by worez on 8/2/18, 9:10 AM with 72 comments
by taneq on 8/3/18, 4:24 AM
It's also staggering how often a system requires a passcode but the operators of the system don't want to use one, or the system needs to be provided with a known passcode so the client can log into it for the first time.
Often, also, passcodes serve as courtesy locks, where the intention isn't to make it impossible to gain access (far from it, often on industrial systems you might need night shift to be able to get in and change settings in an emergency) but to signal to an operator that they're entering an area of the program where they shouldn't touch anything without explicit instructions.
In either of these cases, an easily guessable (I'd go so far as to say 'standard') PIN strikes the right balance between no security at all, and actually keeping out people who might need access.
by sdinsn on 8/3/18, 3:40 AM
Neat
by jamies888888 on 8/3/18, 9:31 AM
by ikeboy on 8/3/18, 11:31 AM
Would be interesting to look at the email addresses associated and see if you can see a pattern and maybe filter those out.
by slavik81 on 8/3/18, 8:22 AM
There's also little point in hashing a 4-digit PIN. If the PINs were perfectly distributed, it would only take an average of 5,000 guesses to find the original PIN given the hash. Of course, this analysis has shown that they're anything but perfectly distributed; a quarter of them would take less than 20 tries.
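Added example, not part of the thread or the article: a Python sketch of the arithmetic in the comment above, showing why a hash (salted or not) does not protect a stored 4-digit PIN. The SHA-256-over-salt-plus-PIN scheme, the sample PIN and both frequency tables are constructed assumptions, not the article's data.

```python
import hashlib

ALL_PINS = [f"{n:04d}" for n in range(10_000)]  # the entire 4-digit keyspace

def pin_hash(pin: str, salt: bytes = b"") -> str:
    """Hash scheme assumed for illustration: SHA-256 over salt || PIN."""
    return hashlib.sha256(salt + pin.encode()).hexdigest()

def recover_pin(target: str, salt: bytes = b"", order=ALL_PINS):
    """Walk the keyspace in `order`; return (pin, guesses used)."""
    for guesses, pin in enumerate(order, start=1):
        if pin_hash(pin, salt) == target:
            return pin, guesses
    return None, len(order)

def expected_guesses(counts: dict) -> float:
    """Mean guesses when candidates are tried from most to least frequent."""
    ranked = sorted(counts.values(), reverse=True)
    return sum(rank * c for rank, c in enumerate(ranked, start=1)) / sum(ranked)

def coverage(counts: dict, k: int) -> float:
    """Fraction of all records that use one of the k most frequent PINs."""
    ranked = sorted(counts.values(), reverse=True)
    return sum(ranked[:k]) / sum(ranked)

# Constructed distributions (NOT the article's data).
UNIFORM = {pin: 1 for pin in ALL_PINS}
# 20 arbitrary placeholder PINs made popular enough to cover a quarter of records.
SKEWED = {pin: (499 if i < 20 else 3) for i, pin in enumerate(ALL_PINS)}

if __name__ == "__main__":
    stored = pin_hash("7291", salt=b"per-user-salt")  # constructed record
    print(recover_pin(stored, salt=b"per-user-salt"))
    print(expected_guesses(UNIFORM), expected_guesses(SKEWED), coverage(SKEWED, 20))
```

A per-record salt changes nothing here because the whole keyspace is only 10,000 candidates; what protects a PIN in practice is limiting attempts at the point of entry, not the storage format.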
by nodesocket on 8/3/18, 7:02 AM
"The combination is 1...2...3...4...5..."
"That's the stupidest combination I ever heard in my life... That's the kind of thing an idiot would have on his luggage."
by emilfihlman on 8/3/18, 11:45 AM
This is absolutely stupid. You can reverse the dataset almost completely from the provided data (images and fixed points).
FFS it's only a two column spreadsheet with columns "pin" and "count"/"frequency". It has no additional security implications after the release of this article.
by dyu on 8/3/18, 8:54 AM
by lixtra on 8/3/18, 7:01 AM
Only if they know you’re a geek. The above fact won’t reach John Doe and influence his PIN choice.
by hw on 8/3/18, 7:19 AM
by foota on 8/3/18, 5:05 AM
by paulpauper on 8/3/18, 8:51 AM
by shawabawa3 on 8/3/18, 9:15 AM
[1] https://en.wikipedia.org/wiki/X86
by joekrill on 8/3/18, 1:39 PM
by nerdwaller on 8/2/18, 2:10 PM
by Markoff on 8/4/18, 5:43 AM
by just_observing on 8/2/18, 2:49 PM
It's not a PIN number
You can't have a Personal Identification Number Number
I get that it's what people say, but that doesn't make it right.
/rant
by hyperpallium on 8/3/18, 7:05 AM
by mrmondo on 8/3/18, 9:58 AM
by jwilk on 8/3/18, 9:32 AM
by f2f on 8/3/18, 3:15 AM
by mrweasel on 8/3/18, 6:19 AM