139 comments

[ 2.6 ms ] story [ 206 ms ] thread
I mixed it up though and did 4-3-2-1
the 18th most popular code, good choice
Could be! We just need to know the median number of tries a system allows before locking you out.
An assailant who doesn’t have access to this dataset may assume 4321 is more common than 18th, as I would’ve, and try it sooner. Not a great choice in that case.
This is the same combination I have on my luggage.
My luggage is more secure, it has a 5 at the end.
Then it isn't a personal identification number. We should call them PANs, or Personal Authentication Number.

If you'll excuse me, I need to go fight some windmills.

It identifies your authentication number ;)
So a Personal Authentication Identification Number?

I like that.

P43r, a space-included numeronym[0] pronounced like Paer?

Or just the straight acronym of PAIN?

0. https://en.wikipedia.org/wiki/Numeronym

  printf "\n%s\t%s\n\n" $(uname) $SHELL; wrd="$(pbpaste | tr -d '\n')"; printf "%s%s%s\n" "$(echo "$wrd" | sed 's;^\(.\).*$;\1;')" "$(expr $(pbpaste | wc -m | tr -d ' ') - 2)" "$(echo "$wrd" | sed 's;^.*\(.\)$;\1;')"
  
  Darwin /bin/zsh
  
  P43r
So can we call it a 'PAN number'?
Only if we use it to access the ATM machine.
If you want to be pedantic, it really isn't a number at all, it's a string of digits. A lot of "serial numbers" and "material part numbers" are not only not numbers, they're not even all digits.
If we're being pedantic then they ARE numbers, even the ones with letters. They're just not in base10.
Yeh, until your coworker thinks that he should be storing the phone numbers as an int in the database, and the ones in the Pacific northwest keep getting truncated (but only if they include the leading 1).

Numbers might be represented by numerals, but that doesn't mean every string of numerals is a number. If you need to know the difference, ask yourself if you'd ever do math with it, (add to it, subtract from it) if only principle.

Ugh, for anyone reading this, please store your phone numbers as E164. There is no need to re-invent the wheel.
number (noun):

- a figure or group of figures used to identify someone or something (Oxford dictionary)

- a numeral or combination of numerals or other symbols used to identify or designate (Merriam Webster's dictionary)

The pin isn't the security, your physical card is. Pins are usernames, cards are passwords.
I think that’s exactly opposite. The card is the unique identifier assigned by the bank. We could all share the same PIN.
>The card is the unique identifier assigned by the bank.

The account number is the unique identifier assigned by the bank. Your card is the physical "key" (password) to said account, and the PIN is your self chosen identifier (username).

Think of it this way: I can tell you my pin number and my bank account number all day long, it doesn't matter if you don't have my card. But if you had my card, you'd have a reasonable shot at guessing the PIN and gaining access. The card is the password.

The card is a physical representation of your account number, readable with a magstripe scanner. It's analogous to a username written on a scrap of paper.

Despite the misnomer, a PIN can't really be an identifier if you and I have the same one.

>Despite the misnomer, a PIN can't really be an identifier if you and I have the same one.

Sure it can, the namespace is just within your account.

I am logging into account X (account number) as Person Y (PIN) with authorization Z (card)

Except my wife and I can both have the same PIN, so it's still not a unique identifier.

A PIN is a password, not a username.

Person Y and Person Z on account X could use the same PIN with different cards. A PIN is not an identifier.
> The card is a physical representation of your account number, readable with a magstripe scanner.

Which is no longer true for EMV cards, though. There, the chip contains some additional data which cannot be easily copied and which helps identify the card as a bona fide real card issued by a bank.

https://www.emv-connection.com/contact-chip-card-online-auth... (there's also some alternative authentication method that would work offline, i.e. just between the card and the payment terminal)

True, but for analogy purposes, it still maps back to a specific account somewhere.
Still doesn't make the PIN the username. You can have two passwords. The PIN is closer to the MFA code.

Or more like PIN is that password, and the card is the token.

My bank has more than 10k customers, despite four digit PINs.
A more sensible way to break it down is by "something you have" (phone or YubiKey), "something you know" (password) and "something you are" (face or fingerprint).

Username and password are both something you know, so they count as just one factor. A card on the other hand is something you have, so combined with the PIN that's two factors.

Beautiful visualisation - I just wish I could hover over the grid and see which PIN my cursor is pointing at.
It's nice but also flawed because you can't easily see if the first two digits are the same. Or the last two digits.
yeah, i too feel limited by our 3 spatial dimensions
It was so frustrating when I was studying mathematics, I feel like just one more dimension would make understanding lots of concepts much easier; for me there is simply not enough points to extrapolate from: 0D is the degenerate case, 1D is trivial, so only two, 2D and 3D, are left to play with. %(
color, fill, texture, shape - that gets you up to 7
doesn't work, those dimensions aren't bijections to the reals
It's up to the designer to deal with any physical limitations.

They could have added grid-lines to reveal this information, for example.

By counting grid points it looks like codes in the form 0[1-9][32-99] are the least common with a few exceptions (like 0990 or 0987).

I suspect this is leading zero bias: a leading zero is not meaningful mathematically and we tend to drop it. The exceptions are dates. The day first block doesn't extend vertically into an unused area but the month first one drops off a cliff around 32 because no month has 32 days.

Kind of like GitHub's contribution graph? Which is an awesome little piece of design.
The other problem is that people use the same PIN on their smartphones and debit cards, for example, because who can remember multiple PINs?

We've replaced password sharing with PIN sharing.

You made me wonder what my smartphone PIN actually is and now I can only access the device with the fingerprint reader. Usually my hands know what PIN to use, but apparently not when the brain gets involved. Guess I have to wait until I forget that I don't know that PIN.
My two bank apps require a pin for “fast access” rather than a password, it drives me crazy. I have a PW manager, let me use a safe password!
It is probably still almost 10%, but we seem to imply that "frequency of a pin within the set of all 4 digit pins" is frequency of the pin amongst the population, but that means we're not counting people who, e.g., use 6 digit pins.

(Or I suppose that just reinforces the point: most people are setting first 2 digits of the 6 digit pin to "00", essentially, although now I wonder if a phone accepts 001234 and 1234 as equivalent. Is it a string, or an int? I'd presume the former…)

popular ones must be better - otherwise why would they be popular?
Nice to see 1-2-1-2 listed, the PIN of soundcheck guys everywhere.
I had an Italian sound engineer pal and a Czech one too...
An observation about 4 digit PIN's. They're even weaker than you might think just from "doing the math" at least in some cases. Sure, there's 10000 combinations to search through if you're trying to brute force one, but I'd bet money that in most cases you don't need to search anywhere near that many.

Case in point: I had a unit at a mini-storage place once. And you needed a 4 digit PIN to get through the gate. And I forgot the PIN I used. I was sitting at the gate for a minute, staring at the keypad and realized "wait... hundreds of people have PINs in this system and the system doesn't care which one you use". So I just needed a PIN that somebody used. So I started with years that would have been reasonable birth years for an average adult at that time and starting going up. I think it took about 6 tries to find a valid PIN.

Now granted, this is different than trying to brute force a specific person's PIN. But even then, I expect that in many cases an informed search will crack it a lot faster than a purely sequential search or a random search. Using common birth years, well known numbers like "5150", "1234", "4321", etc. is probably going to work a lot of times.

What is "5150" well known for?
I had the same question. It is the title of a Van Halen record album, also a section of the California legal code related to mental health, according to a simple search.
It's apparently the California law section number for restraining a mentally unwell person or something, so has law enforcement and slang usage, and there's a 1986 chart-topping song named after it. (I'd never heard of it either, but I'm not Californian.)
One of the best Van Halen albums?
And Eddie’s amp model, the Peavey 5150. It’s become the de-facto standard for the more extreme metal bands.

When Eddie took the rights with him to Fender and they made the EVH 5150 (another fantastic amp), Peavey renamed this line to the 6505 series, so there you have another four-digit code to use.

Well the 5150 was Eddie’s Studio Postal Code, but if we are going down this road :-) I would like to point out at some point in time they run out of Sylvania 6L6 Power Tubes... then Peavey started with Chinese Ruby 6L6 Power Tubes for the EVH5150 and they dont sound the same...
Its the famous law for involuntary mental lockup in California, then referenced a lot in pop culture, probably most notably with a Van Halen album named after it. Its used in a lot of jokes, but also oppressively. I think we've seen some divorce court releases and such on how to "5150 my wife," how cops abuse it, etc.
Around these parts, we call it an "M1 hold"

M1 is - I think - the form they have to fill out to put you on a temporary hold.

As a Van Halen fan, I think of it because of the album titled "5150". But it has other well known uses as well.
Color me a bit sad to not see 2112 make the list.
Based on the legal code, around here it's slang for "crazy".

Poster: "I was ripping my dirt bike out in the snow and got pulled over!"

Commenter 1: "What for?"

Commenter 2: "5150."

Barcroft Station in California (elevation 3800 m) has house number 5150 over the door. You'd have to be crazy to want to work there.

(comment deleted)
(comment deleted)
"You need to choose an access PIN."

"How about (digits)?"

"You can't use that one. Someone else has already chosen that."

"Wait, now I know someone else's PIN code. I could use that and it'd be logged under their name."

So the system allowed multiple users to chose their own Pin and didn’t ask for a user ID when authenticating? That’s just stupid design.
What’s the password?

Which password?

Any password.

Hunter2

Welcome!

Is it? it is just a gate
Well we just got told how someone who forgot their pin managed to get in, so it probably doesn’t work. I would call that stupid.
Depends what is inside.

Every security mechanism is breakable with enough budget

To be fair that was decades ago. The mini-storage place I use now asks for your unit # AND your PIN. So it would be a lot harder to guess like described above.
The lock on your front door is more secure than the lock on your bedroom door. This tradeoff is for convenience, of course.

A entrance to a mini-storage place is probably OK to be weak. Presumably, you are required to have a proper lock on your own unit. Likewise, the PIN is generally the 2nd factor (along with "something you have") for important things. I'm OK with the convenience of having only a 4 digit PIN on my ATM card since I can reasonably protect & deactivate the card. If someone forces me to enter my pin under duress, it doesn't really matter how many digits it is.

Probably worth noting that using another PIN like that to enter a storage facility is almost certainly a breach of terms of use. Such that, if you did anything in there that is not ok with everyone, they have easy legal recourse against you.
Probably limited to termination of your rental.
Would depend what else you did, I presume? I also just meant this as an "in addition" to the idea that it isn't aiming for fool proof protection.
> A entrance to a mini-storage place is probably OK to be weak. Presumably, you are required to have a proper lock on your own unit.

You'd like the entrance to be strong, because access to the entrance grants you secluded access to all the units, and angle grinders beat locks in seconds, proper locks in just a few more seconds.

Of course, cars beat entrance gates pretty easily too.

Hopefully they have cameras in there.
They're hardly worth stealing.

Or do you mean they might prevent theft? Or deter it? It is my experience that they are pretty useless at both.

If it's ok to be so weak that it's trivial to enter like this, why have the lock at all? The cynical (and probably accurate) answer is that it's security theater designed to give customers warm fuzzy feelings cheaply and with low risk of lockout calls and maintainance issues. It does basically nothing to keep someone from taking your stuff.
dissuading the least motivated perpetrators, ability to add a "breaking and entering" charge perhaps?
It's weak, but I don't know if trivial is the right word. Like a bedroom lock, it does what it needs to do. First, the lock is probably there to make it easier for one remote security guy to monitor many locations after hours. They can be alerted when a door opens, has been ajar for a while and along with a camera, see what's going on. Other than that, you also want a lock to help keep the door closed to help keep climate control working efficiently, keep animals out, etc. Like I had been alluding to, when you rent a unit, you're told that you are responsible for locking your own unit with a specific, harder, lock, like a front door lock. If an attacker can get by this lock, entrance to the premises would have been possible as well.

On that note, I don't think the absence of a super strong lock on the front door of a storage place invites criminals. I live near open air storage facilities where anyone can just walk up to the units, like they're walking by cars on the street or in a parking lot. Thefts from storage units are just not big enough of an issue to require additional measures.

My mini storage place issued me a code that was just the number of my box and the year I was born. Knowing this, I could probably brute force someone else’s code in 30 seconds.
I'm sure they have cameras that could trace things back to you.

In my mother tongue there's a saying that that roughly translates to "The lock on the door isn't there to keep you out. It's there to communicate that you're not wanted there."

But this is coming from a culture that's rather communal where shared property is often the default.

That's called a dictionary attack and it's one rung above bruteforcing
This reminds me of when I was in HS. There was a auto car wash that would print a number on a receipt for one to enter and get a carwash with. One day for whatever reason I just punched in 12 random numbers and it worked. And thats how I got free car washes all through high school...
Ofc whenever I need a insecure four-digit pin I use 2501 - so people will know me when they meet me again.
> in most cases you don't need to search anywhere near that many

If the pin is chosen randomly with a uniform distribution over the 0000 to 9999 range, then the average brute force search will probe 5000.5 combinations.

The biggest job of the front entrance gate at a mini-storage business is to keep random people from loitering in the area, so the cameras(/hypothetical people watching the feeds) have an easier time witnessing a break-in.
And even if the number is randomly generated, many devices accept any string of digits that end with the correct four digits. Pressing "12345" actually tests both codes "1234" and "2345".

I'm sure there's an optimal sequence of keypresses that tests all 10000 codes in something like 30,000 keypresses rather than the naive 40,000.

Also true of those old "lockbox" key lockers that real estate agents use to "protect" the keys to your house.

This made me uncomfortable when I was selling a house, so naturally I wrote some code to generate a string of digits that would cover the full solution space most efficiently.

Armed with this "master key", I had the lockbox open in negligible time. Honestly I think it was just a few minutes, and I was about halfway through the string.

This let me put the key out only when a showing was happening, and I brought the lockbox to the closing, which baffled the real estate agent.

Yes! Back in the 1980s when long distance telephone was a thing, I used to dial (301) 737-2051 followed by a 5 digit pin to get access to a service that the let me enter a long distance call. It only took about 20-30 manual attempts for me to guess a valid 5 digit PIN! I'd just increment my guesses by 1 each time.
I'm disappointed I couldn't mouse over the grid to find my PIN and see how popular it is...
This is a really belated blogspam repost. Original:

http://www.datagenetics.com/blog/september32012/

The new link has some pretty good viz going on, so at lest they put a lot of effort into re-presenting the data.
"blogspam" is a bit harsh - it's based on a different dataset, and if you scroll down they do acknowledge Nick Berry's old analysis.
Discussed several times on HN btw:

Most common PIN codes (2012) - https://news.ycombinator.com/item?id=40359736 - May 2024 (88 comments)

PIN number analysis (2012) - https://news.ycombinator.com/item?id=17670173 - Aug 2018 (72 comments)

Statistical Analysis of PIN Numbers (2012) - https://news.ycombinator.com/item?id=11365962 - March 2016 (1 comment)

The 20 most common PIN numbers - https://news.ycombinator.com/item?id=11230045 - March 2016 (1 comment)

PIN analysis (2012) - https://news.ycombinator.com/item?id=11228319 - March 2016 (1 comment)

PIN number analysis - https://news.ycombinator.com/item?id=5124024 - Jan 2013 (82 comments)

PIN Number Analysis - https://news.ycombinator.com/item?id=4654337 - Oct 2012 (2 comments)

Analysis of bank PIN numbers - https://news.ycombinator.com/item?id=4535417 - Sept 2012 (111 comments)

Wish as you moused over the grid it would tell you the numerical value, or at least the one were on with precision so I could hover over mine (as well as others).
> Almost one in 10 people use the same four-digit PIN

I can't think of the PIN 1234 without immediately thinking of Dark Helmet:

"So the combination is one, two, three, four, five? That's the stupidest combination I ever heard in my life! That's the kind of thing an idiot would have on his luggage!" https://www.youtube.com/watch?v=7rSmMm-7SVA

I'm flatly amazed "1701" isn't in the top 50.
I’d like to think Trek watchers are smarter than that.
I know people with "8472" as well.
Oh good, my favorite Rush song is still safe.
Actually 2112 is slightly elevated in the other reddit heatmap someone linked that you can zoom in on.
The post is much better than the clickbaity title suggests.

Loved the visualisation and the fact that 2902/0229 are noticeably lighter than surroundings.

it seems like my pin of 1077, the same as a cheese pizza and soda at my old job, is still super secure.
“So, what do I owe you?”

“$10.77. Same as my PIN number.”

Far better to use a six digit pin, like 0-0-0-0-0-0.
Sounds like the Team Fortress 2 "Meet the Spy" PIN

"1-1-1-uh-1!"

(comment deleted)
(comment deleted)
What a beautiful infoviz presentation, esp for a major news site. Good work Julian Fell and Teresa Tan!
Hard not to ack that the common ones are the default values of most locks? Is akin to finding that the default admin password on many databases/servers/etc is not changed by the users?
That being said, you usually need the matching gadget/account as well.

Four digit PINs are a fine solution in many contexts.

A bigger problem is always going all in nuclear when it comes to security. If the solution is impossible to use, no one gives a shit about security.