Why Are We So Bad At Choosing PIN Codes?

Modern life is full of passwords and PIN codes, and while there is much written on passwords, there is not so much on PIN codes, and yet our smartphones and bank cards still rely on them. The problem, much like passwords, is that we are not very good at choosing PIN codes, and only have a few (or in some cases one) that we use everywhere.

For many people, maths is not a strong point, and while there are 10,000 possible combinations for a 4-digit PIN (0-9999) it certainly doesn’t feel like it when asked to choose a new PIN. Even 6-digit PIN codes which offer a million combinations (0-999999) seem to be restricted to a tiny subset of numbers we know we can remember.

I wonder, is it down to lack of practice and using our memory muscles? Or are we just always looking for patterns in numbers to make them easier to remember? Back in the days before smartphones or even mobile phones, we could all easily tell you a handful of phone numbers that we had to regularly call. Multiple 11-digit numbers reeled off with ease, so why are half a dozen 4-digit PIN codes giving us so many problems that some people stick to just 1 or 2 combinations?

Smartphone PIN codes have been available as either 6-digit or 4-digit options for years now, and people still stick to the less secure option. Many even go with the far less secure option of their year of birth as their PIN code, in which case they could easily move to a slightly more secure 6-digit one based on their date of birth, written as day, month and last two digits of the year, or as month and year.

"But we have biometrics, like Face ID and Touch ID" is often the reply I get, which is true, until you restart your phone. At this point everything reverts back to your PIN code, and the default for many smartphones is that after 10 failed attempts, the phone is wiped. If you have ever experienced the trauma of this, you’ll understand why people are reluctant to change their PIN codes.

I’m a big fan of the now-defunct Windows phones with their Kids Mode, restricting the apps available (basically a really limited profile) and absolutely zero chance of your child changing your PIN code and then forgetting what they changed it to. For this level of peace of mind, turn on parental controls so that there is another PIN code required to make any system changes. It is also a really bad idea to add your kids' biometrics without any restrictions to your smartphone.

Chip and PIN payments on debit and credit card machines have largely been replaced with contactless payments (though most people still touch the sensor), until, that is, you reach a certain threshold and you are back to entering your 4-digit PIN code for the next transaction.

Using the same PIN for bank cards, smartphones, luggage locks, gym lockers, hotel safes, in fact anywhere that needs a code, is super convenient, for both you and the criminals. Someone shoulder surfing you logging into your phone, or entering your code to make a payment, before pickpocketing you (or worse) could cost you dearly. The criminals know that many people reuse PIN codes, much like they do with passwords.

My advice is to sit down and pick a different code for various places and items that you can easily remember. The important bit is that you really have to commit them to memory, but if this is too difficult, write them down somewhere safe. Turn them into phone numbers if you like, with only the last 4 numbers being of value, or use the tried and tested obscuration method commonly known as bad handwriting.

Moving to unique 6-digit PIN codes is next (if you feel comfortable doing so) where possible for smartphone and computer PIN locks, though please avoid the silly ones like 123456 or 654321. It may help to sit down with a piece of paper and write out lots of different numbers between 000001 and 999999. You might find it helpful to enter into Google ‘random numbers between 000001 and 999999’, which will bring up their random number generator. Generate 20-30 numbers and see if any are to your liking (i.e. easily remembered) or tweak them until you find some that you can use. Just like the 4-digit PIN codes, please make sure you do not forget what you change the PIN code to, and if other trusted people know the old PIN code, tell them the new one so they don’t accidentally wipe your phone by entering your old code multiple times.
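The candidate-generation step described above, as an added example rather than anything from the original article: it draws 6-digit PINs from the operating system's secure random source and discards the kinds of PIN the article warns against (123456, 654321, a year of birth, a date of birth). The function names and the exact rejection rules are assumptions chosen for illustration.

```python
import secrets
from datetime import date

def is_sequence(pin):
    """True for runs such as 123456 or 654321 (every digit steps by +1 or -1)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})  # 9 is -1 modulo 10, i.e. a descending run

def is_repetitive(pin):
    """True for 000000, 121212, 123123: one short block repeated to fill the PIN."""
    n = len(pin)
    return any(n % k == 0 and pin == pin[:k] * (n // k) for k in range(1, n // 2 + 1))

def looks_like_date(pin):
    """True for a 4-digit year, or 6 digits that read as DDMMYY, MMDDYY or MMYYYY."""
    this_year = date.today().year
    if len(pin) == 4:
        return 1900 <= int(pin) <= this_year
    if len(pin) == 6:
        a, b = int(pin[:2]), int(pin[2:4])
        if (1 <= a <= 31 and 1 <= b <= 12) or (1 <= a <= 12 and 1 <= b <= 31):
            return True
        return 1 <= a <= 12 and 1900 <= int(pin[2:]) <= this_year
    return False

def weak_reason(pin):
    """Return why a PIN is easy to guess, or None if no rule matches."""
    if is_sequence(pin):
        return "sequence"
    if is_repetitive(pin):
        return "repeated pattern"
    if looks_like_date(pin):
        return "looks like a date or year"
    return None

def candidates(count=20, length=6):
    """Draw unique random PINs (leading zeros kept) that pass every check."""
    out = []
    while len(out) < count:
        pin = f"{secrets.randbelow(10 ** length):0{length}d}"
        if weak_reason(pin) is None and pin not in out:
            out.append(pin)
    return out

if __name__ == "__main__":
    for sample in ("123456", "654321", "1985", "250385", "121212"):  # constructed samples
        print(sample, "->", weak_reason(sample))
    print(candidates())
```

Pick from the printed list as it stands; tweaking a candidate by hand tends to pull it back towards a memorable pattern the checks were meant to exclude.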

Despite all the constant news about new access control methods and the death of passwords, for the foreseeable future PIN codes are not going away any time soon. We just need to get better at picking and remembering them.

For more security resources and advice, see: www.booleanlogical.com
