95 comments

[ 2.1 ms ] story [ 173 ms ] thread
I think the least common PIN codes are fascinating. I'm surprised by the number of 7s in these. They looks like numbers you would end up with if you asked someone to think of a random 4 digit number.

List transcribed by ChatGPT: 8557, 8438, 9539, 7063, 6827, 0859, 6793, 0738, 6835, 8093, 9047, 0439, 8196, 6693, 7394, 9480, 8398, 7637, 9629, 8068.

During tax season (in US), for security, you may optionally create a 5 digit pin. I wanted mine to be unaffiliated with any existing pin I have, and chose a 'random' number and wrote it down. A year later I repeated this (and had long since forgotten the previous pin), went to go write it in the same place, and saw that both 'random' numbers had the same first four digits. I now use a computer to choose random numbers because I no longer trust myself to be random.
I thought the self selected PIN for filing a return was required for online filing, and that it was just an indicator of intent, like a signature.

Does it serve a security function? Am I supposed to remember what it is?

I know the IRS does have an identity protection PIN process, but that's separate.

I know about the identity protection PIN, so I've been assuming this whole time that's what I was choosing a number for. It is possible I was just doing the self selected PIN and wasn't aware that I should be doing something additional for other one. FWIW I haven't needed the PIN later but saved them in case I did.
(comment deleted)
not a single least common pin contains all prime number which is interesting
I think the venn diagram of “people who find primes interesting” and “people who understand password security” is pretty close to a circle.
3,5,7 line up on the diagonal, leaving 2 as the only other prime. So people using physical patters are likely to choose them. Not to mention any mathematically inclined person may also choose all primes.
Quick, we should all use the least common pin numbers.

I switched my passwords to correct-horse-battery-staple and now I'm super secure.

I'm using correct-horce-battery-staple to fool those pesky kids with dictionaries.
l337 converter gives: c0rr3c7-h0r53-b4773ry-574pl3.
Veritasium says 37 is the most frequently-encountered number people pick between 1 and 100. I guess people subconsciously just want to be 1337.

https://youtu.be/U6fxkOL83V4

most frequently-encountered RANDOM number people pick
I changed mine to Hunter2. LOL at least it HN strips out your password when you type it in a comment.
Previous discussion:

Most to least common 4-digit PIN numbers from an analysis of 3.4M - https://news.ycombinator.com/item?id=40306374 - (56 points, 18 comments, 5 days ago)

Thanks! Macroexpanded:

Most to least common 4-digit PIN numbers from an analysis of 3.4M - https://news.ycombinator.com/item?id=40306374 - May 2024 (19 comments)

Statistical Analysis of PIN Numbers (2012) - https://news.ycombinator.com/item?id=11365962 - March 2016 (1 comment)

The 20 most common PIN numbers - https://news.ycombinator.com/item?id=11230045 - March 2016 (1 comment)

PIN analysis (2012) - https://news.ycombinator.com/item?id=11228319 - March 2016 (1 comment)

Analysis of bank PIN numbers - https://news.ycombinator.com/item?id=4535417 - Sept 2012 (111 comments)

(https://news.ycombinator.com/item?id=40306374 didn't get any frontpage time so we won't treat current post as a dupe)

Glad to know my choice of code is relatively unused I guess
Looks like my PIN code, 4968, is pretty secure. I recommend using that one if you aren't already.
(comment deleted)
What is your pin code? All I see is ****.
(comment deleted)
Seeing my pin as one of the least common ... guess I need to change my pin because they're about to be some of the most common...
I've change my PIN codes to use the least used ones now. Nobody can guess them so I am very secure.
If we start picking the least popular pin codes they'll stop being the least popular. What a tragedy
Funny/stupid anecdote: a bunch of my kids' friends have the same phone unlock PIN as me because I set my son's new phone PIN the same as mine so he would also be able to unlock my phone if necessary.

When his friends started getting phones as well, they copied his. This has migrated through some of the friends' siblings as well.

One of my kids friends uses the same pin as I had when he was a kid. I would give him and my kid my debit card and they would go get pizza if they cleaned my office.
(comment deleted)
Not that many futurama fans in those data breaches ...
1077
> Anderson: "So. What do I owe you?"

> Fry: "10.77. Same as my PIN number."

So many silly scenes like this. I want to re-watch Futurama because last time I watched it was as a teenager, so I'm sure I missed many of subtle jokes.

Whenever I'm asked for a 4 digit PIN: `echo $[RANDOM%10000]`
You should probably use SRANDOM; less bias from the modulo (32 bits instead of 15) and uses arc4random or /dev/urandom if available.
I'll remember to prioritise 0000 to 2767 for your PINs, then.
Just so you can see the bias to early numbers in the distribution:

    for i in $(seq 1000000); do
        echo $[RANDOM%10000]; 
    done | sort -n | uniq -c | sort -rn | gnuplot -e "set terminal dumb; set xtics 1000; plot '< cat' using 0:1 with boxes"
I think this gnuplot command makes the bias much more obvious (and even better with -persist and "set terminal x11"): gnuplot -e "set terminal dumb; set xtics 100; plot '<cat'"

Compare to the version that discards values over 3e4:

  for i in $(seq 1000000); do x=$((RANDOM)); while test $x -gt 30000;do x=$((RANDOM)); done; echo $((x%10000));      done |sort|uniq -c |sort -rn |gnuplot -e "set terminal dumb; set xtics 100; plot '<cat'"
Or the version that uses the 32-bit SRANDOM, which reduces the bias by a factor of 2**17:

  for i in $(seq 1000000); do         echo $((SRANDOM%10000));      done | sort -n | uniq -c | sort -rn |gnuplot -e "set terminal dumb; set xtics 100; plot '<cat'"
Just needs an 'enter your PIN code to see how common it is!'.
1234!? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!
1-2-3-4, that's amazing, I have the same combination on my luggage!
(sigh) 1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!
(comment deleted)
I have a pin lock on a shared device, that friends use occassionally. Of the three friends I have given guest access to, all three asked for their pin to be 1234, to which I said no. One had the audacity to follow up with 123456
Thank you so much. This is the comment I was hoping for in this thread.
For serious though - one reason such utterly trivial codes are common are because the "lock" is just use as a fancy way of preventing the zipper from coming undone.

Likewise, on the internet, a lot of things prompt for passwords that really don't need them. People create throwaway accounts and use them as if they were temporary anonymous sessions.

Trust me, for the luggage this is a brilliant combination. Or something like 0000. Unless I work for a 3-letter institute, I leave all luggage to their default or the usual. If someone steals a luggage, that PIN is least of the problem but everyone else in the household will if you forgot your super-smart PIN.

Edit: The joke hit me a tad late. ;-)

I like that '1701' is lite up brightly in there... Please excuse me while I go and change my PIN.
I was disappointed that my typical PIN for low security things like the snack storage closet at work, 2112, isn't there. I figured there would be more Rush fans than there are I guess.
(comment deleted)
If this site did have a field where you could enter a pin to see how common it was, you could make a really targeted phishing attack by sending the link to someone whose pin you want to know, then looking at what they click on or enter ("I'll just see how good my pin is...")
TIL brute-forcing from 0000 to 9999 is a decent strategy.
In (game) Rust, the players can use 4 digit keylocks to secure their bases and brute forcing is indeed a strategy. The lock zaps and eventually kills you but even with that, a determined player can eventually get in.
61 pins are used by 1/3rd of all people. So statistically, if I steal 61 debit cards, assuming I have 3 tries, and assuming people choose their own pin, I should be able to get cash off one in expectation.
Honestly that sounds sufficiently secure for what it is.
18% of people use the top 3 pins, so you would need 6 cards to expect to get 1. 56 cards would give you an expectation of 10.