An observation about 4-digit PINs. They're even weaker than you might think just from "doing the math", at least in some cases. Sure, there are 10,000 combinations to search through if you're trying to brute force one, but I'd bet money that in most cases you don't need to search anywhere near that many.<p>Case in point: I had a unit at a mini-storage place once. And you needed a 4-digit PIN to get through the gate. And I forgot the PIN I used. I was sitting at the gate for a minute, staring at the keypad and realized "wait... hundreds of people have PINs in this system and the system doesn't care <i>which one</i> you use". So I just needed a PIN that somebody used. So I started with years that would have been reasonable birth years for an average adult at that time and started going up. I think it took about 6 tries to find a valid PIN.<p>Now granted, this is different than trying to brute force <i>a specific person's</i> PIN. But even then, I expect that in many cases an informed search will crack it a lot faster than a purely sequential search or a random search. Using common birth years, well-known numbers like "5150", "1234", "4321", etc. is probably going to work a lot of times.
> Almost one in 10 people use the same four-digit PIN<p>I can't think of the PIN 1234 without immediately thinking of Dark Helmet:<p>"So the combination is one, two, three, four, five? That's the stupidest combination I ever heard in my life! That's the kind of thing an idiot would have on his luggage!" <a href="https://www.youtube.com/watch?v=7rSmMm-7SVA" rel="nofollow">https://www.youtube.com/watch?v=7rSmMm-7SVA</a>
This is a really belated blogspam repost. Original:<p><a href="http://www.datagenetics.com/blog/september32012/" rel="nofollow">http://www.datagenetics.com/blog/september32012/</a>
Wish as you moused over the grid it would tell you the numerical value, or at least the one we're on with precision, so I could hover over mine (as well as others).
The other problem is that people use the same PIN on their smartphones and debit cards, for example, because who can remember multiple PINs?<p>We've replaced password sharing with PIN sharing.
Here's a heat map you can zoom in on:<p><a href="https://www.reddit.com/r/dataisbeautiful/comments/1cn7l7r/oc_most_common_4_digit_pin_numbers_from_an/" rel="nofollow">https://www.reddit.com/r/dataisbeautiful/comments/1cn7l7r/oc...</a><p>Also consider this scene from Trainspotting 2: <a href="https://www.youtube.com/watch?v=2EQCpQbUrzI" rel="nofollow">https://www.youtube.com/watch?v=2EQCpQbUrzI</a> :)
When I need a pin, I use uuidgen and grab the first four decimal digits. (I guess that could potentially include the `4` but it hasn't happened yet and the odds are low.) I guess I'd better screen some of them out!<p>True story: friend had a bank (in the 1990s) randomly generate a PIN of 2222 for him. He got it reset.
That being said, you usually need the matching gadget/account as well.<p>Four digit PINs are a fine solution in many contexts.<p>A bigger problem is always going all in nuclear when it comes to security. If the solution is impossible to use, no one gives a shit about security.
It’s 2025, why are we still protecting our money with 4 digits? Our phones have advanced biometrics, why can’t our cards have that too?<p>Card issuers need to stop being lazy because they have a monopoly and innovate a bit.
It is probably still almost 10%, but we seem to imply that "frequency of a PIN within the set of all 4-digit PINs" is the frequency of the PIN amongst the population, but that means we're not counting people who, e.g., use 6-digit PINs.<p>(Or I suppose that just reinforces the point: most people are setting the first 2 digits of the 6-digit PIN to "00", essentially, although now I wonder if a phone accepts 001234 and 1234 as equivalent. Is it a string, or an int? I'd presume the former…)
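Several comments above circle the same defensive problem: the first comment's point that birth years and well-known numbers like 1234, 4321 and 5150 cover a large share of real PINs, the uuidgen comment's idea of drawing a random PIN and screening out the weak ones, and the question just above about whether 001234 and 1234 are the same value. The following is an added example (not code from any commenter or from the linked articles) of a weak-PIN screener plus a random PIN generator in the style a card issuer or device could apply at PIN-set time. The blocklist is a small constructed set seeded from PINs named in the thread; the year, sequence, repeat and date rules are assumptions about what counts as weak, and the code generalises beyond the thread's 4-digit case to 4 to 6 digits, handling PINs as strings so leading zeros are preserved.

```python
import re
import secrets
from datetime import date

# Constructed blocklist seeded from PINs named in the thread (1234, 4321, 5150,
# 2222, 6969); a real deployment would load a published frequency list instead.
COMMON_PINS = {"1234", "4321", "5150", "2222", "6969", "0000", "1111", "1212", "7777"}


def is_year_like(pin: str) -> bool:
    """Four digits that read as a plausible birth year or recent year (assumed range)."""
    return len(pin) == 4 and 1900 <= int(pin) <= date.today().year


def is_sequence(pin: str) -> bool:
    """Ascending or descending runs such as 1234, 4321, 0123, 987654."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def is_repeated(pin: str) -> bool:
    """One digit repeated (2222) or a repeated pair (1212, 6969)."""
    if len(set(pin)) == 1:
        return True
    return len(pin) % 2 == 0 and pin == pin[:2] * (len(pin) // 2)


def is_date_shaped(pin: str) -> bool:
    """MMDD or DDMM at either end of the PIN (0229, 2902, 010190, ...)."""
    for window in {pin[:4], pin[-4:]}:
        a, b = int(window[:2]), int(window[2:])
        if (1 <= a <= 12 and 1 <= b <= 31) or (1 <= a <= 31 and 1 <= b <= 12):
            return True
    return False


def weak_reasons(pin: str) -> list[str]:
    """Return every reason a candidate PIN is weak; an empty list means it passed.

    PINs are handled as strings, so leading zeros survive: "0012" and "12" are
    different values, and "001234" is recognised as zero-padded "1234".
    """
    if not re.fullmatch(r"[0-9]{4,6}", pin):
        return ["must be 4 to 6 decimal digits"]
    reasons = []
    if pin in COMMON_PINS:
        reasons.append("on the common-PIN blocklist")
    if is_year_like(pin):
        reasons.append("looks like a year")
    if is_sequence(pin):
        reasons.append("ascending or descending digit sequence")
    if is_repeated(pin):
        reasons.append("repeated digit or digit pair")
    if is_date_shaped(pin):
        reasons.append("looks like a date (MMDD/DDMM)")
    if len(pin) > 4 and pin.startswith("0"):
        core = pin.lstrip("0").zfill(4)   # "001234" -> "1234", "000000" -> "0000"
        if weak_reasons(core):
            reasons.append("a weak 4-digit PIN padded with leading zeros")
    return reasons


def generate_pin(length: int = 4, max_draws: int = 1000) -> str:
    """Draw a uniformly random PIN from the OS CSPRNG and redraw while it is weak."""
    for _ in range(max_draws):
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if not weak_reasons(pin):
            return pin
    raise RuntimeError("no acceptable PIN drawn; loosen the rules or raise max_draws")


if __name__ == "__main__":
    for candidate in ["1234", "1985", "0229", "001234", "7391"]:
        print(candidate, weak_reasons(candidate) or "ok")
    print("generated:", generate_pin(), generate_pin(6))
```

Rejecting weak PINs at set time shrinks the keyspace slightly (a few hundred of the 10,000 four-digit values), which is why the generator simply redraws rather than biasing the draw; the bigger win is that the values an informed guesser would try first are no longer in use, which is what makes the year-first search described in the first comment stop working.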
I think a PIN is only supposed to be a second line of defense, like entering your zip code with your credit card. People who use 1234 as an ATM PIN think their card prolly won't get stolen, and if it is, the machines all have cameras so you can see the thief picking his nose.
For anything where I can set/reset the PIN with the card already in possession (which is pretty much everything it seems), I just have an algorithm I use based off of the actual card details, so I never have to memorize anything.
<a href="https://dfboyd.github.io/hw/index.html" rel="nofollow">https://dfboyd.github.io/hw/index.html</a><p>A clickable version of the original heatmap
Hard not to ack that the common ones are the default values of most locks? It is akin to finding that the default admin password on many databases/servers/etc. is not changed by the users?
Just mix and match the two last digits of the year your parents/siblings were born and you’re golden.<p>Side note: I’m surprised 6969 is not more popular :)
The post is much better than the clickbaity title suggests.<p>Loved the visualisation and the fact that 2902/0229 are noticeably lighter than surroundings.
Then it isn't a personal <i>identification</i> number. We should call them PANs, or Personal Authentication Number.<p>If you'll excuse me, I need to go fight some windmills.