A more sensible way to break it down is by "something you have" (phone or YubiKey), "something you know" (password) and "something you are" (face or fingerprint).
Username and password are both something you know, so they count as just one factor. A card on the other hand is something you have, so combined with the PIN that's two factors.
An assailant who doesn’t have access to this dataset may assume 4321 is more common than 18th, as I would’ve, and try it sooner. Not a great choice in that case.
If you want to be pedantic, it really isn't a number at all, it's a string of digits. A lot of "serial numbers" and "material part numbers" are not only not numbers, they're not even all digits.
Yeh, until your coworker thinks that he should be storing the phone numbers as an int in the database, and the ones in the Pacific northwest keep getting truncated (but only if they include the leading 1).
Numbers might be represented by numerals, but that doesn't mean every string of numerals is a number. If you need to know the difference, ask yourself if you'd ever do math with it (add to it, subtract from it), if only in principle.
An observation about 4 digit PIN's. They're even weaker than you might think just from "doing the math" at least in some cases. Sure, there's 10000 combinations to search through if you're trying to brute force one, but I'd bet money that in most cases you don't need to search anywhere near that many.
Case in point: I had a unit at a mini-storage place once. And you needed a 4 digit PIN to get through the gate. And I forgot the PIN I used. I was sitting at the gate for a minute, staring at the keypad and realized "wait... hundreds of people have PINs in this system and the system doesn't care which one you use". So I just needed a PIN that somebody used. So I started with years that would have been reasonable birth years for an average adult at that time and started going up. I think it took about 6 tries to find a valid PIN.
Now granted, this is different than trying to brute force a specific person's PIN. But even then, I expect that in many cases an informed search will crack it a lot faster than a purely sequential search or a random search. Using common birth years, well known numbers like "5150", "1234", "4321", etc. is probably going to work a lot of times.
The lock on your front door is more secure than the lock on your bedroom door. This tradeoff is for convenience, of course.
An entrance to a mini-storage place is probably OK to be weak. Presumably, you are required to have a proper lock on your own unit. Likewise, the PIN is generally the 2nd factor (along with "something you have") for important things. I'm OK with the convenience of having only a 4 digit PIN on my ATM card since I can reasonably protect & deactivate the card. If someone forces me to enter my PIN under duress, it doesn't really matter how many digits it is.
> An entrance to a mini-storage place is probably OK to be weak. Presumably, you are required to have a proper lock on your own unit.
You'd like the entrance to be strong, because access to the entrance grants you secluded access to all the units, and angle grinders beat locks in seconds, proper locks in just a few more seconds.
Of course, cars beat entrance gates pretty easily too.
Hopefully they have cameras in there.
They're hardly worth stealing.
Or do you mean they might prevent theft? Or deter it? It is my experience that they are pretty useless at both.
If it's ok to be so weak that it's trivial to enter like this, why have the lock at all? The cynical (and probably accurate) answer is that it's security theater designed to give customers warm fuzzy feelings cheaply and with low risk of lockout calls and maintenance issues. It does basically nothing to keep someone from taking your stuff.
It's weak, but I don't know if trivial is the right word. Like a bedroom lock, it does what it needs to do. First, the lock is probably there to make it easier for one remote security guy to monitor many locations after hours. They can be alerted when a door opens, has been ajar for a while and along with a camera, see what's going on. Other than that, you also want a lock to help keep the door closed to help keep climate control working efficiently, keep animals out, etc. Like I had been alluding to, when you rent a unit, you're told that you are responsible for locking your own unit with a specific, harder, lock, like a front door lock. If an attacker can get by this lock, entrance to the premises would have been possible as well.
On that note, I don't think the absence of a super strong lock on the front door of a storage place invites criminals. I live near open air storage facilities where anyone can just walk up to the units, like they're walking by cars on the street or in a parking lot. Thefts from storage units are just not big enough of an issue to require additional measures.
dissuading the least motivated perpetrators, ability to add a "breaking and entering" charge perhaps?
Probably worth noting that using another PIN like that to enter a storage facility is almost certainly a breach of terms of use. Such that, if you did anything in there that is not ok with everyone, they have easy legal recourse against you.
Probably limited to termination of your rental.
Would depend what else you did, I presume? I also just meant this as an "in addition" to the idea that it isn't aiming for fool proof protection.
"You need to choose an access PIN."
"How about (digits)?"
"You can't use that one. Someone else has already chosen that."
"Wait, now I know someone else's PIN code. I could use that and it'd be logged under their name."
My mini storage place issued me a code that was just the number of my box and the year I was born. Knowing this, I could probably brute force someone else’s code in 30 seconds.
I'm sure they have cameras that could trace things back to you.
In my mother tongue there's a saying that roughly translates to "The lock on the door isn't there to keep you out. It's there to communicate that you're not wanted there."
But this is coming from a culture that's rather communal where shared property is often the default.
This reminds me of when I was in HS. There was an auto car wash that would print a number on a receipt for one to enter and get a carwash with. One day for whatever reason I just punched in 12 random numbers and it worked. And that's how I got free car washes all through high school...
> in most cases you don't need to search anywhere near that many
If the pin is chosen randomly with a uniform distribution over the 0000 to 9999 range, then the average brute force search will probe 5000.5 combinations.
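The 5000.5 figure above is the cost of guessing one uniformly random PIN. The thread also describes two cheaper situations: a popular-first ("informed") search against a skewed population, and a gate that accepts any enrolled PIN without asking who you are. The following is an added example, not code from the thread or from the article it discusses; the skewed distribution in it is constructed for illustration and is not the article's dataset, and the gate model assumes enrolled PINs are distinct and uniformly random.

```python
# Added example (not from the thread): expected cost of guessing a 4-digit PIN
# under the three situations discussed above. Numbers below are constructed
# for illustration, not taken from the article's dataset.
from fractions import Fraction
import random

SPACE = 10_000  # four-digit PINs 0000..9999
ALL_PINS = [f"{i:04d}" for i in range(SPACE)]

# Constructed toy population: a few popular PINs carry most of the mass (the
# thread quotes "almost one in 10" for the top one); the rest is uniform.
POPULAR = {
    "1234": 0.10, "1111": 0.05, "0000": 0.03, "1212": 0.02, "7777": 0.02,
    "1004": 0.01, "2000": 0.01, "4444": 0.01, "2222": 0.01, "6969": 0.01,
}


def full_distribution(popular: dict) -> dict:
    """Spread the mass not claimed by the popular PINs evenly over the rest."""
    rest = 1.0 - sum(popular.values())
    others = [p for p in ALL_PINS if p not in popular]
    dist = dict(popular)
    for p in others:
        dist[p] = rest / len(others)
    return dist


def expected_guesses_sequential_uniform() -> Fraction:
    """One target PIN, uniformly random, guessed 0000, 0001, ... in order:
    the 5000.5 from the comment above."""
    return Fraction(SPACE + 1, 2)


def expected_guesses_frequency_ordered(dist: dict) -> float:
    """One target PIN drawn from `dist`, guessed most-popular-first (the
    'informed search' / dictionary order). E[guesses] = sum(rank * p)."""
    ranked = sorted(dist.items(), key=lambda kv: kv[1], reverse=True)
    return sum(rank * p for rank, (_, p) in enumerate(ranked, start=1))


def expected_guesses_any_valid(n_users: int) -> Fraction:
    """Gate that accepts *any* enrolled PIN and asks for no user id, with
    n_users distinct uniformly random PINs enrolled. The first hit is the
    smallest of n_users distinct positions in 1..SPACE, whose mean is
    (SPACE + 1) / (n_users + 1); n_users == 1 recovers 5000.5."""
    return Fraction(SPACE + 1, n_users + 1)


def simulate_any_valid(n_users: int, trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo check of expected_guesses_any_valid: enrol n_users distinct
    random PINs, guess 0000 upward, and average the guesses to the first
    accepted one."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        enrolled = set(rng.sample(range(SPACE), n_users))
        total += next(g + 1 for g in range(SPACE) if g in enrolled)
    return total / trials


if __name__ == "__main__":
    dist = full_distribution(POPULAR)
    print("sequential, uniform target:", float(expected_guesses_sequential_uniform()))
    print("popular-first, skewed target:", round(expected_guesses_frequency_ordered(dist), 1))
    for n in (1, 100, 500):
        print(f"any valid PIN, {n} users enrolled:",
              round(float(expected_guesses_any_valid(n)), 1))
    print("simulated, 100 users:", round(simulate_any_valid(100), 1))
```

With the constructed distribution the popular-first search needs about 3655 guesses on average instead of 5000.5, and a gate with 100 enrolled PINs and no user id falls in about 99 guesses (about 20 with 500 enrolled). The second number is why asking for the unit number as well as the PIN, as a later comment describes, matters: it turns "any valid PIN" back into "one specific PIN", and a lockout after a few failures then bounds the attacker to a handful of tries.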
Yes! Back in the 1980s when long distance telephone was a thing, I used to dial (301) 737-2051 followed by a 5 digit pin to get access to a service that let me enter a long distance call. It only took about 20-30 manual attempts for me to guess a valid 5 digit PIN! I'd just increment my guesses by 1 each time.
And even if the number is randomly generated, many devices accept any string of digits that end with the correct four digits. Pressing "12345" actually tests both codes "1234" and "2345".
I'm sure there's an optimal sequence of keypresses that tests all 10000 codes in something like 30,000 keypresses rather than the naive 40,000.
Yes, there's some solid theory behind it:
https://en.wikipedia.org/wiki/De_Bruijn_sequence
It seems that you can do it in 10003 key presses. The calculation for this exact example is in the Wikipedia page.
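The two comments above make a checkable claim: a keypad that accepts any digit string ending in a valid code tests one new code per keypress, so a de Bruijn sequence B(10, 4) with its first three digits repeated covers all 10,000 codes in 10,003 presses, against 40,000 for entering each code separately. The following is an added example, not code from the thread or the linked page; it models both keypad behaviours and verifies the counts. The sequence construction is the standard Lyndon-word algorithm; the keypad models are assumptions written for this example.

```python
# Added example (not from the thread): verify the 10,003-keypress claim by
# modelling a suffix-accepting keypad and generating the de Bruijn sequence.


def de_bruijn(k: int, n: int) -> str:
    """Cyclic de Bruijn sequence B(k, n) over digits 0..k-1, built from Lyndon
    words (the standard construction; length is k**n)."""
    a = [0] * (k * n)
    seq = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(str(d) for d in seq)


def keypresses_for_full_coverage(k: int = 10, n: int = 4) -> str:
    """Linear key sequence: the cyclic B(k, n) plus its first n-1 digits, so
    that every length-n window (every code) appears exactly once."""
    cyc = de_bruijn(k, n)
    return cyc + cyc[:n - 1]


def codes_tested_by_sliding_keypad(presses: str, n: int = 4) -> set:
    """Model of a keypad that accepts any digit string ending in a valid code:
    after each press the last n digits are compared, so "12345" tests both
    "1234" and "2345" (the behaviour described in the thread)."""
    return {presses[i:i + n] for i in range(len(presses) - n + 1)}


def naive_keypresses(k: int = 10, n: int = 4) -> int:
    """Cost of entering each code separately on a keypad that clears its
    buffer between attempts: n presses per code (the 'naive 40,000')."""
    return k ** n * n


def codes_tested_before_lockout(presses: str, max_failures: int, n: int = 4) -> int:
    """Same sliding keypad, but the controller locks out after max_failures
    consecutive rejected windows (assumed mitigation): an attacker who does
    not hit a valid code gets at most max_failures codes per lockout period."""
    windows = len(presses) - n + 1
    return min(windows, max_failures)


if __name__ == "__main__":
    walk = keypresses_for_full_coverage()
    print("keypresses in full walk:", len(walk))                       # 10003
    print("distinct codes tested:", len(codes_tested_by_sliding_keypad(walk)))  # 10000
    print("naive one-code-at-a-time:", naive_keypresses())            # 40000
    print("codes tested before a 5-failure lockout:",
          codes_tested_before_lockout(walk, 5))                        # 5
```

The last function is the defender's takeaway: the 10,003-press walk only works because the controller evaluates every suffix and never stops counting failures. Requiring an explicit submit key and locking out after a few consecutive failures caps an exhaustive walk at a handful of codes per lockout window, whatever sequence is typed.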
Also true of those old "lockbox" key lockers that real estate agents use to "protect" the keys to your house.
This made me uncomfortable when I was selling a house, so naturally I wrote some code to generate a string of digits that would cover the full solution space most efficiently.
Armed with this "master key", I had the lockbox open in negligible time. Honestly I think it was just a few minutes, and I was about halfway through the string.
This let me put the key out only when a showing was happening, and I brought the lockbox to the closing, which baffled the real estate agent.
So the system allowed multiple users to choose their own PIN and didn’t ask for a user ID when authenticating? That’s just stupid design.
“What’s the password?”
“Which password?”
“Any password.”
“Hunter2”
“Welcome!”
Why did you put just asterisks?
In my case I see just #######
This is an asterisk
*
As a memory rule, asterisk looks like a star; asteriskos means ”little star” in Greek and is related to asterology.
I think what's happened here is that you didn't get the joke. https://knowyourmeme.com/memes/hunter2
I did not get that, lol
To be fair that was decades ago. The mini-storage place I use now asks for your unit # AND your PIN. So it would be a lot harder to guess like described above.
Is it? It is just a gate.
Well we just got told how someone who forgot their pin managed to get in, so it probably doesn’t work. I would call that stupid.
Depends what is inside.
Every security mechanism is breakable with enough budget
What is "5150" well known for?
In my GenX brain, a Van Halen album* comes to mind.
* https://www.youtube.com/watch?v=OFxg1nB9yQ8
This being HN, my mind went immediately to the IBM 5150...
https://en.wikipedia.org/wiki/IBM_5150
This being HN, there's only a few of us left.
It's apparently the California law section number for restraining a mentally unwell person or something, so has law enforcement and slang usage, and there's a 1986 chart-topping song named after it. (I'd never heard of it either, but I'm not Californian.)
I had the same question. It is the title of a Van Halen record album, also a section of the California legal code related to mental health, according to a simple search.
One of the best Van Halen albums?
And Eddie’s amp model, the Peavey 5150. It’s become the de-facto standard for the more extreme metal bands.
When Eddie took the rights with him to Fender and they made the EVH 5150 (another fantastic amp), Peavey renamed this line to the 6505 series, so there you have another four-digit code to use.
Well the 5150 was Eddie’s Studio Postal Code, but if we are going down this road :-) I would like to point out that at some point in time they ran out of Sylvania 6L6 Power Tubes... then Peavey started with Chinese Ruby 6L6 Power Tubes for the EVH5150 and they don't sound the same...
Based on the legal code, around here it's slang for "crazy".
Poster: "I was ripping my dirt bike out in the snow and got pulled over!"
Commenter 1: "What for?"
Commenter 2: "5150."
Barcroft Station in California (elevation 3800 m) has house number 5150 over the door. You'd have to be crazy to want to work there.
This is one of the first results a search provided. I skipped Wikipedia which was first but it was actually informative as well.
https://www.dictionary.com/e/slang/5150/
As a Van Halen fan, I think of it because of the album titled "5150". But it has other well known uses as well.
Color me a bit sad to not see 2112 make the list.
It's the famous law for involuntary mental lockup in California, then referenced a lot in pop culture, probably most notably with a Van Halen album named after it. It's used in a lot of jokes, but also oppressively. I think we've seen some divorce court releases and such on how to "5150 my wife," how cops abuse it, etc.
Around these parts, we call it an "M1 hold"
M1 is - I think - the form they have to fill out to put you on a temporary hold.
https://en.wikipedia.org/wiki/Lanterman%E2%80%93Petris%E2%80...
The biggest job of the front entrance gate at a mini-storage business is to keep random people from loitering in the area, so the cameras(/hypothetical people watching the feeds) have an easier time witnessing a break-in.
That's called a dictionary attack and it's one rung above bruteforcing
Ofc whenever I need an insecure four-digit pin I use 2501 - so people will know me when they meet me again.
> Almost one in 10 people use the same four-digit PIN
I can't think of the PIN 1234 without immediately thinking of Dark Helmet:
"So the combination is one, two, three, four, five? That's the stupidest combination I ever heard in my life! That's the kind of thing an idiot would have on his luggage!" https://www.youtube.com/watch?v=7rSmMm-7SVA
Beautiful visualisation - I just wish I could hover over the grid and see which PIN my cursor is pointing at.
By counting grid points it looks like codes in the form 0[1-9][32-99] are the least common with a few exceptions (like 0990 or 0987).
I suspect this is leading zero bias: a leading zero is not meaningful mathematically and we tend to drop it. The exceptions are dates. The day first block doesn't extend vertically into an unused area but the month first one drops off a cliff around 32 because no month has 32 days.
It's nice but also flawed because you can't easily see if the first two digits are the same. Or the last two digits.
yeah, i too feel limited by our 3 spatial dimensions
It was so frustrating when I was studying mathematics, I feel like just one more dimension would make understanding lots of concepts much easier; for me there is simply not enough points to extrapolate from: 0D is the degenerate case, 1D is trivial, so only two, 2D and 3D, are left to play with. %(
color, fill, texture, shape - that gets you up to 7
doesn't work, those dimensions aren't bijections to the reals
It's up to the designer to deal with any physical limitations.
They could have added grid-lines to reveal this information, for example.
Kind of like GitHub's contribution graph? Which is an awesome little piece of design.
Nice to see 1-2-1-2 listed, the PIN of soundcheck guys everywhere.
I had an Italian sound engineer pal and a Czech one too...
This is a really belated blogspam repost. Original:
http://www.datagenetics.com/blog/september32012/
"blogspam" is a bit harsh - it's based on a different dataset, and if you scroll down they do acknowledge Nick Berry's old analysis.
Discussed several times on HN btw:
Most common PIN codes (2012) - https://news.ycombinator.com/item?id=40359736 - May 2024 (88 comments)
PIN number analysis (2012) - https://news.ycombinator.com/item?id=17670173 - Aug 2018 (72 comments)
Statistical Analysis of PIN Numbers (2012) - https://news.ycombinator.com/item?id=11365962 - March 2016 (1 comment)
The 20 most common PIN numbers - https://news.ycombinator.com/item?id=11230045 - March 2016 (1 comment)
PIN analysis (2012) - https://news.ycombinator.com/item?id=11228319 - March 2016 (1 comment)
PIN number analysis - https://news.ycombinator.com/item?id=5124024 - Jan 2013 (82 comments)
PIN Number Analysis - https://news.ycombinator.com/item?id=4654337 - Oct 2012 (2 comments)
Analysis of bank PIN numbers - https://news.ycombinator.com/item?id=4535417 - Sept 2012 (111 comments)
The new link has some pretty good viz going on, so at least they put a lot of effort into re-presenting the data.
Wish as you moused over the grid it would tell you the numerical value, or at least the one we're on with precision so I could hover over mine (as well as others).
https://dfboyd.github.io/hw/index.html
A clickable version of the original heatmap
Here's a heat map you can zoom in on:
https://www.reddit.com/r/dataisbeautiful/comments/1cn7l7r/oc...
Also consider this scene from Trainspotting 2: https://www.youtube.com/watch?v=2EQCpQbUrzI :)
The other problem is that people use the same PIN on their smartphones and debit cards, for example, because who can remember multiple PINs?
We've replaced password sharing with PIN sharing.
My two bank apps require a pin for “fast access” rather than a password, it drives me crazy. I have a PW manager, let me use a safe password!
You made me wonder what my smartphone PIN actually is and now I can only access the device with the fingerprint reader. Usually my hands know what PIN to use, but apparently not when the brain gets involved. Guess I have to wait until I forget that I don't know that PIN.
When I need a pin, I use uuidgen and grab the first four decimal digits. (I guess that could potentially include the `4` but it hasn't happened yet and the odds are low.) I guess I'd better screen some of them out!
True story: friend had a bank (in the 1990s) randomly generate a PIN of 2222 for him. He got it reset.
That being said, you usually need the matching gadget/account as well.
Four digit PINs are a fine solution in many contexts.
A bigger problem is always going all in nuclear when it comes to security. If the solution is impossible to use, no one gives a shit about security.
It’s 2025, why are we still protecting our money with 4 digits? Our phones have advanced biometrics, why can’t our cards have that too?
Card issuers need to stop being lazy because they have a monopoly and innovate a bit.
Because you can't change biometrics. What are you going to do, wear gloves so that you have a different fingerprint?
The money is also protected by your financial institution's fraud detection. I've had everything from ATM transactions to store purchases flagged as fraud despite having the correct PIN and the physical card.
It is probably still almost 10%, but we seem to imply that "frequency of a pin within the set of all 4 digit pins" is frequency of the pin amongst the population, but that means we're not counting people who, e.g., use 6 digit pins.
(Or I suppose that just reinforces the point: most people are setting first 2 digits of the 6 digit pin to "00", essentially, although now I wonder if a phone accepts 001234 and 1234 as equivalent. Is it a string, or an int? I'd presume the former…)
The fact that my technology-inhibited parents somehow chose one of the lesser used combinations has left me dumbfounded.
For a while I used the first 4 digits from my old zip code. e.g. 2050
popular ones must be better - otherwise why would they be popular?
I think a pin is only supposed to be a second line of defense, like entering your zip code with your credit card. People who use 1234 as an ATM pin think their card prolly won't get stolen, and if it is, the machines all have cameras so you can see the thief picking his nose.
it seems like my pin of 1077, the same as a cheese pizza and soda at my old job, is still super secure.
0775 seems to be safe too
Would 0600 be even safer then?
yes, but perhaps change ownership too
“So, what do I owe you?”
“$10.77. Same as my PIN number.”
For anything where I can set/reset the PIN with the card already in possession (which is pretty much everything it seems), I just have an algorithm I use based off of the actual card details, so I never have to memorize anything.
Just mix and match two last digits of the year your parents/siblings were born and you’re golden.
Side note; I’m surprised 6969 is not more popular :)
This is a cool visualization! I didn't know ABC did this sort of stuff
Hard not to ack that the common ones are the default values of most locks? Is akin to finding that the default admin password on many databases/servers/etc is not changed by the users?
The post is much better than the clickbaity title suggests.
Loved the visualisation and the fact that 2902/0229 are noticeably lighter than surroundings.
Oh good, my favorite Rush song is still safe.
Actually 2112 is slightly elevated in the other reddit heatmap someone linked that you can zoom in on.
What a beautiful infoviz presentation, esp for a major news site. Good work Julian Fell and Teresa Tan!
This is the same combination I have on my luggage.
My luggage is more secure, it has a 5 at the end.
So this is like Birthday paradox but for PINs.
I'm disappointed I couldn't mouse over the grid to find my PIN and see how popular it is...
I'm flatly amazed "1701" isn't in the top 50.
I’d like to think Trek watchers are smarter than that.
I know people with "8472" as well.
why?
USS Enterprise (NCC-1701), Star Trek reference.
Oh duh, I should've caught that
Only 1 in 10?
Far better to use a six digit pin, like 0-0-0-0-0-0.
Sounds like the Team Fortress 2 "Meet the Spy" PIN
"1-1-1-uh-1!"
The pin isn't the security, your physical card is. Pins are usernames, cards are passwords.
I think that’s exactly opposite. The card is the unique identifier assigned by the bank. We could all share the same PIN.
> The card is the unique identifier assigned by the bank.
The account number is the unique identifier assigned by the bank. Your card is the physical "key" (password) to said account, and the PIN is your self chosen identifier (username).
Think of it this way: I can tell you my pin number and my bank account number all day long, it doesn't matter if you don't have my card. But if you had my card, you'd have a reasonable shot at guessing the PIN and gaining access. The card is the password.
The card is a physical representation of your account number, readable with a magstripe scanner. It's analogous to a username written on a scrap of paper.
Despite the misnomer, a PIN can't really be an identifier if you and I have the same one.
> The card is a physical representation of your account number, readable with a magstripe scanner.
Which is no longer true for EMV cards, though. There, the chip contains some additional data which cannot be easily copied and which helps identify the card as a bona fide real card issued by a bank.
https://www.emv-connection.com/contact-chip-card-online-auth... (there's also some alternative authentication method that would work offline, i.e. just between the card and the payment terminal)
True, but for analogy purposes, it still maps back to a specific account somewhere.
> Despite the misnomer, a PIN can't really be an identifier if you and I have the same one.
Sure it can, the namespace is just within your account.
I am logging into account X (account number) as Person Y (PIN) with authorization Z (card)
Person Y and Person Z on account X could use the same PIN with different cards. A PIN is not an identifier.
Except my wife and I can both have the same PIN, so it's still not a unique identifier.
A PIN is a password, not a username.
Still doesn't make the PIN the username. You can have two passwords. The PIN is closer to the MFA code.
Or more like PIN is that password, and the card is the token.
A more sensible way to break it down is by "something you have" (phone or YubiKey), "something you know" (password) and "something you are" (face or fingerprint).
Username and password are both something you know, so they count as just one factor. A card on the other hand is something you have, so combined with the PIN that's two factors.
My bank has more than 10k customers, despite four digit PINs.
I mixed it up though and did 4-3-2-1
the 18th most popular code, good choice
Could be! We just need to know the median number of tries a system allows before locking you out.
An assailant who doesn’t have access to this dataset may assume 4321 is more common than 18th, as I would’ve, and try it sooner. Not a great choice in that case.
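The "birthday paradox for PINs" remark and the question of how many tries a system allows before locking out can be put in numbers. This is an added example, not code from the thread or from the ABC piece; the PIN distribution, the "hot" PIN set and the user count are constructed assumptions, not the article's data.

```python
"""Shared-PIN gate model: an added, constructed example (not the ABC data).
N users pick 4-digit PINs independently from `dist`; any enrolled PIN opens the
gate; a guesser tries PINs in descending popularity.  The first k guesses all
fail only if every user avoided the top-k set: P = (1 - q_k)^N, q_k being that
set's total mass.  Used here to size lockout thresholds, not to choose PINs."""
from typing import Dict, List

ALL_PINS = [f"{i:04d}" for i in range(10_000)]
# Constructed "hot" set: plausible birth years plus PINs mentioned in the thread.
HOT = [str(y) for y in range(1940, 2006)] + ["1234", "4321", "6969", "2112", "1701"]

def uniform_pins() -> Dict[str, float]:
    """Every PIN equally likely: the naive 1-in-10000 baseline."""
    return {pin: 1 / 10_000 for pin in ALL_PINS}

def skewed_pins(hot: List[str] = HOT, hot_share: float = 0.3) -> Dict[str, float]:
    """`hot` PINs split `hot_share` of the mass evenly; all others split the rest."""
    hot_set, cold = set(hot), 10_000 - len(set(hot))
    return {p: hot_share / len(hot_set) if p in hot_set else (1 - hot_share) / cold
            for p in ALL_PINS}

def informed_order(dist: Dict[str, float]) -> List[str]:
    """PINs in descending popularity (ties broken by PIN value)."""
    return sorted(dist, key=lambda p: (-dist[p], p))

def prob_hit_within(dist: Dict[str, float], n_users: int, tries: int) -> float:
    """P(some enrolled user holds one of the first `tries` PINs in popularity order)."""
    q = sum(dist[p] for p in informed_order(dist)[:tries])
    return 1 - (1 - q) ** n_users

def expected_tries(dist: Dict[str, float], n_users: int) -> float:
    """E[guesses to first hit] = sum over k >= 0 of P(first k guesses all fail)."""
    total, q = 0.0, 0.0
    for pin in informed_order(dist):
        total += max(0.0, 1 - q) ** n_users  # P(guesses 1..k all fail)
        q += dist[pin]
    return total

def max_tries_before_lockout(dist: Dict[str, float], n_users: int, max_prob: float) -> int:
    """Largest lockout threshold that keeps P(hit before lockout) <= max_prob;
    0 means even one free guess already exceeds the risk budget."""
    t = 0
    while t < 10_000 and prob_hit_within(dist, n_users, t + 1) <= max_prob:
        t += 1
    return t

if __name__ == "__main__":  # 300 enrolled users, 5 free tries, 5 % risk budget
    for name, dist in (("uniform", uniform_pins()), ("skewed", skewed_pins())):
        print(name, round(prob_hit_within(dist, 300, 5), 3),
              round(expected_tries(dist, 300), 1), max_tries_before_lockout(dist, 300, 0.05))
```

With 300 users the uniform model already gives a roughly 14 % chance of a hit inside five tries, and under the skewed model no lockout threshold at all stays inside a 5 % budget, which is why a shared-PIN gate needs a per-user PIN or a second factor rather than a lower try count.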
Then it isn't a personal identification number. We should call them PANs, or Personal Authentication Numbers.
If you'll excuse me, I need to go fight some windmills.
If you want to be pedantic, it really isn't a number at all, it's a string of digits. A lot of "serial numbers" and "material part numbers" are not only not numbers, they're not even all digits.
If we're being pedantic then they ARE numbers, even the ones with letters. They're just not in base10.
Yeh, until your coworker thinks that he should be storing the phone numbers as an int in the database, and the ones in the Pacific northwest keep getting truncated (but only if they include the leading 1).
Numbers might be represented by numerals, but that doesn't mean every string of numerals is a number. If you need to know the difference, ask yourself if you'd ever do math with it (add to it, subtract from it), if only in principle.
Ugh, for anyone reading this, please store your phone numbers as E.164. There is no need to re-invent the wheel.
number (noun):
- a figure or group of figures used to identify someone or something (Oxford dictionary)
- a numeral or combination of numerals or other symbols used to identify or designate (Merriam Webster's dictionary)
It identifies your authentication number ;)
So a Personal Authentication Identification Number?
I like that.
P43r, a space-included numeronym[0] pronounced like Paer?
Or just the straight acronym of PAIN?
0. https://en.wikipedia.org/wiki/Numeronym
So can we call it a 'PAN number'?
Only if we use it to access the ATM machine.