PIN/Password number analysis

[m0wgli]

Following a joke tweet I saw earlier in the week that “All credit card PIN numbers in the World leaked”, it got me thinking about how people actually choose PIN numbers/Passwords.

Whilst looking into this I came across the following article PIN number analysis:

http://www.datagenetics.com/blog/september32012/index.html

Based on a 4 digit PIN there are 10,000 choices, yet from a sample of 3.4 million 4 digit passwords nearly 11% were the password 1234.

From a table of the top twenty passwords found:

A staggering 26.83% of all passwords could be guessed by attempting these 20 combinations!

(Statistically, with 10,000 possible combination, if passwords were uniformly randomly distributed, we would expect the these twenty passwords to account for just 0.2% of the total, not the 26.83% encountered)

Although the article refers to PIN numbers the data was obtained from user passwords:

Given that users have a free choice for their password, if users select a four digit password to their online account, it’s not a stretch to use this as a proxy for four digit PIN codes

Given human nature. I don't consider this an unreasonable assumption.

Personally I found the distribution of user choices fascinating given the available choice.

[Jamie.R]

Very interesting there is a really good talk about random numbers by Paco Hope. That I think relates to these types of topics. He basically explains how random functions are not really random and how things can be predicted. It is worth a look if you can find it online it should be on youtube when he gave it at bsidelondon last year.

[m0wgli]

Thanks for the recommendation. I actually caught Paco's presentation at B-Sides London: http://www.youtube.com/watch?v=Uc5nG1LAo0A

Paco kindly offered to do his talk when Kizz MyAnthia went AWOL for his Mapping The Penetration Tester's Mind: 0 to Root in 60 Minutes talk.

[Jamie.R]

Yep I saw the talk too