PINs for passwords

31 Dec 2009 - 11:13am
4 years ago
8 replies
702 reads
Hugh Griffith
2007

Out of curiosity, does anyone know why we aren't using PIN numbers as internet
passwords? A huge percentage of people already have a banking PIN, and
they're much easier to remember. If they're secure enough to protect our
bank accounts, why aren't they good enough for the web?

I'm sure there's a reason out there, I just haven't heard it yet. (And
Google gives me nada.)

Hugh Griffith
User Interface Designer

Comments

31 Dec 2009 - 11:26am
Charles Boyung
2009

They are only secure enough because you can't easily write a program
to automatically run through them in the physical world like you can
on a computer. If you created a website that uses 4 to 6 digit
numbers as passwords, I could get into the site in a matter of hours.
A good hacker could probably do it in minutes.

Posted from ixda.org (via iPhone)
http://www.ixda.org/discuss?post=48149

31 Dec 2009 - 11:39am
Gilles DEMARTY
2005

Hugh,

On Thu, Dec 31, 2009 at 5:13 PM, Hugh Griffith <hgriffith at vfs.com> wrote:

> Out of curiosity, does anyone know why we aren't using PIN numbers as
> internet passwords?

(Rereading your post, I'm not sure if you're talking about a PIN in the context of
a payment card or of logging in to the bank website; excuse me in advance if my
answer is off-topic.)

PIN numbers are usually used with a payment card.
* This means you must possess the card AND the PIN.
* Also, the card becomes unusable if you mistype your code 3 times.
=> That's why you can use it in this case. No one can guess the PIN in 3
guesses.

On the contrary, on the internet:
* Nowadays, programs exist to try out every possible combination: the 1000
combinations available with a 4-digit PIN can be tried in less than a second.
* It is rare to lock your account after x attempts. (Why? Because it is a
pain to unlock it afterward.)
* This password is the only item you need to log in, so it is the weakest
link in the securing process.

All that put together explains why it is unwise to use a PIN code as a
password.

(
Follow-up:
There are only 3 ways to secure an asset:
* with something you know (a password, a PIN code)
* with something you possess (a card, a certificate)
* with some part of you (your eye, your fingerprints, your DNA)
And the more the better.
)

If I've been unclear, let me know.

Gilles.
twitter.com/gillesdemarty

31 Dec 2009 - 11:39am
Dan Saffer
2003

I imagine it's basic encryption math.

For instance, a ten digit numeric password only has 10 to the 10th power (10,000,000,000) possible combinations.

A ten digit numeric and letter password, in contrast, has 10 to the 36th power or 1,000,000,000,000,000,000,000,000,000,000,000,000 possible combinations. And that's just English's 26 letters!

Your average 4 digit pin has only 4,000,000,000 possible combinations, which isn't particularly secure.

Dan

31 Dec 2009 - 11:44am
Jared M. Spool
2003

On Dec 31, 2009, at 11:39 AM, Dan Saffer wrote:

> I imagine it's basic encryption math.
>
> Your average 4 digit pin has only 4,000,000,000 possible
> combinations, which isn't particularly secure.

My math says you only get 10,000 combinations from a 4 digit PIN,
which I would imagine is even less secure.

Jared
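The keyspace arithmetic Dan and Jared are working out, and the three-strikes lockout Gilles describes, as an added Python example (not code from the thread or from ixda.org); the guess rate and the PIN value are constructed for illustration.

```python
import hmac
import math

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of `length` symbols over an alphabet of `alphabet_size`."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Keyspace expressed in bits: log2 of the number of possible secrets."""
    return length * math.log2(alphabet_size)

def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_sec: float) -> float:
    """Worst-case time for an online guesser to try every secret at a fixed rate (rate is assumed)."""
    return keyspace(alphabet_size, length) / guesses_per_sec

class PinVerifier:
    """Models the card rule from the thread: three wrong guesses lock the account."""

    def __init__(self, pin: str, max_attempts: int = 3):
        self._pin = pin
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def check(self, guess: str) -> bool:
        if self.locked:
            return False  # a locked account rejects everything, even the right PIN
        if hmac.compare_digest(guess, self._pin):  # constant-time comparison
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
        return False

def guesses_until_stopped(verifier: PinVerifier, digits: int = 4) -> tuple[int, str]:
    """Feed every PIN in order to the verifier; report how far a guesser gets before success or lockout."""
    attempts = 0
    for n in range(10 ** digits):
        attempts += 1
        if verifier.check(f"{n:0{digits}d}"):
            return attempts, "found"
        if verifier.locked:
            return attempts, "locked"
    return attempts, "exhausted"
```

With the lockout, enumeration stops after 3 guesses; with no lockout (the common web setting Gilles mentions), the same 10,000-PIN space falls to a linear scan at whatever rate the login form accepts.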

31 Dec 2009 - 11:52am
Dan Saffer
2003

On Dec 31, 2009, at 8:44 AM, Jared Spool wrote:

> My math says you only get 10,000 combinations from a 4 digit PIN, which I would imagine is even less secure.

Math was never my strong suit. Stupid zeros!

31 Dec 2009 - 11:56am
Phil Chung
2007

PINs are sometimes used on the web (I've seen this in IVRs too) in combination with one or more other pieces of personal information. See Delta.com for an example.

> Out of curiosity, does anyone know why we aren't using PIN numbers as internet
> passwords? A huge percentage of people already have a banking PIN, and
> they're much easier to remember. If they're secure enough to protect our
> bank accounts, why aren't they good enough for the web?


1 Jan 2010 - 8:33pm
jet
2008

PINs aren't actually that secure. They can be easily compromised in
all sorts of ways; do a search for "ATM pin vulnerability" or "ATM pin
theft" for the gory details.

--
J. E. 'jet' Townsend, IDSA
Designer, Fabricator, Hacker
design: www.allartburns.org; hacking: www.flatline.net; HF: KG6ZVQ
PGP: 0xD0D8C2E8 AC9B 0A23 C61A 1B4A 27C5 F799 A681 3C11 D0D8 C2E8

8 Jan 2010 - 2:14pm
Loren Baxter
2007

We haven't mentioned context!

ATMs and some mobile apps use PINs, because they have more limited input
methods. Entering a secure, 10 digit password is tough without a full
keyboard. The 9 digit keypad provides a simple and accessible method of
entry, but we have to secure the PIN by adding additional layers of
security, such as swiping the card.

With a keyboard, however, we use the full range of characters and create
much stronger passwords, removing the need for additional layers.

- Loren

On Fri, Jan 1, 2010 at 5:33 PM, j. eric townsend <jet at flatline.net> wrote:

> PINs aren't actually that secure. They can be easily compromised in all
> sorts of ways, do a search for "ATM pin vulnerability" or "ATM pin theft"
> for gory details.
>
> --
> J. E. 'jet' Townsend, IDSA
> Designer, Fabricator, Hacker
> design: www.allartburns.org; hacking: www.flatline.net; HF: KG6ZVQ
> PGP: 0xD0D8C2E8 AC9B 0A23 C61A 1B4A 27C5 F799 A681 3C11 D0D8 C2E8

--
Loren Baxter
blog: http://acleandesign.com
business: http://engagebig.com
t: @lorenbaxter
