Why six digit PINs are no better for security than four digits (2024)

It has everything to do with psychology.

“Mathematically speaking, there is a huge difference, of course,” said Philipp Markert of the Horst Görtz Institute for IT Security at Ruhr-Universität Bochum (photo left). “However, users prefer certain combinations: some PINs are used more frequently, for example, 123456 and 654321.”


“It seems that users currently do not understand intuitively what it is that makes a six-digit PIN secure,” added colleague Markus Dürmuth.

In the study, subjects used Apple or Android devices, and set either four or six-digit PINs.

Since iOS 9, knowing that owners are prone to using certain weak numbers, Apple phones have included a blacklist to reject them automatically during the PIN setting process.

The team created or had access to several of these blacklists (see below) – including Apple’s four digit and six digit list, which was obtained by getting a computer to try all combinations on an iPhone.

As an aside, there were 274 numbers on the four digit iPhone list, and 2910 on the other. “Since users only have ten attempts to guess the PIN on the iPhone anyway, the blacklist does not make it any more secure,” said researcher Maximilian Golla of the Max Planck Institute for Security and Privacy in Bochum (photo right).

Android smartphones instead limit how quickly different codes can be tried in succession, according to the University. “In eleven hours, 100 number combinations can be tested,” said Markert. As attackers can try more Android PINs, a blacklist would make more sense on Android devices.

Back at the experiment, 1220 participants chose PINs, which, importantly to the results, were then attacked with 10, 30, or 100 attempts to mimic the way phones limit access.

As an attack on a random phone will succeed quicker if the most likely numbers are tried first, the researchers started their attacks using blacklisted numbers. “We guessed differently depending on the assigned treatment. If the participant was not allowed to select certain PINs, we also skipped those when guessing,” Markert told Electronics Weekly.

And it was this that revealed that six digit PINs are no better than four digit PINs.

So, mainly because manufacturers limit the number of PIN unlocking attempts, a prudently chosen four-digit PIN is secure enough.
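The guessing metric described above, as an added example (not code from the study or the article): it computes the share of users whose PIN falls within a fixed number of guesses, with and without an enforced blacklist. All counts are constructed, and the rule that users pushed off a blacklisted PIN re-choose in proportion to popularity is an assumption, so the output illustrates the calculation, not the study's findings.

```python
from fractions import Fraction

# Constructed sample of 1,000 hypothetical users. The five head PINs are the
# article's most common four-digit PINs; every count below is invented.
HEAD = {"1234": 40, "0000": 15, "2580": 10, "1111": 10, "5555": 5}
MID = {f"{n:04d}": 4 for n in range(3000, 3100)}    # 100 PINs, 4 users each
TAIL = {f"{n:04d}": 1 for n in range(7000, 7520)}   # 520 PINs, 1 user each
SAMPLE = {**HEAD, **MID, **TAIL}

def success_rate(counts, budget, blacklist=frozenset()):
    """Share of users whose PIN is hit within `budget` guesses.

    Guesses go in descending popularity and, as in the study, skip PINs
    that an enforced blacklist made impossible to select.
    Assumption: users pushed off a blacklisted PIN re-choose among the
    allowed PINs in proportion to those PINs' existing popularity.
    """
    allowed = {pin: c for pin, c in counts.items() if pin not in blacklist}
    total = sum(allowed.values())
    if total == 0 or budget <= 0:
        return Fraction(0)
    top = sorted(allowed.values(), reverse=True)[:budget]
    return Fraction(sum(top), total)

def compare(counts, blacklist, budgets=(10, 30, 100)):
    """Per guess budget: (rate without blacklist, rate with enforced blacklist)."""
    return {b: (success_rate(counts, b), success_rate(counts, b, blacklist))
            for b in budgets}

if __name__ == "__main__":
    # Budgets mirror the study's 10, 30 and 100 attempts.
    for budget, (plain, enforced) in compare(SAMPLE, set(HEAD)).items():
        print(f"{budget:>3} guesses: no blacklist {float(plain):.1%}, "
              f"blacklist enforced {float(enforced):.1%}")
```
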

By the way, the most common four-digit PINs according to the study are: 1234, 0000, 2580, 1111 and 5555 (scroll down for a longer list) – 2580 is there because it is a vertical column on a numeric keypad.

Deeper analysis indicated that the ideal blacklist for four-digit PINs would have to contain ~1,000 entries and differ slightly from the one deduced for Apple.

To further examine Apple’s blacklist technique, and its option for users to choose a blacklisted number after a warning, some of the test participants who had entered a PIN from the blacklist were allowed to choose whether or not to enter a new PIN after the warning, while others were compelled to set a new PIN that was not on the list.

On average, the PINs of both groups were equally difficult to guess.

Blacklists

The work will be presented as ‘This PIN can be easily guessed’ at the IEEE Symposium on Security and Privacy in San Francisco in May 2020. This paper details the experimental blacklists, and draws conclusions on how blacklists might be improved.

One last bit of information was provided by the team: four and six-digit PINs are less secure than passwords, but more secure than pattern locks.

Ruhr-Universität Bochum and the Max Planck Institute for Security and Privacy worked with George Washington University.

The most common PINs

Four digit    Six digit
1234          123456
0000          654321
2580          111111
1111          000000
5555          123123
5683          666666
0852          121212
2222          112233
1212          789456
1998          159753

Photo credit:
Horst Görtz Institute for IT Security at Ruhr-Universität Bochum
Max Planck Institute for Security and Privacy in Bochum

Author: Carlyn Walter
