The four digit PIN is a common part of our everyday life. From door codes to ATMs to cell phones, some of us use a four digit PIN daily. Although it sounds a bit counter intuitive, using only three unique numbers in your PIN instead of four different numbers will your make your PIN more secure. In other words, a PIN like 3963 is more secure than one like 1872.
Most PINs tend to be four digits and have options from ten characters (0-9). The brute force strength of this is 10,000 different combinations (104=10,000). This is probably sufficient to ward off a manual brute force attack. The fact that most ATM card skimmers include PIN loggers seems to bear this out.
It’s pretty common knowledge, however, that straight brute force is often unnecessary. Residue and oils on your fingers will leave traces. Just a tilt to the light will often tell the attacker exactly what digits are used in your PIN and sometimes the PIN is used so often that light is not even necessary.
When an attacker knows that there are only four digits and four places their brute force attack drops from 10,000 to 24 (From 104 to 4! or 4x3x2x1). This drops even further with the likelihood that a specific pattern was probably used for easier recall. Take a look at the following two pictures and remember to keep your cell phones clean.
The PIN to unlock this cell phone is probably a pattern like 2546 or the opposite 6452.
It is likely that the PIN above is an easy to remember date like 1968 or 1986
(photo from Schneier on Security)
So what happens when you use only three numbers in a four digit PIN? The straight brute force strength remains the same at 10,000, but what about in the case of information leakage when there are smudges or worn keys?
Only three smudges this time. So what’s the PIN?
Since the attacker only knows three digits they are not sure which of the three is repeated or in which place it is repeated. While number patterns might help here (dates like 1990 & 2001 for instance) place patterns will always be an unhelpful triangle. In addition they can no longer calculate a straight factorial function of four (4!=24) to figure out how many different patterns are possible. The attacker has to calculate each string that could contain a single duplicate of the original three numbers.
If all possible permutations of four known numbers in a four digit PIN is 24, then the number of permutations where one number is repeated reduces that by half (4x3x1x1) or twelve. The attacker is not sure which of the three digits is repeated so they will have to try those 12 permutations three time, one for each known number. This means they now have 36 permutations to go through; 50% stronger than a PIN using four numbers.
The same does not work for a PIN using only two numbers. A quick calculation shows that even exponentially 24
is only 16 permutations. If you subtract 1111 and 2222 you are left with 14 permutations that have at least one of each character.
This makes three the sweet spot for slightly more secure four place PIN. It stands up as well as a four character PIN to straight brute force and is more secure under information leakage such as smudges and wear and tear.
It is a little bittersweet to discover that this ground has already been covered, but kudos to Presh Talwalkar. His article from Jan 2011
has much better math than mine.
This post seems to be getting a little traction, so let me be clear that whether we’re talking about 12, 24, or 36 permutations the difference between them is pretty trivial for anyone with focus. Moving to a 6 or 8 digit PIN would be an improvement across the board.