"PIN number" is just a shorthand for "number that is a PIN." Never understood the pedantry on this one; when spoken (a lossy channel of communication), "PIN" is similar enough to "pin" and "pen" and "pan" that people have found the need to further disambiguate to be understood.
>"PIN number" is just a shorthand for "number that is a PIN."
No it's not. "What is your debit PIN number" is not short for "what is your debit number that is a pin".
Nearly everyone that gets called out for it isn't really thinking about what PIN stands for and they certainly don't lamely defend it with this disambiguation excuse. The context in which people ask for someone's PIN essentially never has any accidental swap with "pen" or "pan".
"Type your pan on the keypad."
"Choose a 4-digit pen."
Please, English is bad enough, don't bury it with more bullshit.
While annoying to me as well (the title of this post almost seems like it was intended to invite this argument), I think it can be reconciled with by treating it as [proper noun] [noun].
As in, "PIN" is a name – not a macro that is supposed to expand to the decompressed phrase – and "number" is the kind. The name disambiguates it from others of the same kind, and the kind sometimes helps to disambiguate the name:
"Enter your number" vs. "Enter your pin" vs. "Enter your pin number"
"Go there and talk to the guy named Bob" vs. "Go there and talk to Bob"
> … it’s staggering how popular this password appears to be. Utterly staggering at the lack of imagination …
It's also staggering how often a system requires a passcode but the operator's of the system don't want to use one, or the system needs to be provided with a known passcode so the client can log into it for the first time.
Often, also, passcodes serve as courtesy locks, where the intention isn't to make it impossible to gain access (far from it, often on industrial systems you might need night shift to be able to get in and change settings in an emergency) but to signal to an operator that they're entering an area of the program where they shouldn't touch anything without explicit instructions.
In either of these cases, an easily guessable (I'd go so far as to say 'standard') PIN strikes the right balance between no security at all, and actually keeping out people who might need access.
This is completely avoidable, you simply don't allow people to pick their own PIN. Banks don't allow you to pick your credit/debit card PIN, and I would assume that this is precisely one of the reasons why.
I do this too, with the result that I constantly forget my credit card PIN. It's extremely annoying but I don't really want to change it either for the reasons in the article.
i used the first number that the bank generated for me and i'm changing all the pins to be the same. it's better than picking 1234, but not the safest option. but again, i'm lazy...
in my defence, i'm using 2 pins, one for all debit cards, one for all credit cards.
Indeed I've only got 2 pins across all cards. My reasoning is if I'm half asleep and put the wrong pin in once I can just use the other. If I had more than one I might mess up 3 times and my card is swallowed by the machine and I have to get a new one sent out
This is mainly a recent change, as with contactless I rarely have to use the PIN
A compromise could be variations of the main pin, like replacing one digit with one from the card number. Since the only real attack on pins is a combined peek-then-rob attack, a variation like that should be enough to avoid damage spillover to the unpeeked cards.
If one wanted to go all geek, one could of course do some mental hashing, e.g. by using the digits of the primary pin as indices into the string of digits prominently printed on the secondary card.
Pins are a bit of a safe playground for schemes like that, because the schemes are never significantly more unsafe than the best four-digit number.
All banks in India post your card by mail to you & send a one-time use PIN as SMS on your registered mobile number. To activate card after you receive, you have to use bank's own network ATM, insert card & type that SMS PIN & then create a new PIN.
Some banks enforce to change this PIN yearly on date Card was issued, & some others enforce that you can not use 3+ repetitive digits and/or your last N PINs, n being most commonly 10.
I'm surprised that 1004 is that high up. I doubt it merely has to do with the Korean significance, unless the data source is heavily skewed towards PIN usage by Koreans.
Aside from the top two passwords (~17%), the distribution is not so bad. The next five passwords are only 5% of the distribution, which is much more reasonable. With 10^4 possible combinations, these obviously weren't designed to prevent a brute-force attack on their own. For example, with bank accounts the bank card provides a second factor and access attempts are monitored.
There's also little point in hashing a 4-digit PIN. If the PINs were perfectly distributed, it would only take an average of 5,000 guesses to find the original PIN given the hash. Of course, this analysis has shown that they're anything but perfectly distributed; a quarter of them would take less than 20 tries.
AFAICT, brute-forcing of short PINs is usually prevented by locking up after a few failed attempts.
E.g. with a phone SIM card's PIN, you theoretically have the laughable space of 10000 variants, but you only get to try 9 times, the 10th should either be correct, or the SIM card stops working. This gives you about 1% chance of guessing right. With trying the common PINs first, likely maybe 10% chance. Still makes an attempt to break in impractical in very many cases.
Given that these are pulled from breaches, it's very likely these are from fake accounts that used a simple password to create many accounts using bots.
Would be interesting to look at the email addresses associated and see if you can see a pattern and maybe filter those out.
>I’m not going to sell, donate or release the source data – don’t ask!
This is absolutely stupid. You can reverse the dataset almost completely from the provided data (images and fixed points).
FFS it's only a two column spreadsheet with columns "pin" and "count"/"frequency". It has no additional security implications after the release of this article.
73 comments
[ 2.4 ms ] story [ 132 ms ] threadIt's not a PIN number
You can't have a Personal Identification Number Number
I get that it's what people say, but that doesn't make it right.
/rant
The Department of Redundancy Department are hiring.
No it's not. "What is your debit PIN number" is not short for "what is your debit number that is a pin".
Nearly everyone that gets called out for it isn't really thinking about what PIN stands for and they certainly don't lamely defend it with this disambiguation excuse. The context in which people ask for someone's PIN essentially never has any accidental swap with "pen" or "pan".
"Type your pan on the keypad."
"Choose a 4-digit pen."
Please, English is bad enough, don't bury it with more bullshit.
[1] https://en.wikipedia.org/wiki/RAS_syndrome
As in, "PIN" is a name – not a macro that is supposed to expand to the decompressed phrase – and "number" is the kind. The name disambiguates it from others of the same kind, and the kind sometimes helps to disambiguate the name:
"Enter your number" vs. "Enter your pin" vs. "Enter your pin number"
"Go there and talk to the guy named Bob" vs. "Go there and talk to Bob"
Neat
It's also staggering how often a system requires a passcode but the operator's of the system don't want to use one, or the system needs to be provided with a known passcode so the client can log into it for the first time.
Often, also, passcodes serve as courtesy locks, where the intention isn't to make it impossible to gain access (far from it, often on industrial systems you might need night shift to be able to get in and change settings in an emergency) but to signal to an operator that they're entering an area of the program where they shouldn't touch anything without explicit instructions.
In either of these cases, an easily guessable (I'd go so far as to say 'standard') PIN strikes the right balance between no security at all, and actually keeping out people who might need access.
in my defence, i'm using 2 pins, one for all debit cards, one for all credit cards.
This is mainly a recent change, as with contactless I rarely have to use the PIN
If one wanted to go all geek, one could of course do some mental hashing, e.g. by using the digits of the primary pin as indices into the string of digits prominently printed on the secondary card.
Pins are a bit of a safe playground for schemes like that, because the schemes are never significantly more unsafe than the best four-digit number.
Some banks enforce to change this PIN yearly on date Card was issued, & some others enforce that you can not use 3+ repetitive digits and/or your last N PINs, n being most commonly 10.
Only if they know you’re a geek. The above fact won’t reach John Doe and influence his PIN choice.
"The combination is 1...2...3...4...5..."
"That's the stupidest combination I ever heard in my life... That's the kind of thing an idiot would have on his luggage."
http://www.globalzero.org/files/bb_keeping_presidents_in_the...
There's also little point in hashing a 4-digit PIN. If the PINs were perfectly distributed, it would only take an average of 5,000 guesses to find the original PIN given the hash. Of course, this analysis has shown that they're anything but perfectly distributed; a quarter of them would take less than 20 tries.
E.g. with a phone SIM card's PIN, you theoretically have the laughable space of 10000 variants, but you only get to try 9 times, the 10th should either be correct, or the SIM card stops working. This gives you about 1% chance of guessing right. With trying the common PINs first, likely maybe 10% chance. Still makes an attempt to break in impractical in very many cases.
Ftfy
Would be interesting to look at the email addresses associated and see if you can see a pattern and maybe filter those out.
This is absolutely stupid. You can reverse the dataset almost completely from the provided data (images and fixed points).
FFS it's only a two column spreadsheet with columns "pin" and "count"/"frequency". It has no additional security implications after the release of this article.