[cryptography] [OT] A birthday present every eleven wallets?

Jeffrey Walton noloader at gmail.com
Sat Feb 25 12:09:20 EST 2012


Abstract. We provide the first published estimates of the difficulty of
guessing a human-chosen 4-digit PIN. We begin with two large sets of
4-digit sequences chosen outside banking for online passwords and
smartphone unlock-codes. We use a regression model to identify a small
number of dominant factors influencing user choice. Using this model
and a survey of over 1,100 banking customers, we estimate the
distribution of banking PINs as well as the frequency of
security-relevant behaviour such as sharing and reusing PINs. We find
that guessing PINs based on the victims' birthday, which nearly all
users carry documentation of, will enable a competent thief to gain
use of an ATM card once for every 11-18 stolen wallets, depending on
whether banks prohibit weak PINs such as 1234. The lesson for
cardholders is to never use one's date of birth as a PIN. The lesson
for card-issuing banks is to implement a denied PIN list, which
several large banks still fail to do. However, blacklists cannot
effectively mitigate guessing given a known birth date, suggesting
banks should move away from customer-chosen banking PINs in the long
term.
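As an added illustration (not code from the paper or from the poster), the check below shows why a denied-PIN list on its own does nothing against the birthday case, and what an issuer that knows the customer's date of birth can do about it: it rejects denied-list entries and also any PIN derivable from the date of birth. The set of date formats and the short denied list are constructed assumptions, not the paper's data.

```python
from datetime import date

# Constructed denied list for illustration only; real issuer lists are longer.
DENIED_PINS = {
    "0000", "1111", "2222", "3333", "4444", "5555", "6666", "7777",
    "8888", "9999", "1234", "4321", "1212", "2580",
}


def birthday_pins(dob: date) -> set[str]:
    """4-digit PINs a cardholder might derive from a date of birth.

    The formats (DDMM, MMDD, YYYY, DDYY, MMYY, YYMM, YYDD) are an
    illustrative assumption; duplicates collapse, so the set is small.
    """
    dd, mm = f"{dob.day:02d}", f"{dob.month:02d}"
    yyyy = f"{dob.year:04d}"
    yy = yyyy[2:]
    return {dd + mm, mm + dd, yyyy, dd + yy, mm + yy, yy + mm, yy + dd}


def birthday_pins_not_denied(dob: date, denied=DENIED_PINS) -> set[str]:
    """Birthday-derived PINs a denied list alone would still accept.

    This is the abstract's point: a blacklist of common PINs barely
    shrinks the handful of candidates that follow from a known birth date.
    """
    return birthday_pins(dob) - denied


def validate_pin(pin: str, dob: date, denied=DENIED_PINS) -> tuple[bool, str]:
    """Issuer-side check: syntax, denied list, then date-of-birth derivation."""
    if len(pin) != 4 or not pin.isdigit():
        return False, "PIN must be exactly 4 digits"
    if pin in denied:
        return False, "PIN is on the denied list"
    if pin in birthday_pins(dob):
        return False, "PIN is derivable from the cardholder's date of birth"
    return True, "accepted"


if __name__ == "__main__":
    dob = date(1985, 7, 4)  # constructed sample date of birth
    print(sorted(birthday_pins_not_denied(dob)))  # the deny list removes none of them
    for candidate in ("0407", "1234", "7391"):
        print(candidate, validate_pin(candidate, dob))
```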

