04 August 2013

PINs and Passwords, Part 1

by Leigh Lundin

Needles…

More often than you might imagine, financial institutions deploy inadequate security protection, the type of inadequacy where the word ‘woefully’ often finds itself used. I don’t know how much Discover has beefed up its on-line security since I last owned a card, but its password protection was weaker than some porn sites (so I’m told, ahem). It took Capital One and Washington Mutual a while to come up to speed, but my present bank still allows only a ten character password.

If a bank left the keys in their door at night or even left it unlocked, you could hardly blame the curious– or the wicked– for coming inside and wandering around. But that’s happened in the on-line financial world. Institutions lobby for harsh penalties, but their rantings and ravings are meant to detract attention from their own failings.

But a third party is involved, you, the customer. What do you have in your wallet?

From the aspect of a consumer, we can use the following to protect ourselves. From the standpoint of crime writers, we can use the information below to plot clues within a story.

… and PINs

Think about your PIN number, ‘PIN’ singular because most people use one for everything, even their security alarm code. And past behavior suggests people will continue using an easily exposed code even after reading an article like this.

But wait. Doesn't a 4-digit PIN imply guessing one is only a 1-in-10,000 chance?

Not at all. Knowing a little about you (Social Security Number, birth date, etc.) might help hackers, but the PINs and alarm codes of one in four customers can be reduced to sixteen or so numbers.

Does yours begin with 1? Or 19?

The vast majority of PIN numbers begin with 1 or 0. If yours starts with 1, you’ve reduced the possibilities from 10,000 to 1000. If 19, your herd's shrunk to 100.

Do you use the internationally ubiquitous top N° 1 PIN? 1234? Or another of the popular sequential variants, 4321, 5678, 6789?

Does your number begin with 19xx, perhaps a date? The possible numbers are now one hundred, probably a lot less, maybe twenty possibilities if you’re young and eighty possibilities if you aren’t, but a few more if the number represents month-and-day (MMDD) or day-and-month (DDMM). Popular dates that go beyond birthdays include George Orwell's literary 1984 and historical years 1492 and 1776.

Take 2486, which has two strikes against it: It not only comprises semi-sequential even numbers, but it's also a visual pattern, a diamond on a keypad. Other popular visuals are a square (1397), a cross (2046), an X (1937), and the most popular of all, a straight line down the middle (2580). Visual patterns produce deceptively random-looking numbers, but statistics demonstrate they offer little security. And let's face it: Security and convenience find themselves at odds with each other.

'heat' map

statistical moiré
PIN-stripes

Using graphing tools and such visuals as 'heat maps', researchers can determine less than obvious patterns. Some stand out like stars in the sky while others exhibit a warp and woof of woven fabric revealing unconscious human subtleties we're unaware of.

People love couplets, paired digits such as 1010, 1212, the ever-popular 6969, Intel’s 8080, or that Zager and Evans song, 2525. Even when not using 9898 or 2323, people exhibit a preference for pairs one numeric step apart such as 2389 (2-3,8-9) or 5478 (5-4,7-8)) instead of 2479 or 5668. Perhaps we still hear childhood chants in our head from when we learned to count.

A few users exhibit a distinct lack of imagination, to wit: 0001. Others look to pop culture for inspiration, especially fans of James Bond (0007 or 0070), Star Trek (1701), or George Lucas (1138). The 1980s hit 867-5309 peaked at #4 on both the Billboard Hot 100 chart and the hottest 7-digit PIN list.

Some people can’t be bothered at all: 0000, 1111, 2222, 9999, etc. These same overall patterns persist with PINs longer than four digits although people tend to pick phone numbers when forced to select 7-digits, thus adding artificial randomization to the mix.

The problem with guessable PINs surprisingly worsens when customers are forced to use additional digits, moving from about a 25% probability with fifteen numbers to more than 30% (not counting 7-digits with all those phone numbers). In fact, about half of all 9-digit PINs can be reduced to two dozen possibilities, largely because more than 35% of all people use the all too tempting 123456789. As for the remaining 64%, there's a good chance they're using their Social Security Number, which makes them vulnerable. (And as we know, Social Security Numbers contain their own well-known patterns.)

To reemphasize, the greater the number of digits required, the more predictable selections become. Why? Why does the problem worsen with additional digits? As people are forced to use more digits, I hypothesize they react by falling back on easy-to-recall patterns such as sequences. Someone might remember 3791, but they won't easily recall 379114928, and they may reason 123456789 is as difficult as any other number.

PIN-pricks

The bad guys know these things. They don’t need high-speed analysis engines or intensive code-cracking software. They know the numbers and work the odds. As often as not, they can hack into an account– or your house or your medical files or your life– within moments.

Armed with only four possibilities, hackers can crack 20% of all PINs. Allow them no more than fifteen numbers, and they can tap the accounts of more than a quarter of card-holders.
PIN-ups
If you absolutely cannot remember little used numbers and carry a reminder, at least code the number in some way.
• Some take a cue from old-fashioned costing codes that used alphabet substitution for digits: I=1, J=2, K=3, …
• Roman numerals might be another idea, e.g, 2009=MMIX.
• One handy method is to subtract your PIN from 9999 and write that down. When you need your PIN, you simply subtract the code from 9999 again. (For those who know hexadecimal (base 16: 0-1-2-3-4-5-6-7-8-9-A-B-C-D-E-F), this geeky technique is even more effective: Where F is 15, subtract your PIN from FFFF, e.g, 9531=6ACE. I used this method to label keys in an apartment complex: 1422B=EBDD4.)

Your job– you should choose to accept it– is to make breaking into your account as difficult as possible, not that institutions tell you what you really need to know: Their usual advice is to cover ATM and store keypads with your hand. Don’t tell anyone your PIN. Don’t write it on a stick-em and carry it in your billfold.

But you can do a lot more than that: Make your number as difficult to guess as possible.

PIN-wheel

So what numbers are rarely used? Generally, the higher the first digit, the less common the password. Of the ten least used PINs, four start with 8, two with 9, and two with 6. Just don’t blow your efforts with 8888 or 8000, or 9999 or 9000.

Tip: Sure, you want a number you can remember. Toward that end, I suggest picking an easy four letter word (or a word with the same number of letters as the number of PIN digits) you can remember, say ‘easy’ itself. Look at E-A-S-Y on a telephone keypad and you’ll see the letters correspond to 3279, which breaks the most obvious patterns. Reverse the digits if you like to make the combination harder. If your ATM doesn't show letters, then open your cell phone. See more tips in the box at right.

PIN-points

In the following table* of the twenty most used numbers, it becomes painfully obvious any baddie who’s learned only the first four or five most popular numbers can suck the money out of one in five ATM accounts. With a crib sheet of these twenty numbers, he can boost his takings to 27%.

Most Common PIN Numbers
rank PIN freq %
1 1234 10.713
2 1111 6.016
3 0000 1.881
4 1212 1.197
5 7777 0.745
6 1004 0.616
7 2000 0.613
8 4444 0.526
9 2222 0.516
10 6969 0.512
11 9999 0.451
12 3333 0.419
13 5555 0.395
14 6666 0.391
15 1122 0.366
16 1313 0.304
17 8888 0.303
18 4321 0.293
19 2001 0.290
20 1010 0.285

Least Common PIN Numbers
rank PIN freq %
9981 9047 0.001161
9982 8438 0.001161
9983 0439 0.001161
9984 9539 0.001161
9985 8196 0.001131
9986 7063 0.001131
9987 6093 0.001131
9988 6827 0.001101
9989 7394 0.001101
9990 0859 0.001072
9991 8957 0.001042
9992 9480 0.001042
9993 6793 0.001012
9994 8398 0.000982
9995 0738 0.000982
9996 7637 0.000953
9997 6835 0.000953
9998 9629 0.000953
9999 8093 0.000893
10000 8068 0.000744
* Credit for this table and the heat maps goes to math mensch and privacy professional, Nick Berry.

PIN-out

Now go forth and protect thy accounts. And drop me a line if you use these clues in your own stories.

17 comments:

A Broad Abroad said...

Anything preventing baddies from ‘penny-PINching’ and I’m all PINnae.

Ignoring this article of PINterest is the PINnacle of stupidity and makes one, in my oPINion, a PINhead.

Leigh for PIN-up of the week!

Anonymous said...

Are you saying pin numbers are useless? Why do we keep getting them?

janice Law said...

All this makes me nostalgia for our old Royal Bank of Scotland account where everything was done by hand in a ledger and at the counter!

Leigh Lundin said...

Pin-up! ABA, you make me blush!

Anon, as Janice hints at, once banks and businesses knew their customers by sight and reputation. These days, a bank doesn't know its own employees. So as noted above, they seek to make access easy, perhaps to easy since institutions can fall back upon "You didn't keep your card and PIN safe." The best we can do is make it as difficult as possible for others to guess our number.

Anonymous said...

I always use one number followed by the last name of an old boyfriend from many years ago. He is now deceased & I do not talk about him. This method of keeping a password unguessable, probably isn't recommended, but it works for me!

Robert Lopresti said...

Fascinating and depressing. A while ago I heard a story on NPR about a guy whose four letter pin on his voice mail was broken and he found himself billed for many thousands of long distance calls he had apparently made from Asia one night. The phone company was not interested in his explanations. At thant point i changed my four letter phone code to a longer one.

I had a friend in high school whose phone number I still remember. The last four digits were 3941. "The year WWII started, and the year we entered," he told me.

Dixon Hill said...

Leigh, I'll leave off any mention of my own pin codes and passwords, for obvious reasons.

However, I think you’ve hit on a very nice mechanism for a puzzle mystery here. The idea of trying to “reverse engineer” or perhaps even “reverse psychoanalyze” what a certain person might find to associate with a given-length pin or pass code, assuming that person was incorporating a mnemonic device that would speak to his/her psyche, but not be common knowledge to others, is a fascinating idea.

Leigh Lundin said...

Anon, any password that doesn't reveal too much should work, particularly if it's further obscured with a number or special character.

Rob, I still remember a couple of phone numbers from the 70s, one a friend who gave me her number, DEN-CURD, and the other a colleague whose acronym sounded a bit naughty, HAD-MARY. Pretty effective mnemonics.

Louis A. Willis said...

What to do when the company, bank, or whatever, won't let you use more than four numbers or letters in a PIN? Sometimes I feel their rules for PINs and passwords are not very secure.

Louis A. Willis said...
This comment has been removed by the author.
Louis A. Willis said...
This comment has been removed by the author.
Leigh Lundin said...

Dixon, I'm presently wracking my brain for a plot where either good guys or bad guys crack the codes. Can you imagine a cashier or waiter who has hundreds of cards pass through their hands, and we know they can one in 4 or 5 with little trouble at all?

And Louis, you're right– PIN security is largely an illusion.

Robert Lopresti said...

I used to have a phone number that worked ou MR BIC 14. One day my sister-in-law called looking for my wife/ "Is this Mr Bic 14? May I speak to Ms Bic?

James THurber wrote about associating phone numbers with CIvil War dates. This was so successful he could still remember the numbers of people who were long dead, and not answering.

Ben floyd said...

This could explain something that happened to me. I left my credit card at a store and by the time I realized it, less than 1 hr later, more than 200 dollars in charges were on it. At the time I wondered how they got my pin number but yeah, I reckon I was using one of your easy to use numbers stead of something harder. Worked out for the crook anyway.

Toe Hallock said...

Hey Leigh: I used to have a 6 digit PIN at my big-time bank before they lopped off two and shortened it to 4. What's their philosophy? Codes will be cracked anyway? Or, who cares: We've already thrown away billions of dollars on bad investments? But don't worry, we've got your back. And I accept your challenge. In the next half-year I'll try to come up with a story including your info. Yours truly, Toe.

Leigh Lundin said...

Ben, easy-to-use and safety seldom go together. Yes, there's a good chance if you used one of the sequences (or a date) mentioned, it left your account vulnerable.

Toe, I'm astonished and yet not wholly surprised your bank reduced the number of digits (and security). It's one of those jaw-dropping decisions– what were they thinking?

Eve Fisher said...

I can guarantee that they won't be able to crack my passwords for most places - but my PIN number... I'll have to update that. My current one isn't the worst, but it isn't the best, either. Thanks for the tips!