from Hacker News

PIN number analysis (2012)

by worez on 8/2/18, 9:10 AM with 72 comments

  • by taneq on 8/3/18, 4:24 AM

    > … it’s staggering how popular this password appears to be. Utterly staggering at the lack of imagination …

    It's also staggering how often a system requires a passcode but the operators of the system don't want to use one, or the system needs to be provided with a known passcode so the client can log into it for the first time.

    Often, also, passcodes serve as courtesy locks, where the intention isn't to make it impossible to gain access (far from it, often on industrial systems you might need night shift to be able to get in and change settings in an emergency) but to signal to an operator that they're entering an area of the program where they shouldn't touch anything without explicit instructions.

    In either of these cases, an easily guessable (I'd go so far as to say 'standard') PIN strikes the right balance between no security at all, and actually keeping out people who might need access.

  • by sdinsn on 8/3/18, 3:40 AM

    > All the usual suspects occur, but a new addition is the puerile addition in position #20 of the concatenation of 420 and 69.

    Neat

  • by jamies888888 on 8/3/18, 9:31 AM

  • by ikeboy on 8/3/18, 11:31 AM

    Given that these are pulled from breaches, it's very likely these are from fake accounts that used a simple password to create many accounts using bots.

    Would be interesting to look at the email addresses associated and see if you can see a pattern and maybe filter those out.

  • by slavik81 on 8/3/18, 8:22 AM

    Aside from the top two passwords (~17%), the distribution is not so bad. The next five passwords are only 5% of the distribution, which is much more reasonable. With 10^4 possible combinations, these obviously weren't designed to prevent a brute-force attack on their own. For example, with bank accounts the bank card provides a second factor and access attempts are monitored.

    There's also little point in hashing a 4-digit PIN. If the PINs were perfectly distributed, it would only take an average of 5,000 guesses to find the original PIN given the hash. Of course, this analysis has shown that they're anything but perfectly distributed; a quarter of them would take less than 20 tries.
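The guess-count arithmetic in this comment, as an added example that is not part of the thread or of the linked article: it computes the expected number of guesses to hit a random user's PIN, the share of users found within the first n guesses, and the number of guesses needed to cover a given share, once for a uniform distribution over all 10^4 PINs and once for a constructed skewed table. The PINs and percentages in `CONSTRUCTED_TOP` are assumptions shaped like the comment's figures (two dominant PINs, a few runners-up, a flat tail), not the article's data.

```python
"""Expected guessing effort for 4-digit PINs: uniform vs. skewed choice.

Added example; the frequency table below is CONSTRUCTED to resemble the
shape described in the comment and is not the article's dataset.
"""

PIN_SPACE = 10_000  # every 4-digit PIN, 0000..9999

# Constructed share of users choosing each PIN (assumed values).
# Top two ~17% combined, next five ~5% combined, then a handful of
# smaller favourites; everything else is spread evenly over the tail.
CONSTRUCTED_TOP = {
    "1234": 0.11, "1111": 0.06,
    "0000": 0.02, "1212": 0.01, "7777": 0.007, "1004": 0.007, "2000": 0.006,
    "2222": 0.003, "4444": 0.003, "6969": 0.003, "9999": 0.003,
    "3333": 0.003, "5555": 0.003, "1122": 0.003, "1313": 0.003,
    "8888": 0.003, "4321": 0.003, "2001": 0.003, "1010": 0.003, "1998": 0.003,
}


def uniform_distribution(space=PIN_SPACE):
    """Every PIN equally likely: the best case the comment compares against."""
    p = 1.0 / space
    return {f"{i:04d}": p for i in range(space)}


def skewed_distribution(top=CONSTRUCTED_TOP, space=PIN_SPACE):
    """pin -> probability over the whole space, with the remaining mass
    spread evenly over the PINs not listed in `top`."""
    remaining = 1.0 - sum(top.values())
    tail_p = remaining / (space - len(top))
    dist = {f"{i:04d}": tail_p for i in range(space)}
    dist.update(top)
    return dist


def guess_order(dist):
    """Optimal guessing order: most popular PIN first."""
    return sorted(dist, key=lambda pin: dist[pin], reverse=True)


def expected_guesses(dist):
    """E[number of guesses] when guessing in popularity order:
    sum over k of k * P(k-th most popular PIN)."""
    return sum(k * dist[pin] for k, pin in enumerate(guess_order(dist), 1))


def fraction_found_within(dist, n):
    """Share of users whose PIN is among the first n guesses."""
    return sum(dist[pin] for pin in guess_order(dist)[:n])


def guesses_for_share(dist, share):
    """Smallest n such that the first n guesses cover `share` of users."""
    total = 0.0
    for n, pin in enumerate(guess_order(dist), 1):
        total += dist[pin]
        if total >= share:
            return n
    return len(dist)


if __name__ == "__main__":
    for name, dist in (("uniform", uniform_distribution()),
                       ("skewed (constructed)", skewed_distribution())):
        print(f"{name}: expected guesses = {expected_guesses(dist):.1f}, "
              f"found within 20 = {fraction_found_within(dist, 20):.1%}, "
              f"guesses to cover 25% = {guesses_for_share(dist, 0.25)}")
```

For the uniform case the expectation is 5000.5, the comment's "average of 5,000"; with the constructed skewed table a quarter of users fall inside the first 20 guesses. The same enumeration works offline against a bare hash of the PIN, since the space and the ordering are unchanged, which is why hashing adds little and the real protection is the monitoring and second factor the comment mentions for bank cards.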

  • by nodesocket on 8/3/18, 7:02 AM

    Reminds me of Spaceballs.

    "The combination is 1...2...3...4...5..."

    "That's the stupidest combination I ever heard in my life... That's the kind of thing an idiot would have on his luggage."

  • by emilfihlman on 8/3/18, 11:45 AM

    > I’m not going to sell, donate or release the source data – don’t ask!

    This is absolutely stupid. You can reverse the dataset almost completely from the provided data (images and fixed points).

    FFS it's only a two column spreadsheet with columns "pin" and "count"/"frequency". It has no additional security implications after the release of this article.

  • by dyu on 8/3/18, 8:54 AM

    If you are interested in this sort of analysis, I recommend reading into works by Joseph Bonneau: http://jbonneau.com/publications.html

  • by lixtra on 8/3/18, 7:01 AM

    > Hackers can read too! They will also be promoting 8068 up their attempt trees in order to catch people who read this (or similar) articles.

    Only if they know you’re a geek. The above fact won’t reach John Doe and influence his PIN choice.

  • by hw on 8/3/18, 7:19 AM

    I'm surprised that 1004 is that high up. I doubt it merely has to do with the Korean significance, unless the data source is heavily skewed towards PIN usage by Koreans.

  • by foota on 8/3/18, 5:05 AM

    Interesting that more aren't year based.

  • by paulpauper on 8/3/18, 8:51 AM

    There's a story that one way Feynman could break locks was by guessing 2718 and 3141.

  • by shawabawa3 on 8/3/18, 9:15 AM

    I'm surprised 8086 is the least common PIN, as it's significant in computing[1]. Maybe the dataset just didn't have many programmers in it

      [1] https://en.wikipedia.org/wiki/X86

  • by joekrill on 8/3/18, 1:39 PM

    Don't some banks allow 6 digit PINs?

  • by nerdwaller on 8/2/18, 2:10 PM

    I’m surprised to not see 2580 in the top 20, given that’s straight down the center and all unique items.

  • by Markoff on 8/4/18, 5:43 AM

    That last XKCD is completely useless since many services require an upper and lower case letter, a digit and a symbol.

  • by just_observing on 8/2/18, 2:49 PM

    It's a PIN

    It's not a PIN number

    You can't have a Personal Identification Number Number

    I get that it's what people say, but that doesn't make it right.

    /rant

  • by hyperpallium on 8/3/18, 7:05 AM

    PIN identification number

  • by mrmondo on 8/3/18, 9:58 AM

    Am I the only one that gets annoyed by the use of 'PIN Number' which is 'Personal Identification Number Number'? It annoys the !@#%$ out of me!

  • by jwilk on 8/3/18, 9:32 AM

    (2012)

  • by f2f on 8/3/18, 3:15 AM

    Was the analysis performed at the Department of Redundancy dept?

  • by mrweasel on 8/3/18, 6:19 AM

    This is completely avoidable, you simply don't allow people to pick their own PIN. Banks don't allow you to pick your credit/debit card PIN, and I would assume that this is precisely one of the reasons why.