
## PIN/Password number analysis

Sr. Member

Posts: 307

Joined: Fri Jul 20, 2012 3:34 pm

Wed Sep 26, 2012 4:33 pm

### PIN/Password number analysis

Following a joke tweet I saw earlier in the week that “All credit card PIN numbers in the World leaked”, it got me thinking about how people actually choose PIN numbers/Passwords.

Whilst looking into this I came across the following article, PIN number analysis:

http://www.datagenetics.com/blog/septem ... index.html

Based on a 4-digit PIN there are 10,000 choices, yet from a sample of 3.4 million 4-digit passwords nearly 11% were the password 1234.

From a table of the top twenty passwords found:

A staggering 26.83% of all passwords could be guessed by attempting these 20 combinations!

(Statistically, with 10,000 possible combinations, if passwords were uniformly randomly distributed, we would expect these twenty passwords to account for just 0.2% of the total, not the 26.83% encountered.)

Although the article refers to PIN numbers, the data was obtained from user passwords:

> Given that users have a free choice for their password, if users select a four digit password to their online account, it's not a stretch to use this as a proxy for four digit PIN codes

Given human nature, I don't consider this an unreasonable assumption.

Personally I found the distribution of user choices fascinating given the available choice.
Last edited by m0wgli on Thu Sep 27, 2012 3:27 pm, edited 1 time in total.
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
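As an added example (not code from the original post, nor from the DataGenetics article), the following Python script makes the "0.2% versus 26.83%" comparison above concrete: given a per-PIN frequency table it orders PINs the way an attacker would (most common first), reports what fraction of the population the first k guesses open compared with a uniform population, and computes the expected number of guesses to hit an account. The sample dump it builds is constructed and only mimics the shape described in the post (one PIN near 11%, a short head of popular choices, then a long flat tail); it is not the article's data, and the 0.2683/0.002 figures passed to `lift()` are simply the numbers quoted above.

```python
"""Coverage of an ordered guess list against a skewed PIN distribution vs. a uniform one.

Added example, not the article's or the forum poster's code. The sample dump below is
constructed (synthetic) and only mimics the shape of the article's finding: a handful
of PINs carry most of the mass and the rest is a long, flat tail.
"""
from collections import Counter

PIN_SPACE = 10_000  # all 4-digit PINs, 0000..9999


def build_sample():
    """Constructed dump of 10,000 accounts: five popular PINs, then 7,900 singletons."""
    popular = {"1234": 1100, "1111": 600, "0000": 200, "1212": 120, "7777": 80}
    counts = Counter(popular)
    remaining = 10_000 - sum(popular.values())            # 7,900 accounts left
    tail = (f"{i:04d}" for i in range(PIN_SPACE) if f"{i:04d}" not in popular)
    for pin, _ in zip(tail, range(remaining)):
        counts[pin] += 1                                   # one account per tail PIN
    return counts


def ranked(counts):
    """Guess order an attacker would use: most common PIN first."""
    return [pin for pin, _ in counts.most_common()]


def top_k_coverage(counts, k):
    """Fraction of accounts opened by trying the k most common PINs."""
    total = sum(counts.values())
    return sum(counts[pin] for pin in ranked(counts)[:k]) / total


def uniform_coverage(k, space=PIN_SPACE):
    """The same k guesses against a population that picked PINs uniformly at random."""
    return k / space


def lift(observed, k, space=PIN_SPACE):
    """How many times better a guess list does than chance (article: 0.2683 vs 0.002)."""
    return observed / uniform_coverage(k, space)


def expected_guesses(counts):
    """Mean number of guesses to hit one account when guessing in rank order."""
    total = sum(counts.values())
    return sum(rank * counts[pin] / total
               for rank, pin in enumerate(ranked(counts), start=1))


def guesses_for_coverage(counts, target):
    """Smallest guess list that compromises at least `target` of the accounts."""
    total = sum(counts.values())
    seen = 0
    for k, pin in enumerate(ranked(counts), start=1):
        seen += counts[pin]
        if seen / total >= target:
            return k
    return None


if __name__ == "__main__":
    sample = build_sample()
    for k in (1, 3, 20):
        print(f"top {k:>2} guesses: {top_k_coverage(sample, k):.2%} of accounts "
              f"(uniform population: {uniform_coverage(k):.2%})")
    print(f"article's top-20 list does {lift(0.2683, 20):.0f}x better than chance")
    print(f"expected guesses: {expected_guesses(sample):.0f} "
          f"vs {(PIN_SPACE + 1) / 2} for a uniform population")
    print(f"guesses to open half the accounts: {guesses_for_coverage(sample, 0.5)} "
          f"vs {PIN_SPACE // 2} uniform")
```

The practical reading is the lockout case: an ATM-style limit of three attempts per card caps an attacker at `top_k_coverage(sample, 3)`, which is 19% of the constructed population against 0.03% for a uniform one. The lockout is doing its job only if the PINs behind it are close to uniform; against a skewed population it merely limits the attacker to the most profitable guesses.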

Sr. Member

Posts: 434

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Fri Sep 28, 2012 4:11 am

### Re: PIN/Password number analysis

Very interesting. There is a really good talk about random numbers by Paco Hope that I think relates to these types of topics. He basically explains how random functions are not really random and how things can be predicted. It is worth a look if you can find it online; it should be on YouTube, from when he gave it at BSides London last year.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er

Sr. Member

Posts: 307

Joined: Fri Jul 20, 2012 3:34 pm

Fri Sep 28, 2012 4:26 am

### Re: PIN/Password number analysis

Thanks for the recommendation. I actually caught Paco's presentation at B-Sides London: http://www.youtube.com/watch?v=Uc5nG1LAo0A

Paco kindly offered to do his talk when Kizz MyAnthia went AWOL for his "Mapping The Penetration Tester's Mind: 0 to Root in 60 Minutes" talk.
Last edited by m0wgli on Fri Sep 28, 2012 4:37 am, edited 1 time in total.
Security + | OSWP | eCPPT (Silver & Gold) | CSTA

Sr. Member

Posts: 434

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Fri Sep 28, 2012 6:27 am

### Re: PIN/Password number analysis

Yep, I saw the talk too.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er