How Common Is Your PIN?

phantomfive writes: We've seen password frequency lists, here is an analysis of PIN frequency with a nice heatmap towards the bottom. There is a line for numbers starting with 19*, which is the year of birth, a cluster around MM/DD for people's birthdays, and a hard diagonal line for the same digit repeated four times.

hey, if you type in your pw, it will show as stars

(Cthon98) hey, if you type in your pw, it will show as stars
(Cthon98) ********* see!
(AzureDiamond) hunter2
(AzureDiamond) doesnt look like stars to me
(Cthon98) (AzureDiamond) *******
(Cthon98) thats what I see
(AzureDiamond) oh, really?
(Cthon98) Absolutely
(AzureDiamond) you can go hunter2 my hunter2-ing hunter2
(AzureDiamond) haha, does that look funny to you?
(Cthon98) lol, yes. See, when YOU type hunter2, it shows to us as *******
(AzureDiamond) thats neat, I didnt know IRC did that
(Cthon98) yep, no matter how many times you type hunter2, it will show to us as *******
(AzureDiamond) awesome!
(AzureDiamond) wait, how do you know my pw?
(Cthon98) er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
(AzureDiamond) oh, ok.

- http://bash.org/?244321

1234 passwords

Those 1234 passwords that people always talk about, those are just from temporary e-mail addresses that people create when they want something anonymous.
I've created plenty of accounts with incredibly easy passwords, because I only used them once and didn't care if the accounts would be hacked a minute after creation.
PIN numbers are not the same thing as passwords.
This is not an analysis of PIN frequency, it's an analysis of 4-digit numeric-only passwords.

Re:1234 passwords

[unixisc]

I'm thinking particularly of the pin# for Windows 10. For some things, I pick numbers that few will think of other than me. For others, like say my work account, I picked the 4-digit number of the building of my employer's headquarters, since there's a good chance that I'd have to share that w/ colleagues.

I don't exactly see the point of trying to create a complicated PIN, since there are just 10,000 combinations. So might as well pick something that's easily remembered.

Ha...

[Type44Q]

My psycho/retard ex would *always* uses "0852" for her PIN. Why? Sheer fucking laziness.

Re:Ha...

[TheCarp]

You say that now.... but.... actual conversation that happened (names have been changed to protect the terrible):

(driving down the road with a friend I had recently started hanging out with)
me: "I know a family lives down that street, fucking crazy as fuck. Friend of mine dated their daughter, it was terrible, the day I picked him up and we loaded his shit into my car, she was telling him she was 'pregnant' again"
her: "Lol my Brother had a kid with a crazy girl on that steet, Jodie Simpson"

And we are not in some small town either, there are probably 50 houses on that one street, we are about as densly populated a city as you find in the US. Some people still manage to stand out.

Re: Old news

[bill_mcgonigle]

You are worthy of the nerd card. Very few others are. I bet that feels really good. You're special, for sure.

Not even PIN data

[OzPeter]

From TFA

Obviously, I don’t have access to a credit card PIN number database. Instead I’m going to use a proxy. I’m going to use data condensed from released/exposed/discovered password tables and security breaches.

By combining the exposed password databases I’ve encountered, and filtering the results to just those rows that are exactly four digits long [0-9] the output is a database of all the four digit character combinations that people have used as their account passwords.

Re:Not even PIN data

[hankwang]

I would guess that it's a reasonable proxy for PINs that people get to choose themselves, such as those for SIM cards and phone unlock codes. Where I live, you don't get to choose the PIN for your debit card.

As for my phone: it has an encryption password, an unlock code, and a SIM PIN, in order of decreasing complexity, related to the potential for damage if someone guesses it right and to the number of tries before the system locks/wipes itself.

Re:Not even PIN data

[jbmartin6]

TFA also explains why the author believes the dataset is relevant for ATM PINs and similar.

Re:Not even PIN data

[ShanghaiBill]

I would guess that it's a reasonable proxy for PINs that people get to choose themselves

I don't think so. I often use something like "1234" for some stupid throwaway account on a website that shouldn't even have accounts in the first place. But I use something pseudo-random (meaningful to me, but random to anyone else) for anything important, like a bank card.

Re:Not even PIN data

Exactly, I wonder if there's any significant difference between the PIN and passwords people use for different types of services.

Personally I use three types of passwords, for throwaway accounts that I gave no personal info/payment info, like newspaper sites, xda, etc, I just use "password" as the password, adding a "!" and or "0" as needed.

For sites that I sort of want to hold on to the account but has no personal/payment info (/. for example), I use my old phone number for it.

I only actually attempt to use secure and unique passwords for sites that I think needs it, like bank account, government sites, steam, etc.

I suspect (hope) that a majority of the "1234" and "0000" are just for throw away accounts that the owner doesn't care about.

Re:Not even PIN data

[tgv]

> TFA also explains why the author believes the dataset is relevant for ATM PINs and similar.

Believing is most certainly not good enough. It's just an excuse to make his finding look more interesting than it is, which is: hacked password lists contain many simple passwords, nobody really knows what for.

At least my pin 8068 is safe

[mdsolar]

Oh, wait...

Re:At least my pin 8068 is safe

[OzPeter]

"I set my ATM card's number to "0001" because I'm number one!"

Let me introduce you to this thing call 0-base numbering. Because with *my* PIN of "0000", I'm #1 and you are a poor excuse for a #2

Re:At least my pin 8068 is safe

[penix1]

Which is monumentally STUPID! That leads to people writing it down just so they can remember it. I can see my idiot brother even writing it on the card so he doesn't have to remember it!

Re:At least my pin 8068 is safe

[plover]

Which is monumentally STUPID! That leads to people writing it down just so they can remember it. I can see my idiot brother even writing it on the card so he doesn't have to remember it!

People get all panicked about "writing down their passwords." I have never seen a case where a hacker was able to reach through the internet and shoulder surf that piece of paper. Offline analog storage has a much better security profile than the average bureaucrat's Excel spreadsheet full of passwords.

Sure, local attacks on the paper are possible, but extremely rare when compared to online attacks. Paper records have a much lower risk profile.

Re:At least my pin 8068 is safe

[alexhs]

I've never seen anyone needing a cheat-sheet to enter their PIN around here. So, it appears that the French population at large is able to remember a 4-digit number.
I'm sorry to hear that the average American is unable to do that.

By the way, the way it's done, they give you your credit card at the counter or in the mail, and send you your PIN in a separate mail, your banker never knows the PIN either. The mail with the PIN contain safety instructions: memorize it, keep it confidential, never store it along the card, and, apparently, people are able to follow these instructions. The PIN is permanent, so when the card expire, by default the next card will have the same PIN. It's only if your card has been stolen or otherwise compromised that they will issue you a new PIN.

Re:At least my pin 8068 is safe

[Dunbal]

No that just means you're a zero. Kind of like being stillborn. Yeah you were born first, but...

Re: At least my pin 8068 is safe

[cloudmaster]

I have a Post-It stuck to the bottom of my keyboard with the word "pa$$word1" written on it, and have for years. I like to imagine that one day someone will try logging in to my account with that, thinking to themselves "wow, the sysadmin has a terrible password" just before it doesn't work.

It's the little things that get you through the day...

Re: At least my pin 8068 is safe

[KGIII]

You should find a way to use it as the duress password so that, if used, it sets off a loud klaxon alarm complete with the brilliant strobing lights. It would be awesome.

Re: At least my pin 8068 is safe

[fbobraga]

greatest idea ever!

Re:At least my pin 8068 is safe

[fbobraga]

I've never seen anyone needing a cheat-sheet to enter their PIN around here. So, it appears that the French population at large is able to remember a 4-digit number. I'm sorry to hear that the average American is unable to do that.

Providing PINs (which is a 4-digit number) look a very welcome idea to me! * it's something like already occurs here in Brazil, with SIM PINs and bank ATM machines ^^

Re:At least my pin 8068 is safe

[Cro+Magnon]

The main thing, IMO, is that the PIN is permanent. My ATM PIN was bank-selected, and though I can change it, I've never had any reason to do so. The numbers aren't connected to me, but I remember them just because I've always had them.

Re: At least my pin 8068 is safe

[Quirkz]

Okay, that made me laugh. That's a pretty good one.

I once found a password stickied to the monitor of a dean of a major state university. The thing is, the password was the dean's initials and year of birth, so I'm not really sure why he needed it to be stickied there. Possibly it was for the rest of the staff to get in and do things for him when necessary, but it still made me roll my eyes.

Super old blog

[MrLogic17]

I thought this blog posting on PIN numbers looked familiar - then I looked at the publish date. September 3rd, 2012.

Um, guys?

Re:Super old blog

[Mashiki]

This is /. so that's new and exciting information. Just be happy it was only almost 4 years ago.

This is why I use...

the last for digits of Pi for my PIN.

Re: This is why I use...

Plot twist...they are 12 3 4.

Re:This is why I use...

[reboot246]

I use God's birthday - 0000.

Re: This is why I use...

[Kojow777]

Also, don't you mean Jesus?

Technically, Jesus and God are one in the same. John 1 and Collossians 1 both talk about Jesus as the Creator of all things. He just didn't have the name Jesus until approximately 1AD when He came to dwell among us in the flesh.

Re: This is why I use...

[KGIII]

I think that's the trinity folk and not all Christians subscribe to that, as far as I know. There's God the Father, God the Sun, and God the Holy Ghost. They are one and the same divinity, the holy trinity, but different manifestations of that self.

At least that's how I understand it. I am not actually a Christian but I know some. I even spent some time studying with the Jehovah's Witnesses and, at one point, spent a goodly amount of time with a young lady who was a Mormon. For the record, no we did not have sex but we did sort of have a relationship - it's complicated. She's dead now. Ah well... She was good people.

Re: This is why I use...

[cerberusss]

There's God the Father, God the Sun, and God the Holy Ghost

So, it's basically, God, Ra, and God again? :-P

Re: This is why I use...

[stealth_finger]

There's God the Father, God the Sun, and God the Holy Ghost

So, it's basically, God, Ra, and God again? :-P

I dunno if he made a typo but Jesus is actually the Sun and may as well be Ra.

Re: This is why I use...

[danbob999]

That's right, no year 0. Jesus was born on year 1 BC. That's right, year one before himself. As he was born on December 25th and the year 1 started on January 1st.

Re: This is why I use...

[Some_Llama]

maybe 98% of "christians" don't know the bible from a hole in the ground. at least that is how it seems from the fruit that they bear. the majority of what people call "christians" (catholics) also worship graven images and the mother of jesus and believe that you need to confess your sins to a priest when jesus did away with the whole jewish mediator thing in the first place.

the whole point of the bible is that you can go and read it for yourself and find god for yourself.. you don't need anyone else, who is most likely blind anyway, to lead you.

Quick, someone make a website

[Solandri]

All you have to do is enter your PIN and it'll tell you how common it is.

Re:Quick, someone make a website

[MacTO]

Thankfully most people's account number is more random than their PIN.

Re: Somebody send this to the FBI,...

Imagine if they finally got Apple's help, and the PIN was 123456.

Always nice to see this again...

[aaarrrgggh]

I guess it has been over six months since it was last posted on /. but a dupe none the less...

Re:hey, if you type in your pw, it will show as st

[epyT-R]

Still funny today.

So why does the FBI want Apple to crack the iPhone

[charles05663]

From the article it seems that they have a pretty good chance of guessing the password in just a few attempt.

We all know the real reason...

Weird

Am I the only one who uses a random number generator to pick their pin numbers?
The banks I've dealt with also don't allow numbers like 1111 or 1234.

Re:Weird

[plover]

Back in the eighties, I was opening a bank account and the guy told me to pick a PIN. I pulled out my trusty Casio programmer's calculator, hit the random button 4 times, and wrote down the last digit of each.

So, no. You're not alone.

Re:Weird

[nbauman]

Back in the eighties, I was opening a bank account and the guy told me to pick a PIN. I pulled out my trusty Casio programmer's calculator, hit the random button 4 times, and wrote down the last digit of each.

I did something like that to get a random PIN, and the bank system rejected it because I had repeated the same digit twice in a row.

Re:Weird

[Tony+Isaac]

Sadly, you probably ARE the only one.

Re:Weird

[fbobraga]

I did something like that to get a random PIN, and the bank system rejected it because I had repeated the same digit twice in a row.

stupid password rules... There's tons if it everywhere!

Clarification

[wonkey_monkey]

and a hard diagonal line for the same digit repeated four times.

No - or at least not entirely. The hard diagonal line represents the same pair of digits repeated - 1010, 2424, 8585.

There are brighter spots on that diagonal line for each of the "same digit" combinations.

Re:So why does the FBI want Apple to crack the iPh

[MacTO]

If I recall correctly, the FBI wants Apple to disable the feature that disables or formats the device after too many incorrect attempts. Just because it is possible to crack 1 in 5 accounts after a handful of attempts doesn't mean that you will be able to crack a particular account in a handful of attempts (particularly if that person is paranoid).

The price of a cheese....

[Santas+L+Helper]

The price of a cheese pizza and large soda and panucci's pizza. $10.77.

Re:The price of a cheese....

[Quirkz]

That's handy, until your your password changes with inflation.

Re:The price of a cheese....

[Santas+L+Helper]

I'm guessing you missed the Futurama reference?

Re:The price of a cheese....

[Quirkz]

I've more or less missed Futurama, let alone any references. I never got past "It's not the Simpsons." (Speaking of, nice handle, by the way.)

Interesting

[jbmartin6]

Just a quick overview, but it appears the selection of PINs obeys Benford's Law

Is the least-password list outdated yet?

[davidwr]

I'm just wondering whether those "bottom 100" are still at the bottom.

On another topic, how many people use their /. ID number as their PIN? Go ahead, raise your hands, don't be shy.

No respect for Tommy Tutone

[antifoidulus]

I can't believe "5309" isn't in the top 10, don't people love Jenny anymore?

Re:No respect for Tommy Tutone

"The fouth most popular seven digit password is 8675309"

Bank security compromised?

[fremsley471]

El Reg a few years back had a story that in the nineties, one of the big four banks in the UK had its security team compromised. New cards had a PIN set from only one of three choices. That meant that anyone intercepting a card who knew the three could go haywire with the account. The customer wouldn't know and the bank couldn't explain it.

Could have been cock and bull, but it's a possible small source of non-randomness.

42069? What is it?

[rduke15]

FTA: "For five digit passwords, [...] All the usual suspects occur, but a new addition is the puerile addition in position #20 of the concatenation of 420 and 69."

Am I competely sutpid, or is there some cultural reference here, which I don't get? Why "42069"? Why is it puerile?

Re:42069? What is it?

[Frosty+Piss]

420 = weed.
69 is, well, 69.

You may continue to speculate...

Re:42069? What is it?

[rduke15]

Thanks. Yes, 69 was obvious, but not 420.

Re:42069? What is it?

[fbobraga]

depends of the context (420 was more obvious than 69, to me...)

Safe!

[rebelwarlock]

Ha! 1337 didn't even make the list!

Looks like it's 1234

[spiritplumber]

incredible! it's the same PIN as my luggage!

Re:hey, if you type in your pw, it will show as st

[KGIII]

I still have a hard time not laughing when I read the one about the robe and wizard hat in its entirety. I dunno? Maybe I really am a five year old.

Re:#10...

[KGIII]

Chantilly lace and a pretty face?

Err... Yes, yes I am old. Whatever gave you that idea? I know what you like... Fortunately, Ms. KGIII is still awake and my (bad) signing and attempts to sit-wiggle/sit-dance aren't awakening her.

factor in the importance of data being protected

[dwater]

I would be interested in seeing the results of an investigation into a similar study that also factors in the importance of what is *behind* the password.

I don't think I'm the only one who puts more effort into choosing a 'good' password for things that are of value. I choose really quite poor passwords for things I really don't care about - eg have no sensitive information behind the login. For things like cash point cards, and other things in front of my actual money, I attempt to use much better passwords.

I think there are many things of little or no value, while just a few of high value. I guess this might skew the numbers somewhat. It's probably quite difficult to factor in this aspect, but it makes me question the conclusions.

In Autstria

[rosencreuz]

That doesn't matter because you cannot change your PIN.

Re:hey, if you type in your pw, it will show as st

[U2xhc2hkb3QgU3Vja3M]

Care to share with the rest of us? Got a link?

Re:hey, if you type in your pw, it will show as st

[Muros]

It's all over the place on the web, this one has a few of his chat logs

Re:hey, if you type in your pw, it will show as st

[Quirkz]

I put a video game character named Hunter2 into one of my novels because of that piece.

Re:hey, if you type in your pw, it will show as st

[KGIII]

Muros' link is perfect. Note, it's important to read all of it. As the robe and wizard hat make multiple appearances. Two, to be exact. However, the whole thing is fantastic. I'm gonna read it again.

Re:hey, if you type in your pw, it will show as st

[KGIII]

That's perfection. I think that's the whole collection. I'm gonna read 'em again. I can't help it. I'm a five year old.

*holds up his hand with his fingers spread* I'm this many years old!

I must be 'cause that's funny as hell.

Security

[phorm]

The funny thing is that my desk phone at work requires a more secure password for f***ing voicemail than my bank account does. The work one needs to be changed every few months, and you can't re-use your previous passwords. My bank would be happy to accept 1-1-1-1 for perpetuity.