Why six digit PINs are no better for security than four digits (2024)


It has everything to do with psychology.

“Mathematically speaking, there is a huge difference, of course,” said Philipp Markert of the Horst Görtz Institute for IT Security at Ruhr-Universität Bochum. “However, users prefer certain combinations: some PINs are used more frequently, for example, 123456 and 654321.”


“It seems that users currently do not understand intuitively what it is that makes a six-digit PIN secure,” added colleague Markus Dürmuth.

In the study, subjects used Apple or Android devices, and set either four or six-digit PINs.

Since iOS 9, Apple phones have included a blacklist that automatically rejects known weak PINs during setup, because owners are prone to choosing them.

The team created or had access to several of these blacklists (see below), including Apple’s four-digit and six-digit lists, which were obtained by getting a computer to try all combinations on an iPhone.

As an aside, there are 274 numbers on the four-digit iPhone list and 2,910 on the six-digit one. “Since users only have ten attempts to guess the PIN on the iPhone anyway, the blacklist does not make it any more secure,” said researcher Maximilian Golla of the Max Planck Institute for Security and Privacy in Bochum.

Android smartphones instead limit how quickly different codes can be tried in succession, according to the university. “In eleven hours, 100 number combinations can be tested,” said Markert. Because an attacker can try more PINs on Android, a blacklist would make more sense on Android devices.

Back at the experiment, 1,220 participants chose PINs, which, importantly for the results, were then attacked with 10, 30 or 100 guesses to mimic the way phones limit unlock attempts.

As an attack on a random phone will succeed sooner if the most likely numbers are tried first, the researchers began each attack with the most common, blacklisted numbers. “We guessed differently depending on the assigned treatment. If the participant was not allowed to select certain PINs, we also skipped those when guessing,” Markert told Electronics Weekly.

It was this attack, run under the attempt limit, that revealed that six-digit PINs are no better than four-digit PINs: with only 10, 30 or 100 guesses, what matters is whether the victim chose one of the most popular PINs, not how many PINs are possible.

So, mainly because manufacturers limit the number of unlock attempts, a prudently chosen four-digit PIN is secure enough.
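The throttled guessing attack described above, as an added example in Python that is not the study’s own code or data. It builds a constructed population in which a share of users pick one of the ten most common PINs from the table further down (rank-weighted) and the rest choose uniformly at random, then runs the attacker with a budget of 10, 30 or 100 guesses, most common PIN first, skipping blacklisted PINs when the population was forced to re-pick, as the study did per treatment. The population shape (`head_share`), the ten-entry blacklist and the `enforce_blacklist` re-pick model are assumptions, not the study’s parameters.

```python
# Added example (not the study's code or data): a throttled PIN-guessing attack
# against a constructed user population, in the style of the 10/30/100-guess
# attacks described in the article. The two top-ten lists come from the
# article's table; everything else here is an assumption for illustration.
from itertools import islice
import random

TOP_FOUR = ["1234", "0000", "2580", "1111", "5555",
            "5683", "0852", "2222", "1212", "1998"]
TOP_SIX = ["123456", "654321", "111111", "000000", "123123",
           "666666", "121212", "112233", "789456", "159753"]


def build_population(top_pins, digits, n_users, head_share, seed=0):
    """Constructed population: a `head_share` fraction of users pick one of the
    top PINs (rank-weighted, so rank 1 is most likely), everyone else picks
    uniformly at random from the whole PIN space."""
    rng = random.Random(seed)
    weights = [1.0 / (rank + 1) for rank in range(len(top_pins))]
    pins = []
    for _ in range(n_users):
        if rng.random() < head_share:
            pins.append(rng.choices(top_pins, weights=weights)[0])
        else:
            pins.append(f"{rng.randrange(10 ** digits):0{digits}d}")
    return pins


def enforce_blacklist(pins, blacklist, digits, seed=1):
    """Assumed model of the 'must pick a new PIN' treatment: a user whose PIN is
    on the blacklist is replaced by a uniformly random PIN that is not on it."""
    rng = random.Random(seed)
    banned = set(blacklist)
    out = []
    for pin in pins:
        while pin in banned:
            pin = f"{rng.randrange(10 ** digits):0{digits}d}"
        out.append(pin)
    return out


def guess_order(ranked, digits, blacklist=None):
    """Attacker's guess order: most frequent PINs first, then the rest of the
    space in numeric order. If the target device enforced a blacklist, those
    PINs cannot be the victim's, so they are skipped (as the study did)."""
    banned = set(blacklist or ())
    seen = set()
    for pin in ranked:
        if pin not in banned and pin not in seen:
            seen.add(pin)
            yield pin
    for value in range(10 ** digits):
        pin = f"{value:0{digits}d}"
        if pin not in banned and pin not in seen:
            yield pin


def attack_success(pins, order, budget):
    """Fraction of users compromised when the attacker gets `budget` guesses."""
    guessed = set(islice(order, budget))
    return sum(pin in guessed for pin in pins) / len(pins)


def run_experiment(n_users=10000, head_share=0.3):
    """Success rate of 10/30/100-guess attacks for four- and six-digit PINs,
    with and without an enforced blacklist of the ten most common PINs.
    Returns {(length, treatment, budget): success_rate}."""
    results = {}
    for label, top, digits in (("4-digit", TOP_FOUR, 4), ("6-digit", TOP_SIX, 6)):
        population = build_population(top, digits, n_users, head_share)
        treatments = (
            ("no blacklist", population, None),
            ("blacklist", enforce_blacklist(population, top, digits), top),
        )
        for treatment, pins, blacklist in treatments:
            for budget in (10, 30, 100):
                order = guess_order(top, digits, blacklist)
                results[(label, treatment, budget)] = attack_success(pins, order, budget)
    return results


if __name__ == "__main__":
    for (length, treatment, budget), rate in sorted(run_experiment().items()):
        print(f"{length:8s} {treatment:13s} {budget:4d} guesses: {rate:.3f}")
```

Compare the 10-guess rows: the four- and six-digit populations fall at the same rate, because a ten-guess attacker only ever reaches the head of the distribution, while the enforced-blacklist rows drop to the uniform baseline of budget divided by the remaining PIN space. The same `budget` parameter stands in for Android’s slower throttling; 100 guesses is the eleven-hour figure quoted above.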

By the way, the most common four-digit PINs according to the study are 1234, 0000, 2580, 1111 and 5555 (a longer list follows below). 2580 appears because it is the middle column of a numeric keypad, read top to bottom.

Deeper analysis indicated that the ideal blacklist for four-digit PINs would need about 1,000 entries, and would differ slightly from the one deduced for Apple.

The team also examined Apple’s practice of warning the user about a blacklisted PIN but still letting them keep it. Some participants who had entered a PIN from the blacklist were allowed to choose whether or not to set a new PIN after the warning, while others were compelled to set a new PIN that was not on the list.

On average, the PINs of both groups were equally difficult to guess.

Blacklists

The work will be presented as ‘This PIN can be easily guessed’ at the IEEE Symposium on Security and Privacy in San Francisco in May 2020. The paper details the experimental blacklists and draws conclusions on how blacklists might be improved.

One last piece of information from the team: four- and six-digit PINs are less secure than passwords, but more secure than pattern locks.

Ruhr-Universität Bochum and the Max Planck Institute for Security and Privacy worked with George Washington University.

The most common PINs

Four digit    Six digit
1234          123456
0000          654321
2580          111111
1111          000000
5555          123123
5683          666666
0852          121212
2222          112233
1212          789456
1998          159753



Article information

Author: Gregorio Kreiger

Last Updated:

Views: 6292

Rating: 4.7 / 5 (77 voted)

Reviews: 92% of readers found this page helpful

Author information

Name: Gregorio Kreiger

Birthday: 1994-12-18

Address: 89212 Tracey Ramp, Sunside, MT 08453-0951

Phone: +9014805370218

Job: Customer Designer

Hobby: Mountain biking, Orienteering, Hiking, Sewing, Backpacking, Mushroom hunting, Backpacking

Introduction: My name is Gregorio Kreiger, I am a tender, brainy, enthusiastic, combative, agreeable, gentle, gentle person who loves writing and wants to share my knowledge and understanding with you.