Wednesday, May 30, 2012

Analyzing PIN codes

[ A load of PIN codes visualized ]
You can click the image above to see it full size. It is a heatmap generated by us (@KluZz and myself); the data are 4-digit PINs extracted from a physical access control system. According to the system operators, more than 50% of the PINs are believed to be selected by the users themselves, while the remaining ones are randomly generated by the system when a new 'user' is created and a physical card is issued. The complete data set includes PINs for guest and visitor cards as well. Keep that mix in mind when reading the heatmap: if the generator is sound, the system-generated PINs are spread evenly over the grid, so any visible structure comes from the user-selected share, and the plot understates how skewed that share is on its own.

To comply with Norwegian privacy law, we neither requested nor received any information about who owns each PIN, so the PINs cannot be traced back to individual users.

Now you may ask: why did we do this?

1. A birthday present every eleven wallets? The security of customer-chosen banking PINs (PDF)
A paper by Joseph Bonneau, Sören Preibusch and Ross Anderson at Cambridge University. Amazing work, and we fell in love with the heatmap on page 6. But please do read the entire paper, and visit their blog!

I called my friend and colleague Jan Fredrik (KluZz) from my car, on my way to pick up my daughter from kindergarten. I told him about the paper and its findings, and that I wanted to do something similar, but with better data. To us, better data means data whose origin we know: live data from a live system in daily use, rather than data collected at random or gathered through questionnaires.

Now KluZz is a rare creature, in a very positive way: any programming challenge I throw at him, he solves before going to bed, although it can get pretty late. :-) So the morning after, I got what I requested. You will probably get access to it too, pretty soon; code version 2 (release candidate) is in the works.

2. this lifehacker article
Based on information from the above paper. There is also more text and a video available at Mashable, and John Markoff has a story at the New York Times blog.

At least to me, a PIN code is a password, and a pretty simple one at that. I kind of enjoy the moments where someone comes up to me and says: "we're using 2-factor authentication with solution XYZ, and I bet you cannot beat that, can you? hah!". Chances are high we are talking about RSA SecurID hardware tokens, with a user-selected 4-digit PIN to go with the OTP and a username that is easily found in many cases. Essentially they have dropped the good old password and replaced it with a really bad one: a 4-digit PIN with no complexity requirements or frequent forced change. Once an attacker holds the token, the OTP is no longer a secret, and the only thing standing between him and the account is that PIN; with a distribution as skewed as the heatmap shows, a handful of guesses goes a long way. Although the attack doesn't scale - you need to collect hardware tokens - a few will probably be enough. Let's say that eleven will do (see the paper title above). :-)
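As an added example (not the authors' tool, which the post says is still unreleased, and not the Cambridge paper's code), here is the analysis behind the heatmap at the top of the post and behind the guess-count argument above, run on a small constructed PIN list: build the 100x100 grid of first two digits against last two digits, rank the most common PINs, measure what fraction of a PIN set a fixed guess list covers, compute the first-guess odds as min-entropy, and generate the date-derived candidates a thief holding someone's ID card could try. The sample data, the candidate ordering and all function names are assumptions for illustration only.

```python
"""Added example: counting, heat-mapping and guess-testing 4-digit PINs.

This is NOT the post authors' tool; it illustrates the analysis the post
describes, on a small constructed PIN list embedded below.
"""
from collections import Counter
import math

# Constructed sample (not real data): a skewed "user-chosen" cluster plus a
# few spread-out values standing in for system-generated random PINs.
SAMPLE_PINS = (
    ["1234"] * 5 + ["1111"] * 3 + ["0000"] * 2 + ["1984"] * 2 + ["2580"]
    + ["7391", "4062", "8817", "5529", "3046", "9173", "6205"]
)


def parse_pins(lines):
    """Keep only well-formed 4-digit PINs, as strings.

    PINs must stay strings: turning "0000" into int 0 silently merges it with
    "0", "00" and "000" and loses the leading zeros the heatmap needs.
    """
    pins = []
    for line in lines:
        s = line.strip()
        if len(s) == 4 and s.isdigit():
            pins.append(s)
    return pins


def pin_heatmap(pins):
    """100x100 count grid: row = first two digits, column = last two digits.

    Same layout as the heatmap in the post and in the Cambridge paper: a hot
    row 19 means birth years, a hot diagonal means repeated pairs (1212, 3434).
    """
    grid = [[0] * 100 for _ in range(100)]
    for p in pins:
        grid[int(p[:2])][int(p[2:])] += 1
    return grid


def hottest_rows(grid, n):
    """The n leading digit pairs holding the most PINs, as (row, count)."""
    sums = [(row, sum(counts)) for row, counts in enumerate(grid)]
    return sorted(sums, key=lambda rc: rc[1], reverse=True)[:n]


def top_guesses(pins, k):
    """The k most common PINs and the fraction of all PINs they cover."""
    top = Counter(pins).most_common(k)
    covered = sum(c for _, c in top) / len(pins)
    return [p for p, _ in top], covered


def guess_coverage(pins, guesses):
    """Fraction of PINs an attacker hits with a fixed guess list.

    This is the number that matters in the token scenario: with a stolen
    token and a known username, each entry in the list is one login attempt.
    """
    wanted = set(guesses)
    return sum(1 for p in pins if p in wanted) / len(pins)


def min_entropy_bits(pins):
    """-log2 of the most common PIN's probability: the attacker's first-guess odds.

    A uniform 4-digit PIN gives log2(10000) ~ 13.3 bits; a skewed set gives less.
    """
    top_count = Counter(pins).most_common(1)[0][1]
    return -math.log2(top_count / len(pins))


def birthday_candidates(year, month, day):
    """PINs a thief who has seen an ID card would try first: DDMM, MMDD, YYYY.

    The candidate set and its order are assumptions for this example, not the
    paper's list.
    """
    cands = [f"{day:02d}{month:02d}", f"{month:02d}{day:02d}", f"{year:04d}"]
    return list(dict.fromkeys(cands))  # drop duplicates such as 0606, keep order


if __name__ == "__main__":
    pins = parse_pins(SAMPLE_PINS + ["", "12345", "abcd"])  # malformed lines skipped
    grid = pin_heatmap(pins)
    print("hottest leading digit pairs:", hottest_rows(grid, 3))
    guesses, frac = top_guesses(pins, 3)
    print(f"top-3 guesses {guesses} cover {frac:.0%} of PINs")
    print(f"min-entropy {min_entropy_bits(pins):.2f} bits (uniform: {math.log2(10000):.2f})")
    cands = birthday_candidates(1984, 3, 12)
    print(f"birthday guesses {cands} cover {guess_coverage(pins, cands):.0%}")
```

The coverage figures from this sample mean nothing on their own; the method is the point, and the numbers that matter are the ones a real data set such as the one behind the heatmap produces. Note that the whole pipeline treats PINs as strings: reading them into integers is the classic way to lose every PIN starting with 0.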

3. True or false?
I must admit we do tend to disagree, not only with each other but with everyone else as well, at least until we see more proof of any claims made. Compare our heatmap to those provided in the paper from Cambridge. It seems we have pretty much the same patterns, yes? :-)


It's past midnight - again - time to go to bed. More to come; meanwhile, watch our recording of Howard Smith (Oracle, UK), "Take the cucumbers! An analysis of user selected PIN numbers" at Passwords^10 (509MB, MP4 format).


  1. Thank you for interesting thoughts, and a great mashup, on the weaknesses of user-chosen passwords/PINs (low entropy).

    One question, since you wrote "no complexity requirements or /frequent forced change/" :-) Do you really recommend frequent forced password changes? I have trouble understanding the security benefits of such practices; my assumption has been that, /in most situations/, the major damage will be inflicted by the attacker immediately after an account is compromised, and the supplemental damage from an attacker's long-term use of the account will be of far less importance. (YMMV, though)

    And thanks also for your recommendation of the blog. Their latest post (June 6th) questions the severity of the LinkedIn leak. That's a refreshing view, and their arguments seem valid.

  2. Jon B:
    No, I do not recommend frequent password changes, at least not forced ones. I've been thinking about, discussing and experimenting with the risk/benefit of frequent password changes for a few years. Sooner or later there will be a blog post from me on the subject "Do we need to change our password?", or something like that.

    Joseph Bonneau and his colleagues at Cambridge absolutely have valid arguments! Go back to the incidents of Stratfor & HBGary (and others). Look for evidence of real economic loss for them and/or their customers.

    Embarrassing incidents? YES. Documented economic loss and/or share price drop? NO. Documented losses for any of their customers? Well, there's ID theft insurance available after you get pwnd, at least in some countries...

  3. Thanks Per. Very interesting... Every eleven wallets. Shocking.

