When it comes to computer security, randomness is our friend.
Our system of four-digit personal identification numbers, or PINs, relies on the 10,000 different codes available on a 0-9 keypad to make it impractical for thieves to guess what we’ve chosen, at least when the card locks after a few wrong tries.
Too bad that, as data mining consultant Nick Berry points out, people exhibit “a staggering lack of imagination in selecting codes” protecting their most sensitive financial information.
In a recent post on his company’s blog, Berry, president of Data Genetics, presented evidence that 1234, the most commonly used PIN, is chosen nearly 11 percent of the time. The rest of the 20 top PIN choices were equally predictable, running from 0000 at No. 2 through 6969 (No. 10) to 1010 at No. 20.
Berry came up with his statistics by looking around the Internet for numeric passwords that had been exposed and left as trophies by hackers, then filtered them down to the four-digit codes. He ended up with 3.4 million entries in his PIN database. Drawing on studies showing that people reuse the same four digits in several places, he’s confident his password list can be applied to ATMs.
Together, these fairly obvious top 20 PINs make up just shy of 27 percent of all PINs. Statistically, this means that a thief could crack more than 10 percent of four-digit codes by guessing 1234 alone, nearly 27 percent with just those 20 numbers, and 50 percent with 426 numbers.
If we selected our codes completely randomly, each PIN would be represented just 0.01 percent of the time, or one in 10,000.
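The arithmetic behind those percentages is simple once the PINs are ranked by frequency: an attacker with a budget of k guesses tries the k most common codes, and the share of victims they hit is the cumulative frequency of those codes. The following is an added example, not code or data from Berry’s post or Data Genetics; it builds a constructed PIN corpus (ten obvious codes with large counts, every other code appearing once, so its tail is flatter than Berry’s real data and it needs far more than 426 guesses to reach 50 percent) and computes the coverage of a top-k guess list, the number of guesses needed for a target coverage, and the success rate of a three-try attack compared with the uniform baseline.

```python
# Added example (not Berry's code or Data Genetics data): how a skewed PIN
# distribution translates into attacker success under a limited guess budget.
from typing import Dict, List, Tuple

PIN_SPACE = 10_000  # every code from 0000 to 9999


def constructed_sample() -> Dict[str, int]:
    """A constructed corpus of 4-digit PIN counts, NOT Berry's 3.4M dataset.

    Ten obvious codes get large counts so the head resembles the article's
    numbers (1234 is about 11 percent of the total); every other code appears
    exactly once, giving a flat tail of 9,990 entries (total 14,070).
    """
    head = {
        "1234": 1600, "0000": 1230, "1111": 420, "1212": 250, "7777": 150,
        "1004": 120, "2000": 100, "4444": 80, "2222": 70, "6969": 60,
    }
    counts = {f"{n:04d}": 1 for n in range(PIN_SPACE)}  # uniform tail
    counts.update(head)
    return counts


def rank_pins(counts: Dict[str, int]) -> List[Tuple[str, int]]:
    """Most frequent first; ties broken by the code so the order is stable."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def coverage(counts: Dict[str, int], k: int) -> float:
    """Fraction of all observed PINs hit by guessing the top-k codes in order."""
    total = sum(counts.values())
    return sum(c for _, c in rank_pins(counts)[:k]) / total


def guesses_for_coverage(counts: Dict[str, int], target: float) -> int:
    """Smallest k such that the top-k guesses cover at least `target` of PINs."""
    total = sum(counts.values())
    running = 0
    for k, (_, c) in enumerate(rank_pins(counts), start=1):
        running += c
        if running / total >= target:
            return k
    return PIN_SPACE  # only reached if target > 1.0


def attack_success(counts: Dict[str, int], budget: int) -> Tuple[float, float]:
    """Probability of guessing a random victim's PIN within `budget` tries.

    Returns (skewed, uniform): the first assumes victims choose PINs with the
    observed frequencies and the attacker guesses in rank order; the second is
    the baseline if every code were chosen with probability 1/10,000.
    """
    return coverage(counts, budget), budget / PIN_SPACE


if __name__ == "__main__":
    sample = constructed_sample()
    for k in (1, 5, 20):
        print(f"top {k:>3} guesses cover {coverage(sample, k):6.2%}")
    print(f"guesses needed for 50%: {guesses_for_coverage(sample, 0.5)}")
    # A budget of 3 models a card that locks after three wrong tries (assumption).
    skewed, uniform = attack_success(sample, budget=3)
    print(f"3-try attack: {skewed:.2%} vs {uniform:.2%} if PINs were uniform")
```

The last line is the practitioner’s takeaway: against this constructed distribution three guesses succeed roughly one time in four, where a uniform choice of PIN would hold a three-try attacker to 0.03 percent. Swapping in a real frequency list only changes the numbers, not the shape of the result.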
A spike around the code 1972 also showed Berry that people frequently use their birth years as PINs. “It’s easy to remember, but also easy to guess,” he said, particularly if you lose your wallet. With your bank card and your driver’s license, a malefactor has “both the card and the key to the code,” says Berry.
The upside is that the less common PINs are even safer than a random choice would be. In Berry’s chart below, the red line shows how the distribution of passwords would look if they were randomly selected, and the blue curve shows how the actual distribution is skewed. “All the uncommon passwords on the right of the graph have a probability less than random theory would suggest,” Berry said.
If the top 20 is filled with the most maddeningly unimaginative numbers, the next 20 show the hive mind’s fun side: “2001 makes an appearance at #19,” Berry wrote on his blog. “1984 follows not far behind in position #26, and James Bond fans may be interested to know 0007 is found between the two of them in position #23.”
At No. 22 is 2580, whose popularity mystified Berry until he realized that those four digits run straight down the middle column of the keypad.
What’s the least common variation? Clocking in at No. 10,000 is 8068. Despite its rarity, Berry doesn’t recommend choosing it. “Please don’t go out and change yours to this! Hackers can read too!”
How easy would it be for a thief to guess your password on your banking website or four-digit PIN that you use at your ATM?