Friday, April 26, 2013

Cryptonerds PINs

I'm at Finse1222, attending the annual FRISC Winter School 2013. I did an evening talk (PDF) tuesday, first part about legal issues with Bring your Own Device & Mobile Device Management, second part about some random thoughts  on passwords & PIN codes. Primarily to catch some interest from the audience of PhD students and professors, most of them within infosec/crypto at academic institutions from around the world.

Based on questions and some extra interest from Andrey Bogdanov and Sondre Rønjom, the three of us decided to do a little experiment. Here are the results. :-)

First of all, look at page 8 (PIN heatmaps) from my tuesday evening talk (link above). I gave a short description of that slide, referring to the findings of Joseph Bonneau, University of Cambridge. I highlighted the lower left block, the vertical line of years (19xx) and the 0000-1111-2222....9999 line.

Then take a look at the slides we presented yesterday (PDF, Dropbox). The initial cover page, then our request for the audience (26 people) to write down the following:

  1. One 4-digit PIN that you think you will easily remember on Friday afternoon
  2. One RANDOM 4-digit PIN
  3. One 7-digit PIN that you think you will easily remember on Friday afternoon
Questions on tuesday evening from Andrey & Sondre were specific to the obvious "block patterns" in the heatmaps from Bonneau. Even though I didn't provide an explanation for those, they are observed and explained in the post over at Datagenetics, which I refer to later in our presentation.

I discussed with Andrey & Sondre in advance, and we ended up with asking for the 3 PIN codes as listed above. Andrey was curious about the possible differences between memorable & "random" 4-digit PINs, while I wanted the 7-digit PIN for other reasons:

Association elements of passwords & PINs:

Back in 2010, at Passwords^10 in Bergen, we had Howard Smith, "chief hacking officer" at Oracle (UK) talking about user-selected PIN codes. You can see a recording of his talk on Youtube here. In his talk he talks about PIN codes longer than 4 digits, mentioning stuff like memorability and association elements used to remember longer PINs.

Now the association element part is what triggered my interest in asking for a 7-digit PIN. Back in 2012 I was invited to be co-author on the paper "Cracking Associative Passwords" from associate Professor Kirsi Helkala. She presented that paper at Passwords^12, online video recording & PDF through our media archive.

Perhaps the most interesting finding from her research was the use of color words as an associative element, which Jeremi Gosney helped me verify, and Tom K. Tørrissen visualized using infographics. Pretty cool finding imho.

So I've had discussions with friends on PIN codes that would be easy to remember. In general, 4, 6 and 8 digit PINs can easily be associated with birthdates, christmas and similar date constructions. For Norwegians all mobile and landline telephone numbers are 8 digits. 11 digits could be our Social Security Numbers (SSN), which most people remember since it is used as our username for several public services.

The obvious question came to mind: "What kind of PIN codes would users select if we ask for 5, 7, 9 or 10 digits?". More of a psychological experiment than a real-world scenario, I thought it could be interesting to use this opportunity to give it a shot. So we did. In order not to completely overwhelm the poor crypto researchers with advanced memory tasks, we settled on asking for 3 PINs, with a memorable 7-digit PIN as the longest one.

Findings from our little experiment - part 1

Andrey Bogdanov made the following statistics, based on the collected data:

1, 2 & 7 seems especially easy to remember, while 6 is not.

3 & 9 are very 'random' digits, while 0 isn't considered a random number by crypto researchers?

Just like the 4-digit memorable PINS, digits 1 & 2 seems easy to remember, while 6 is not.


Using a custom built tool by my friend Jan Fredrik Leversund (@kluzz), I ran the collected data to create heatmaps similar to those created by Joseph Bonneau ++ as well. Maybe not that useful with only 26 participants, but the difference between memorable 4-digit PINs and "random" 4-digit PINs is interesting. The heatmaps have the first digits on the horizontal axis, and the last (two) digits on the vertical axis, just like Bonneau et al did in their papers & presentations.

Heatmapping 26 4-digit user-selected memorable PIN codes.

Heatmapping 26 4-digit user-selected random PIN codes. No doubt people fled the lower-left block of PINs!

Heatmapping 26 7-digit user-selected memorable PIN codes.
To me personally I am very curious about the distribution observed for the 7-digit PINs. One user told me he just padded a 4-digit PIN, I have yet to ask other participants if they can remember it, and how they constructed their 7-digit PINs. Tomorrow morning, Friday, I'll ask people if they can remember their selected PINs. Will eventually update this blog post then. Source data may also be made available, but I will also try to repeat this exercise with other audiences, perhaps also expand it to include 5, 9 and 10-digit PINs.

Psychology is fun.

A big thank you to Andrey Bogdanov, Sondre Rønjom, Joseph Bonneau (and colleagues at Cambridge), Kirsi Helkala, Jan Fredrik Leversund, Datagenetics, Daniel Amitay, Matt Weir, Jeremi Gosney, Tom Tørrissen and probably others I can't remember right now for inspiration, tools, help & visualizations. 

Would really love to expand this simple experiment into something bigger and more scientifically correct research.

No comments:

Post a Comment

All comments will be moderated, primarily for spam. You are welcome to disagree with my posts of course.