An assailant who doesn’t have access to this dataset may assume 4321 is more common than 18th, as I would’ve, and try it sooner. Not a great choice in that case.
If you want to be pedantic, it really isn't a number at all, it's a string of digits. A lot of "serial numbers" and "material part numbers" are not only not numbers, they're not even all digits.
Yeh, until your coworker thinks that he should be storing the phone numbers as an int in the database, and the ones in the Pacific northwest keep getting truncated (but only if they include the leading 1).
Numbers might be represented by numerals, but that doesn't mean every string of numerals is a number. If you need to know the difference, ask yourself if you'd ever do math with it, (add to it, subtract from it) if only principle.
>The card is the unique identifier assigned by the bank.
The account number is the unique identifier assigned by the bank. Your card is the physical "key" (password) to said account, and the PIN is your self chosen identifier (username).
Think of it this way: I can tell you my pin number and my bank account number all day long, it doesn't matter if you don't have my card. But if you had my card, you'd have a reasonable shot at guessing the PIN and gaining access. The card is the password.
The card is a physical representation of your account number, readable with a magstripe scanner. It's analogous to a username written on a scrap of paper.
Despite the misnomer, a PIN can't really be an identifier if you and I have the same one.
> The card is a physical representation of your account number, readable with a magstripe scanner.
Which is no longer true for EMV cards, though. There, the chip contains some additional data which cannot be easily copied and which helps identify the card as a bona fide real card issued by a bank.
A more sensible way to break it down is by "something you have" (phone or YubiKey), "something you know" (password) and "something you are" (face or fingerprint).
Username and password are both something you know, so they count as just one factor. A card on the other hand is something you have, so combined with the PIN that's two factors.
It was so frustrating when I was studying mathematics, I feel like just one more dimension would make understanding lots of concepts much easier; for me there is simply not enough points to extrapolate from: 0D is the degenerate case, 1D is trivial, so only two, 2D and 3D, are left to play with. %(
By counting grid points it looks like codes in the form 0[1-9][32-99] are the least common with a few exceptions (like 0990 or 0987).
I suspect this is leading zero bias: a leading zero is not meaningful mathematically and we tend to drop it. The exceptions are dates. The day first block doesn't extend vertically into an unused area but the month first one drops off a cliff around 32 because no month has 32 days.
You made me wonder what my smartphone PIN actually is and now I can only access the device with the fingerprint reader. Usually my hands know what PIN to use, but apparently not when the brain gets involved. Guess I have to wait until I forget that I don't know that PIN.
It is probably still almost 10%, but we seem to imply that "frequency of a pin within the set of all 4 digit pins" is frequency of the pin amongst the population, but that means we're not counting people who, e.g., use 6 digit pins.
(Or I suppose that just reinforces the point: most people are setting first 2 digits of the 6 digit pin to "00", essentially, although now I wonder if a phone accepts 001234 and 1234 as equivalent. Is it a string, or an int? I'd presume the former…)
An observation about 4 digit PIN's. They're even weaker than you might think just from "doing the math" at least in some cases. Sure, there's 10000 combinations to search through if you're trying to brute force one, but I'd bet money that in most cases you don't need to search anywhere near that many.
Case in point: I had a unit at a mini-storage place once. And you needed a 4 digit PIN to get through the gate. And I forgot the PIN I used. I was sitting at the gate for a minute, staring at the keypad and realized "wait... hundreds of people have PINs in this system and the system doesn't care which one you use". So I just needed a PIN that somebody used. So I started with years that would have been reasonable birth years for an average adult at that time and starting going up. I think it took about 6 tries to find a valid PIN.
Now granted, this is different than trying to brute force a specific person's PIN. But even then, I expect that in many cases an informed search will crack it a lot faster than a purely sequential search or a random search. Using common birth years, well known numbers like "5150", "1234", "4321", etc. is probably going to work a lot of times.
I had the same question. It is the title of a Van Halen record album, also a section of the California legal code related to mental health, according to a simple search.
It's apparently the California law section number for restraining a mentally unwell person or something, so has law enforcement and slang usage, and there's a 1986 chart-topping song named after it. (I'd never heard of it either, but I'm not Californian.)
And Eddie’s amp model, the Peavey 5150. It’s become the de-facto standard for the more extreme metal bands.
When Eddie took the rights with him to Fender and they made the EVH 5150 (another fantastic amp), Peavey renamed this line to the 6505 series, so there you have another four-digit code to use.
Well the 5150 was Eddie’s Studio Postal Code, but if we are going down this road :-) I would like to point out at some point in time they run out of Sylvania 6L6 Power Tubes... then Peavey started with Chinese Ruby 6L6 Power Tubes for the EVH5150 and they dont sound the same...
Its the famous law for involuntary mental lockup in California, then referenced a lot in pop culture, probably most notably with a Van Halen album named after it. Its used in a lot of jokes, but also oppressively. I think we've seen some divorce court releases and such on how to "5150 my wife," how cops abuse it, etc.
To be fair that was decades ago. The mini-storage place I use now asks for your unit # AND your PIN. So it would be a lot harder to guess like described above.
The lock on your front door is more secure than the lock on your bedroom door. This tradeoff is for convenience, of course.
A entrance to a mini-storage place is probably OK to be weak. Presumably, you are required to have a proper lock on your own unit. Likewise, the PIN is generally the 2nd factor (along with "something you have") for important things. I'm OK with the convenience of having only a 4 digit PIN on my ATM card since I can reasonably protect & deactivate the card. If someone forces me to enter my pin under duress, it doesn't really matter how many digits it is.
Probably worth noting that using another PIN like that to enter a storage facility is almost certainly a breach of terms of use. Such that, if you did anything in there that is not ok with everyone, they have easy legal recourse against you.
> A entrance to a mini-storage place is probably OK to be weak. Presumably, you are required to have a proper lock on your own unit.
You'd like the entrance to be strong, because access to the entrance grants you secluded access to all the units, and angle grinders beat locks in seconds, proper locks in just a few more seconds.
Of course, cars beat entrance gates pretty easily too.
If it's ok to be so weak that it's trivial to enter like this, why have the lock at all? The cynical (and probably accurate) answer is that it's security theater designed to give customers warm fuzzy feelings cheaply and with low risk of lockout calls and maintainance issues. It does basically nothing to keep someone from taking your stuff.
It's weak, but I don't know if trivial is the right word. Like a bedroom lock, it does what it needs to do. First, the lock is probably there to make it easier for one remote security guy to monitor many locations after hours. They can be alerted when a door opens, has been ajar for a while and along with a camera, see what's going on. Other than that, you also want a lock to help keep the door closed to help keep climate control working efficiently, keep animals out, etc. Like I had been alluding to, when you rent a unit, you're told that you are responsible for locking your own unit with a specific, harder, lock, like a front door lock. If an attacker can get by this lock, entrance to the premises would have been possible as well.
On that note, I don't think the absence of a super strong lock on the front door of a storage place invites criminals. I live near open air storage facilities where anyone can just walk up to the units, like they're walking by cars on the street or in a parking lot. Thefts from storage units are just not big enough of an issue to require additional measures.
My mini storage place issued me a code that was just the number of my box and the year I was born. Knowing this, I could probably brute force someone else’s code in 30 seconds.
I'm sure they have cameras that could trace things back to you.
In my mother tongue there's a saying that that roughly translates to "The lock on the door isn't there to keep you out. It's there to communicate that you're not wanted there."
But this is coming from a culture that's rather communal where shared property is often the default.
This reminds me of when I was in HS. There was a auto car wash that would print a number on a receipt for one to enter and get a carwash with. One day for whatever reason I just punched in 12 random numbers and it worked. And thats how I got free car washes all through high school...
> in most cases you don't need to search anywhere near that many
If the pin is chosen randomly with a uniform distribution over the 0000 to 9999 range, then the average brute force search will probe 5000.5 combinations.
The biggest job of the front entrance gate at a mini-storage business is to keep random people from loitering in the area, so the cameras(/hypothetical people watching the feeds) have an easier time witnessing a break-in.
And even if the number is randomly generated, many devices accept any string of digits that end with the correct four digits. Pressing "12345" actually tests both codes "1234" and "2345".
I'm sure there's an optimal sequence of keypresses that tests all 10000 codes in something like 30,000 keypresses rather than the naive 40,000.
Also true of those old "lockbox" key lockers that real estate agents use to "protect" the keys to your house.
This made me uncomfortable when I was selling a house, so naturally I wrote some code to generate a string of digits that would cover the full solution space most efficiently.
Armed with this "master key", I had the lockbox open in negligible time. Honestly I think it was just a few minutes, and I was about halfway through the string.
This let me put the key out only when a showing was happening, and I brought the lockbox to the closing, which baffled the real estate agent.
Yes! Back in the 1980s when long distance telephone was a thing, I used to dial (301) 737-2051 followed by a 5 digit pin to get access to a service that the let me enter a long distance call. It only took about 20-30 manual attempts for me to guess a valid 5 digit PIN! I'd just increment my guesses by 1 each time.
Wish as you moused over the grid it would tell you the numerical value, or at least the one were on with precision so I could hover over mine (as well as others).
> Almost one in 10 people use the same four-digit PIN
I can't think of the PIN 1234 without immediately thinking of Dark Helmet:
"So the combination is one, two, three, four, five? That's the stupidest combination I ever heard in my life! That's the kind of thing an idiot would have on his luggage!" https://www.youtube.com/watch?v=7rSmMm-7SVA
Hard not to ack that the common ones are the default values of most locks? Is akin to finding that the default admin password on many databases/servers/etc is not changed by the users?
139 comments
[ 2.6 ms ] story [ 206 ms ] threadIf you'll excuse me, I need to go fight some windmills.
I like that.
Or just the straight acronym of PAIN?
0. https://en.wikipedia.org/wiki/Numeronym
Numbers might be represented by numerals, but that doesn't mean every string of numerals is a number. If you need to know the difference, ask yourself if you'd ever do math with it, (add to it, subtract from it) if only principle.
- a figure or group of figures used to identify someone or something (Oxford dictionary)
- a numeral or combination of numerals or other symbols used to identify or designate (Merriam Webster's dictionary)
The account number is the unique identifier assigned by the bank. Your card is the physical "key" (password) to said account, and the PIN is your self chosen identifier (username).
Think of it this way: I can tell you my pin number and my bank account number all day long, it doesn't matter if you don't have my card. But if you had my card, you'd have a reasonable shot at guessing the PIN and gaining access. The card is the password.
Despite the misnomer, a PIN can't really be an identifier if you and I have the same one.
Sure it can, the namespace is just within your account.
I am logging into account X (account number) as Person Y (PIN) with authorization Z (card)
A PIN is a password, not a username.
Which is no longer true for EMV cards, though. There, the chip contains some additional data which cannot be easily copied and which helps identify the card as a bona fide real card issued by a bank.
https://www.emv-connection.com/contact-chip-card-online-auth... (there's also some alternative authentication method that would work offline, i.e. just between the card and the payment terminal)
Or more like PIN is that password, and the card is the token.
Username and password are both something you know, so they count as just one factor. A card on the other hand is something you have, so combined with the PIN that's two factors.
They could have added grid-lines to reveal this information, for example.
I suspect this is leading zero bias: a leading zero is not meaningful mathematically and we tend to drop it. The exceptions are dates. The day first block doesn't extend vertically into an unused area but the month first one drops off a cliff around 32 because no month has 32 days.
We've replaced password sharing with PIN sharing.
(Or I suppose that just reinforces the point: most people are setting first 2 digits of the 6 digit pin to "00", essentially, although now I wonder if a phone accepts 001234 and 1234 as equivalent. Is it a string, or an int? I'd presume the former…)
Case in point: I had a unit at a mini-storage place once. And you needed a 4 digit PIN to get through the gate. And I forgot the PIN I used. I was sitting at the gate for a minute, staring at the keypad and realized "wait... hundreds of people have PINs in this system and the system doesn't care which one you use". So I just needed a PIN that somebody used. So I started with years that would have been reasonable birth years for an average adult at that time and starting going up. I think it took about 6 tries to find a valid PIN.
Now granted, this is different than trying to brute force a specific person's PIN. But even then, I expect that in many cases an informed search will crack it a lot faster than a purely sequential search or a random search. Using common birth years, well known numbers like "5150", "1234", "4321", etc. is probably going to work a lot of times.
https://www.dictionary.com/e/slang/5150/
When Eddie took the rights with him to Fender and they made the EVH 5150 (another fantastic amp), Peavey renamed this line to the 6505 series, so there you have another four-digit code to use.
https://en.wikipedia.org/wiki/IBM_5150
M1 is - I think - the form they have to fill out to put you on a temporary hold.
* https://www.youtube.com/watch?v=OFxg1nB9yQ8
Poster: "I was ripping my dirt bike out in the snow and got pulled over!"
Commenter 1: "What for?"
Commenter 2: "5150."
Barcroft Station in California (elevation 3800 m) has house number 5150 over the door. You'd have to be crazy to want to work there.
"How about (digits)?"
"You can't use that one. Someone else has already chosen that."
"Wait, now I know someone else's PIN code. I could use that and it'd be logged under their name."
“Which password?”
“Any password.”
“Hunter2”
“Welcome!”
*
As a memory rule, astrisk looks like a star, asteriskos means ”little star” in greek and is related to asterology.
Every security mechanism is breakable with enough budget
A entrance to a mini-storage place is probably OK to be weak. Presumably, you are required to have a proper lock on your own unit. Likewise, the PIN is generally the 2nd factor (along with "something you have") for important things. I'm OK with the convenience of having only a 4 digit PIN on my ATM card since I can reasonably protect & deactivate the card. If someone forces me to enter my pin under duress, it doesn't really matter how many digits it is.
You'd like the entrance to be strong, because access to the entrance grants you secluded access to all the units, and angle grinders beat locks in seconds, proper locks in just a few more seconds.
Of course, cars beat entrance gates pretty easily too.
Or do you mean they might prevent theft? Or deter it? It is my experience that they are pretty useless at both.
On that note, I don't think the absence of a super strong lock on the front door of a storage place invites criminals. I live near open air storage facilities where anyone can just walk up to the units, like they're walking by cars on the street or in a parking lot. Thefts from storage units are just not big enough of an issue to require additional measures.
In my mother tongue there's a saying that that roughly translates to "The lock on the door isn't there to keep you out. It's there to communicate that you're not wanted there."
But this is coming from a culture that's rather communal where shared property is often the default.
If the pin is chosen randomly with a uniform distribution over the 0000 to 9999 range, then the average brute force search will probe 5000.5 combinations.
I'm sure there's an optimal sequence of keypresses that tests all 10000 codes in something like 30,000 keypresses rather than the naive 40,000.
This made me uncomfortable when I was selling a house, so naturally I wrote some code to generate a string of digits that would cover the full solution space most efficiently.
Armed with this "master key", I had the lockbox open in negligible time. Honestly I think it was just a few minutes, and I was about halfway through the string.
This let me put the key out only when a showing was happening, and I brought the lockbox to the closing, which baffled the real estate agent.
https://en.wikipedia.org/wiki/De_Bruijn_sequence
It seems that you can do it in 10003 key presses. Calculation for this this exact example is in the Wikipedia page.
http://www.datagenetics.com/blog/september32012/
Most common PIN codes (2012) - https://news.ycombinator.com/item?id=40359736 - May 2024 (88 comments)
PIN number analysis (2012) - https://news.ycombinator.com/item?id=17670173 - Aug 2018 (72 comments)
Statistical Analysis of PIN Numbers (2012) - https://news.ycombinator.com/item?id=11365962 - March 2016 (1 comment)
The 20 most common PIN numbers - https://news.ycombinator.com/item?id=11230045 - March 2016 (1 comment)
PIN analysis (2012) - https://news.ycombinator.com/item?id=11228319 - March 2016 (1 comment)
PIN number analysis - https://news.ycombinator.com/item?id=5124024 - Jan 2013 (82 comments)
PIN Number Analysis - https://news.ycombinator.com/item?id=4654337 - Oct 2012 (2 comments)
Analysis of bank PIN numbers - https://news.ycombinator.com/item?id=4535417 - Sept 2012 (111 comments)
I can't think of the PIN 1234 without immediately thinking of Dark Helmet:
"So the combination is one, two, three, four, five? That's the stupidest combination I ever heard in my life! That's the kind of thing an idiot would have on his luggage!" https://www.youtube.com/watch?v=7rSmMm-7SVA
https://www.reddit.com/r/dataisbeautiful/comments/1cn7l7r/oc...
Also consider this scene from Trainspotting 2: https://www.youtube.com/watch?v=2EQCpQbUrzI :)
Loved the visualisation and the fact that 2902/0229 are noticeably lighter than surroundings.
“$10.77. Same as my PIN number.”
"1-1-1-uh-1!"
Four digit PINs are a fine solution in many contexts.
A bigger problem is always going all in nuclear when it comes to security. If the solution is impossible to use, no one gives a shit about security.