Welcome Guest.
No account yet? Register
Who's Online
We have 52 guests and 3 members online

You are here:
 EH-Net
May 24, 2013, 03:28:29 PM
 News: Go back to The Ethical Hacker Network Online Magazine Home Page
 Pages: [1]   Go Down
 Author Topic: PIN/Password number analysis  (Read 2351 times) 0 Members and 1 Guest are viewing this topic.
m0wgli
Full Member

Offline

Posts: 248

 « on: September 26, 2012, 04:33:27 PM »

Following a joke tweet I saw earlier in the week that “All credit card PIN numbers in the World leaked”, it got me thinking about how people actually choose PIN numbers/Passwords.

Whilst looking into this I came across the following article PIN number analysis:

http://www.datagenetics.com/blog/september32012/index.html

Based on a 4 digit PIN there are 10,000 choices, yet from a sample of 3.4 million 4 digit passwords nearly 11% were the password 1234.

From a table of the top twenty passwords found:

Quote
A staggering 26.83% of all passwords could be guessed by attempting these 20 combinations!

(Statistically, with 10,000 possible combination, if passwords were uniformly randomly distributed, we would expect the these twenty passwords to account for just 0.2% of the total, not the 26.83% encountered)

Although the article refers to PIN numbers the data was obtained from user passwords:

Quote
Given that users have a free choice for their password, if users select a four digit password to their online account, it’s not a stretch to use this as a proxy for four digit PIN codes

Given human nature. I don't consider this an unreasonable assumption.

Personally I found the distribution of user choices fascinating given the available choice.

 « Last Edit: September 27, 2012, 03:27:55 PM by m0wgli » Logged

Security + | OSWP | eCPPT | CSTA
Jamie.R
Sr. Member

Offline

Posts: 429

 « Reply #1 on: September 28, 2012, 04:11:56 AM »

Very interesting there is a really good talk about random numbers by Paco Hope. That I think relates to these types of topics. He basically explains how random functions are not really random and how things can be predicted. It is worth a look if you can find it online it should be on youtube when he gave it at bsidelondon last year.
 Logged

OSWP | Hackingdojo Nidan | eCPPT
m0wgli
Full Member

Offline

Posts: 248

 « Reply #2 on: September 28, 2012, 04:26:04 AM »

Thanks for the recommendation. I actually caught Paco's presentation at B-Sides London: http://www.youtube.com/watch?v=Uc5nG1LAo0A

Paco kindly offered to do his talk when Kizz MyAnthia went AWOL for his Mapping The Penetration Tester's Mind: 0 to Root in 60 Minutes talk.
 « Last Edit: September 28, 2012, 04:37:04 AM by m0wgli » Logged

Security + | OSWP | eCPPT | CSTA
Jamie.R
Sr. Member

Offline

Posts: 429

 « Reply #3 on: September 28, 2012, 06:27:16 AM »

Yep I saw the talk too
 Logged

OSWP | Hackingdojo Nidan | eCPPT
 Pages: [1]   Go Up

Page created in 0.062 seconds with 23 queries.

Exclusive Deal

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 Great! Better. About the same. Little worse. FUBAR!

EH-Net News Feeds