
PIN number analysis (2012) - worez
http://www.datagenetics.com/blog/september32012/
======
taneq
> … it’s staggering how popular this password appears to be. Utterly
> staggering at the lack of imagination …

It's also staggering how often a system requires a passcode but the operators
of the system don't want to use one, or the system needs to be provided with a
known passcode so the client can log into it for the first time.

Often, also, passcodes serve as courtesy locks, where the intention isn't to
make it impossible to gain access (far from it, often on industrial systems
you might need night shift to be able to get in and change settings in an
emergency) but to signal to an operator that they're entering an area of the
program where they shouldn't touch anything without explicit instructions.

In either of these cases, an easily guessable (I'd go so far as to say
'standard') PIN strikes the right balance between no security at all, and
actually keeping out people who might need access.

------
sdinsn
> All the usual suspects occur, but a new addition is the puerile addition in
> position #20 of the concatenation of 420 and 69.

Neat

------
jamies888888
It's just a PIN; see
[https://en.wikipedia.org/wiki/RAS_syndrome](https://en.wikipedia.org/wiki/RAS_syndrome)

------
ikeboy
Given that these are pulled from breaches, it's very likely these are from
fake accounts that used a simple password to create many accounts using bots.

Would be interesting to look at the email addresses associated and see if you
can see a pattern and maybe filter those out.

------
slavik81
Aside from the top two passwords (~17%), the distribution is not so bad. The
next five passwords are only 5% of the distribution, which is much more
reasonable. With 10^4 possible combinations, these obviously weren't designed
to prevent a brute-force attack on their own. For example, with bank accounts
the bank card provides a second factor and access attempts are monitored.

There's also little point in hashing a 4-digit PIN. If the PINs were perfectly
distributed, it would only take an average of 5,000 guesses to find the
original PIN given the hash. Of course, this analysis has shown that they're
anything but perfectly distributed; a quarter of them would take less than 20
tries.

~~~
nine_k
AFAICT, brute-forcing of short PINs is usually prevented by locking up after a
few failed attempts.

E.g. with a phone SIM card's PIN, you theoretically have the laughable space
of 10000 variants, but you only get to try 9 times, the 10th should either be
correct, or the SIM card stops working. This gives you about 1% chance of
guessing right. With trying the common PINs first, likely maybe 10% chance.
Still makes an attempt to break in impractical in very many cases.
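
The two comments above are the whole argument in miniature: the cost of recovering a 4-digit PIN from an unsalted hash is bounded by the size of the space (10^4, so ~5,000 guesses on average if PINs were uniform), while a lockout after k failed attempts bounds an online guesser to the combined frequency of the top k PINs. The script below, added here and not part of the thread or of the original article, turns both points into numbers over a constructed toy frequency table; the head counts in SKEWED_HEAD are invented for illustration and are not the article's data. The same functions can be run over a real PIN-frequency export (a "pin,count" table) to answer "how many accounts does a k-attempt lockout actually protect?"

```python
from collections import Counter
from typing import Dict, Iterable, List

PIN_SPACE = 10_000  # every 4-digit PIN, 0000..9999

# Constructed toy distribution (NOT the article's dataset): a handful of
# heavy hitters, with every other PIN appearing once in the tail.
SKEWED_HEAD = {"1234": 1000, "1111": 500, "0000": 300, "1212": 200, "7777": 100}


def uniform_counts() -> Dict[str, int]:
    """Best case the commenters contrast against: every PIN equally likely."""
    return {f"{n:04d}": 1 for n in range(PIN_SPACE)}


def skewed_counts(head: Dict[str, int], tail_each: int = 1) -> Dict[str, int]:
    """Flat tail over the whole space, overridden by the given head counts."""
    counts = {pin: tail_each for pin in uniform_counts()}
    counts.update(head)
    return counts


def counts_from_observations(pins: Iterable[str]) -> Dict[str, int]:
    """Build a frequency table from raw PIN observations (e.g. an audit export)."""
    return dict(Counter(pins))


def guess_order(counts: Dict[str, int]) -> List[str]:
    """Most-frequent-first order; ties broken by PIN value for determinism."""
    return sorted(counts, key=lambda pin: (-counts[pin], pin))


def success_within(counts: Dict[str, int], attempts: int) -> float:
    """Fraction of accounts whose PIN falls in the first `attempts` guesses.

    This is exactly what a lockout after `attempts` failures leaves exposed.
    """
    total = sum(counts.values())
    top = guess_order(counts)[:attempts]
    return sum(counts[p] for p in top) / total


def expected_guesses(counts: Dict[str, int]) -> float:
    """Mean number of guesses to hit the right PIN in frequency order.

    Integer arithmetic first, one division at the end, so the uniform case
    comes out as exactly 5000.5.
    """
    total = sum(counts.values())
    weighted = sum(rank * counts[p]
                   for rank, p in enumerate(guess_order(counts), start=1))
    return weighted / total


def guesses_to_cover(counts: Dict[str, int], fraction: float) -> int:
    """Smallest number of guesses that covers `fraction` of all accounts."""
    total = sum(counts.values())
    running = 0
    for rank, p in enumerate(guess_order(counts), start=1):
        running += counts[p]
        if running >= fraction * total:
            return rank
    return len(counts)


if __name__ == "__main__":
    for name, dist in (("uniform", uniform_counts()),
                       ("skewed (constructed)", skewed_counts(SKEWED_HEAD))):
        print(f"{name}:")
        print(f"  expected guesses from an unsalted hash: {expected_guesses(dist):.1f}")
        for k in (3, 10):
            print(f"  exposed by a {k}-attempt lockout: {success_within(dist, k):.2%}")
        print(f"  guesses to cover 25% of accounts: {guesses_to_cover(dist, 0.25)}")
```

With the uniform table, a 10-attempt lockout leaves 0.1% of accounts exposed and the hash costs 5,000.5 guesses on average; with the constructed skew, the same lockout exposes an order of magnitude more, which is the "1% vs maybe 10%" contrast nine_k describes. The practical takeaway for a defender is that the lockout threshold and a deny-list of the most common PINs are what carry the security, not the hashing.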

------
nodesocket
Reminds me of Spaceballs.

"The combination is 1...2...3...4...5..."

"That's the stupidest combination I ever heard in my life... That's the kind
of thing an idiot would have on his luggage."

~~~
cdoxsey
> And so the “secret unlock code” during the height of the nuclear crises of
> the Cold War remained constant at 00000000.

[http://www.globalzero.org/files/bb_keeping_presidents_in_the...](http://www.globalzero.org/files/bb_keeping_presidents_in_the_nuclear_dark_-_episode_2_the_siop_option_that_wasnt_april_may_02.17.2004.pdf)

------
emilfihlman
>I’m not going to sell, donate or release the source data – don’t ask!

This is absolutely stupid. You can reverse the dataset almost completely from
the provided data (images and fixed points).

FFS it's only a two column spreadsheet with columns "pin" and
"count"/"frequency". It has no additional security implications after the
release of this article.

------
dyu
If you are interested in this sort of analysis, I recommend reading into works
by Joseph Bonneau:
[http://jbonneau.com/publications.html](http://jbonneau.com/publications.html)

------
lixtra
> Hackers can read too! They will also be promoting 8068 up their attempt
> trees in order to catch people who read this (or similar) articles.

Only if they know you’re a geek. The above fact won’t reach John Doe and
influence his PIN choice.

~~~
executesorder66
I mean, pretty much everyone has added "correct horse battery staple" to their
password lists. It's just one more attempt.

------
hw
I'm surprised that 1004 is that high up. I doubt it merely has to do with the
Korean significance, unless the data source is heavily skewed towards PIN
usage by Koreans.

------
foota
Interesting that more aren't year based.

------
paulpauper
there's a story that one way Feynman could break locks was by guessing 2718
and 3141

------
shawabawa3
I'm surprised 8086 is the least common PIN, as it's significant in
computing[1]. Maybe the dataset just didn't have many programmers in it

[1] https://en.wikipedia.org/wiki/X86

~~~
mpclark
Look closer - it's 8068

------
joekrill
Don't some banks allow 6 digit PINs?

------
nerdwaller
I’m surprised to not see 2580 in the top 20, given that’s straight down the
center and all unique items.

~~~
Someone
It’s at #22 (directly after the table with the top 20: _”The first “puzzling”
password I encountered was 2580 in position #22”_ )

~~~
irl_zebra
How do you mean puzzling? 2580 is straight down the middle on a normal pin
pad. :)

~~~
corobo
That's why it's in text-air-quotes "puzzling" as in "it might appear puzzling
but it's not really"

------
Markoff
That last XKCD is completely useless since many services require upper
and lower case letters, a digit and a symbol.

------
just_observing
It's a PIN

It's not a PIN number

You can't have a Personal Identification Number Number

I get that it's what people say, but that doesn't make it right.

/rant

~~~
DanAndersen
"PIN number" is just a shorthand for "number that is a PIN." Never understood
the pedantry on this one; when spoken (a lossy channel of communication),
"PIN" is similar enough to "pin" and "pen" and "pan" that people have found
the need to further disambiguate to be understood.

~~~
labster
If I had a nickel for every time a pedant complained to me about "PIN
numbers", I'd be going to the ATM machine right now.

~~~
sundvor
I see what you did there. :)

The Department of Redundancy Department are hiring.

~~~
jpatokal
You mean "this message has been brought to you by the Department of Redundancy
Department, which has brought you this message", you mean.

------
hyperpallium
PIN identification number

~~~
nabla9
GNU's Not Unix

~~~
pc86
> GIN is a recursive acronym for "GNU Identification Number," and...

------
mrmondo
Am I the only one that gets annoyed by the use of 'PIN Number' which is
'Personal Identification Number Number'? It annoys the !@#%$ out of me!

~~~
wes-k
This is why I say things like “AT machine”, or in this case, “enter your PI
number”.

~~~
Stratoscope
And then no one knows what you are talking about.

~~~
creeble
I think his tongue is within cheek.

------
jwilk
(2012)

~~~
dang
Added. Thanks!

------
f2f
Was the analysis performed at the Department of Redundancy dept?

------
mrweasel
This is completely avoidable, you simply don't allow people to pick their own
PIN. Banks don't allow you to pick your credit/debit card PIN, and I would
assume that this is precisely one of the reasons why.

~~~
samat
Not true. Most banks in the EU allow you to change your PIN at the ATM.

~~~
mrweasel
None of the banks I used in Denmark has allowed that.

~~~
jsjohnst
Have you asked? Many US banks auto generate you one, but almost all of them
let you change it.

