Why six digit PINs are no better for security than four digits (2024)

It has everything to do with psychology.

“Mathematically speaking, there is a huge difference, of course,” said Philipp Markert of the Horst Görtz Institute for IT Security at Ruhr-Universität Bochum. “However, users prefer certain combinations: some PINs are used more frequently, for example, 123456 and 654321.”

“It seems that users currently do not understand intuitively what it is that makes a six-digit PIN secure,” added colleague Markus Dürmuth.

In the study, subjects used Apple or Android devices and set either four- or six-digit PINs.

Since iOS 9, because owners are prone to choosing certain weak numbers, iPhones have included a blacklist that automatically rejects those numbers while the PIN is being set.

The team created or had access to several of these blacklists (see below), including Apple’s four-digit and six-digit lists, which were recovered by having a computer attempt to set every possible PIN on an iPhone and recording which ones were rejected.

As an aside, there were 274 numbers on the four-digit iPhone list and 2,910 on the six-digit list. “Since users only have ten attempts to guess the PIN on the iPhone anyway, the blacklist does not make it any more secure,” said researcher Maximilian Golla of the Max Planck Institute for Security and Privacy in Bochum.

Android smartphones instead limit how quickly different codes can be tried in succession, according to the University. “In eleven hours, 100 number combinations can be tested,” said Markert. As attackers can try more Android PINs, a blacklist would make more sense on Android devices.

Back at the experiment, 1,220 participants chose PINs, which were then attacked with 10, 30 or 100 guesses, the budgets that mimic how phones limit unlock attempts. This throttling is central to the results.

Because an attack on a random phone succeeds sooner if the most likely numbers are tried first, the researchers ordered their guesses by popularity, which means starting with the blacklisted numbers when the victim could have chosen them. “We guessed differently depending on the assigned treatment. If the participant was not allowed to select certain PINs, we also skipped those when guessing,” Markert told Electronics Weekly.

Under these guess budgets, six-digit PINs turned out to be no harder to guess than four-digit PINs: the attacker runs out of attempts long before the size of the keyspace makes any difference.

So, mainly because manufacturers limit the number of PIN unlocking attempts, a prudently chosen four-digit PIN is secure enough.

By the way, the most common four-digit PINs according to the study are: 1234, 0000, 2580, 1111 and 5555 (see the table below for a longer list). 2580 is there because it is a vertical column on a numeric keypad.

Deeper analysis indicated that the ideal blacklist for four-digit PINs would have to contain ~1,000 entries and differ slightly from the one deduced for Apple.

The team also examined Apple’s practice of letting users keep a blacklisted PIN after a warning. Some participants who had entered a PIN from the blacklist were allowed to decide for themselves whether to choose a new PIN after the warning, while others were compelled to set a new PIN that was not on the list.

On average, the PINs of both groups were equally difficult to guess.
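To make the attacker’s procedure concrete, here is an added example in Python (not the study’s code, data or results). It implements the strategy described above: guess the most popular PINs first, skip any PIN the victim could not have chosen because a blacklist rejected it, and stop at the device’s attempt budget of 10, 30 or 100. It also covers the two blacklist questions raised above: what a blacklist of a given size does to a throttled attacker, and what a forced re-pick does to the remaining PIN distribution. Everything about PIN popularity in it is a constructed assumption: the article’s ten most common PINs are taken to be the ten most popular in that order, the rest of the keyspace follows in numeric order, the first 1,000 ranks are assumed to hold half of all users with Zipf-like weights, the remaining users are spread uniformly over the rest of the keyspace, both PIN lengths are given the same set of popular choices (the article’s explanation for why six digits do not help), and users rejected by a blacklist are assumed to re-pick from the same distribution restricted to the allowed PINs. The rates it prints therefore illustrate the mechanics, not the study’s measured values.

```python
"""Throttled PIN-guessing model (added example; constructed assumptions).

Attacker: most-popular-first, skipping PINs a blacklist made impossible,
stopping at the device's attempt budget. Popularity model: the article's
ten most common PINs first, the rest of the keyspace in numeric order,
the first HEAD ranks sharing HEAD_MASS of users with Zipf-like weights,
the rest of the users spread uniformly over the remaining keyspace.
"""
from itertools import islice
from typing import AbstractSet, Iterator, Set

# The article's "most common PINs" table, in the order given there.
COMMON = {
    4: ["1234", "0000", "2580", "1111", "5555",
        "5683", "0852", "2222", "1212", "1998"],
    6: ["123456", "654321", "111111", "000000", "123123",
        "666666", "121212", "112233", "789456", "159753"],
}
HEAD = 1000       # constructed: how many ranks count as "popular"
HEAD_MASS = 0.5   # constructed: share of users whose PIN is in the head
S = 0.5           # constructed: Zipf exponent inside the head
_HEAD_NORM = sum(r ** -S for r in range(1, HEAD + 1))


def base_rank(pin: str, length: int) -> int:
    """Popularity rank of `pin` in the constructed order (1 = most popular)."""
    common = COMMON[length]
    if pin in common:
        return common.index(pin) + 1
    value = int(pin)
    earlier = value - sum(1 for c in common if int(c) < value)  # non-common PINs below it
    return len(common) + earlier + 1


def weight(pin: str, length: int) -> float:
    """Probability that a user who faces no blacklist picks `pin`."""
    rank = base_rank(pin, length)
    if rank <= HEAD:
        return HEAD_MASS * rank ** -S / _HEAD_NORM
    return (1.0 - HEAD_MASS) / (10 ** length - HEAD)


def attack_order(length: int, skip: AbstractSet[str] = frozenset()) -> Iterator[str]:
    """Yield PINs most-popular-first, leaving out those in `skip`."""
    seen = set(skip)
    for pin in COMMON[length]:
        if pin not in seen:
            yield pin
    seen.update(COMMON[length])
    for value in range(10 ** length):
        pin = f"{value:0{length}d}"
        if pin not in seen:
            yield pin


def success_probability(length: int, budget: int,
                        blacklist: AbstractSet[str] = frozenset(),
                        attacker_knows_blacklist: bool = True) -> float:
    """Chance that `budget` guesses unlock a device whose owner chose a PIN
    under `blacklist`; rejected choices re-pick from the allowed remainder."""
    allowed_mass = 1.0 - sum(weight(p, length) for p in blacklist)
    order = attack_order(length, blacklist if attacker_knows_blacklist else frozenset())
    # A guess on a blacklisted PIN can never hit, so it only burns budget.
    gained = sum(weight(g, length) for g in islice(order, budget) if g not in blacklist)
    return gained / allowed_mass


def top_ranks(length: int, count: int) -> Set[str]:
    """A blacklist made of the `count` most popular PINs of the model."""
    return set(islice(attack_order(length), count))


if __name__ == "__main__":
    for budget in (10, 30, 100):
        p4, p6 = success_probability(4, budget), success_probability(6, budget)
        print(f"{budget:3d} guesses: 4-digit {p4:.2%}  6-digit {p6:.2%}")
    for size in (0, 274, 1000):  # 274 and 1000: sizes the article mentions
        bl = top_ranks(4, size)
        known = success_probability(4, 10, bl)
        blind = success_probability(4, 10, bl, attacker_knows_blacklist=False)
        print(f"blacklist {size:4d}: 10 guesses succeed {known:.2%} "
              f"(attacker unaware of the list: {blind:.2%})")
```

Run as a script it prints success rates for the three budgets at both lengths and for four-digit blacklists of 0, 274 and 1,000 entries. Three things to look at in the output: the four- and six-digit rates coincide for every budget, because the attacker never gets past the shared set of popular PINs and so never sees the larger keyspace; a blacklist that the attacker knows about only helps as far as the PINs ranked just below its cut-off are less popular than the ones it removed, and in this model a list covering the whole popular head is what reduces the attacker to uniform guessing; an attacker who does not know the list spends every guess on PINs nobody could have chosen, which is the one case in which a short list looks effective.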

Blacklists

The work will be presented as ‘This PIN can be easily guessed’ at the IEEE Symposium on Security and Privacy in San Francisco in May 2020. The paper details the experimental blacklists and draws conclusions on how blacklists might be improved.

One last bit of information was provided by the team: four- and six-digit PINs are less secure than passwords, but more secure than pattern locks.

Ruhr-Universität Bochum and the Max Planck Institute for Security and Privacy worked with George Washington University.

The most common PINs

Four digit   Six digit
1234         123456
0000         654321
2580         111111
1111         000000
5555         123123
5683         666666
0852         121212
2222         112233
1212         789456
1998         159753

Photo credit:
Horst Görtz Institute for IT Security at Ruhr-Universität Bochum
Max Planck Institute for Security and Privacy in Bochum

Summary of the article’s key points:

  1. PIN security and user behaviour:

    • Users prefer certain combinations; 123456 and 654321 are among the most used six-digit PINs.
    • The study suggests that users do not intuitively understand what makes a six-digit PIN more secure than a four-digit one.
  2. The iOS blacklist:

    • Since iOS 9, Apple devices reject commonly used weak PINs during PIN setup.
    • The researchers recovered Apple’s four-digit and six-digit lists by systematically trying every combination on an iPhone.
  3. Effectiveness of blacklists:

    • On iPhones, where an attacker gets only ten guesses, the study finds the blacklist adds no security: the attacker simply skips the blacklisted PINs and tries the next most popular ones.
    • On Android, where attempts are rate-limited rather than capped and around 100 PINs can be tried in eleven hours, a blacklist would be more useful.
  4. PIN length and security:

    • 1,220 participants chose four- or six-digit PINs, which were then attacked with 10, 30 or 100 guesses to mirror the limits phones impose.
    • Under those limits six-digit PINs were no harder to guess than four-digit PINs, because the attempt limit, not the size of the keyspace, bounds what an attacker can try.
  5. Common four-digit PINs:

    • The most common were 1234, 0000, 2580, 1111 and 5555; 2580 is a vertical column on a numeric keypad.
  6. Blacklist warnings versus forced changes:

    • Some participants who entered a blacklisted PIN could keep it after a warning; others had to pick a PIN not on the list. The resulting PINs were, on average, equally hard to guess.
  7. Comparison with passwords and pattern locks:

    • Four- and six-digit PINs are less secure than passwords but more secure than pattern locks.

The work will be presented at the IEEE Symposium on Security and Privacy in May 2020 and is a collaboration between Ruhr-Universität Bochum, the Max Planck Institute for Security and Privacy and George Washington University.
