keith points out, the more intuitive way to establish it is simply by knowing that the largest possible 6 figure number is 999,999 (with the lowest being 0) which means there are precisely 1,000,000 possible combinations of a 6 numerical-character string.

How secure is a 6 character password?

Weak passwords are easily guessed or cracked by automated programs, so if you use a weak password, you are leaving yourself open to attack. Using a strong password with 6 or more characters, however, can make it virtually impossible for a hacker to gain access.

Is a PIN more secure than a fingerprint?

A PIN can often be guessed with a little bit of information about the target, or it can even be “shoulder surfed” by someone standing behind you and watching you input it. A fingerprint can't. A longer PIN can be safer, but it's also a lot harder to remember.

How many digits is a safe PIN?

You can also use an alphanumeric PIN. However, since attacking a smartphone requires physical access and the phone will lock you out after too many bad guesses, 6 digits are enough for most people (as long as the code isn't easy to guess). Get help here: iPhone, Android.

How many digits is a secure code?

The card security code (CSC) is usually a 3- or 4-digit number, which is not part of the credit card number. The CSC is typically printed on the back of a credit card (usually in the signature field).

Article information

Author: Dan Stracke
