Our security analyst recently shared this at our Lexington Team Huddle, which makes for a good information to know if you want to create a strong PIN code. This content is from a blog post by DataGenetics. If you love statics, you must read the entire post, PIN number analysis (datagenetics.com); it’s fantastic.
We create PINs to lock our phone, to get money out of an ATM, to get into our computers, to enter websites, etc. The length of many PINs are only 4 digits, which means there’s 10,000 possible combinations of digits 0 – 9.
Are you creating strong PINs?
We are going to find out now.
Unfortunately, there have been numerous breaches with data posted to the dark web in “clear text”, that means unencrypted plain text. In other words, cyber-criminals can clearly see your password.
Data Genetics looked at password tables from these security breaches. When examining the database of close to 7 million all-numeric passwords, approximately half of them were the four-digit codes that were examined. We are fairly certain theses same 4-digit passwords are also used for PINs. Whether it is creating passwords or PINS, people are generally very bad at doing so.
This is what they found.
First people preferred even numbers, like 2468 over odd, like 1357.
Many use what seems to be a year as their PIN, with 1972 being the most popular (think of birthdays, anniversaries). Every combination starting with “19” can be found in the top 20% of passwords.
They also like to repeat numbers, like 0101 or 5555.
Does this sound like something YOU do when creating PINs and Passwords?
The most popular password is 1234. Nearly 11% of the 3.4 million passwords are 1234. That is 374,000! It was found more often than the lowest 4,200 codes combined.
The second most popular 4-digit PIN is 1111 at almost 6% (204,000).
With 10,000 combinations, these top 20 combinations below would make up 0.2% of the total. What they found is the top 20 make up over 26%!
So, how easy is it to figure out PINs?
| Rank | PIN | Freq |
| #1 | 1234 | 10.713% |
| #2 | 1111 | 6.016% |
| #3 | 0000 | 1.881% |
| #4 | 1212 | 1.197% |
| #5 | 7777 | 0.745% |
| #6 | 1004 | 0.616% |
| #7 | 2000 | 0.613% |
| #8 | 4444 | 0.526% |
| #9 | 2222 | 0.516% |
| #10 | 6969 | 0.512% |
| #11 | 9999 | 0.451% |
| #12 | 3333 | 0.419% |
| #13 | 5555 | 0.395% |
| #14 | 6666 | 0.391% |
| #15 | 1122 | 0.366% |
| #16 | 1313 | 0.304% |
| #17 | 8888 | 0.303% |
| #18 | 4321 | 0.293% |
| #19 | 2001 | 0.290% |
| #20 | 1010 | 0.285% |
As you can see, even when making a longer password, humans are still very predictable. Longer passwords are better than short ones, but they need to be random and you can’t remember all of them. Use a Password Management Application (like 1Password) and make your password life easier and your cyber-defense stronger.
| # | 5 | 6 | 7 | 8 | 9 | 10 | ||||||
| PSWD | % | PSWD | % | PSWD | % | PSWD | % | PSWD | % | PSWD | % | |
| #1 | 12345 | 22.802% | 123456 | 11.684% | 1234567 | 3.440% | 12345678 | 11.825% | 123456789 | 35.259% | 1234567890 | 20.431% |
| #2 | 11111 | 4.484% | 123123 | 1.370% | 7777777 | 1.721% | 11111111 | 1.326% | 987654321 | 3.661% | 0123456789 | 2.323% |
| #3 | 55555 | 1.769% | 111111 | 1.296% | 1111111 | 0.637% | 88888888 | 0.959% | 123123123 | 1.587% | 0987654321 | 2.271% |
| #4 | 00000 | 1.258% | 121212 | 0.623% | 8675309 | 0.465% | 87654321 | 0.815% | 789456123 | 1.183% | 1111111111 | 2.087% |
| #5 | 54321 | 1.196% | 123321 | 0.591% | 1234321 | 0.220% | 00000000 | 0.675% | 999999999 | 0.825% | 1029384756 | 1.293% |
| #6 | 13579 | 1.112% | 666666 | 0.577% | 0000000 | 0.188% | 12341234 | 0.569% | 147258369 | 0.591% | 9876543210 | 0.971% |
| #7 | 77777 | 0.618% | 000000 | 0.521% | 4830033 | 0.158% | 69696969 | 0.348% | 741852963 | 0.455% | 0000000000 | 0.942% |
| #8 | 22222 | 0.454% | 654321 | 0.506% | 7654321 | 0.154% | 12121212 | 0.320% | 111111111 | 0.425% | 1357924680 | 0.479% |
| #9 | 12321 | 0.412% | 696969 | 0.454% | 5201314 | 0.128% | 11223344 | 0.293% | 123454321 | 0.413% | 1122334455 | 0.441% |
| #10 | 99999 | 0.397% | 112233 | 0.417% | 0123456 | 0.124% | 12344321 | 0.275% | 123654789 | 0.378% | 1234512345 | 0.402% |
| #11 | 33333 | 0.338% | 159753 | 0.283% | 2848048 | 0.124% | 77777777 | 0.262% | 147852369 | 0.356% | 1234554321 | 0.380% |
| #12 | 00700 | 0.261% | 292513 | 0.250% | 7005425 | 0.120% | 99999999 | 0.223% | 111222333 | 0.304% | 5555555555 | 0.259% |
| #13 | 90210 | 0.244% | 131313 | 0.235% | 1080413 | 0.111% | 22222222 | 0.219% | 963852741 | 0.255% | 1212121212 | 0.244% |
| #14 | 88888 | 0.217% | 123654 | 0.228% | 7895123 | 0.107% | 55555555 | 0.205% | 321654987 | 0.253% | 9999999999 | 0.231% |
| #15 | 38317 | 0.216% | 222222 | 0.212% | 1869510 | 0.102% | 33333333 | 0.176% | 420420420 | 0.241% | 2222222222 | 0.219% |
| #16 | 09876 | 0.185% | 789456 | 0.209% | 3223326 | 0.100% | 44444444 | 0.165% | 007007007 | 0.227% | 7777777777 | 0.206% |
| #17 | 44444 | 0.179% | 999999 | 0.194% | 1212123 | 0.096% | 66666666 | 0.160% | 135792468 | 0.164% | 3141592654 | 0.195% |
| #18 | 98765 | 0.169% | 101010 | 0.190% | 1478963 | 0.088% | 11112222 | 0.140% | 397029049 | 0.158% | 3333333333 | 0.186% |
| #19 | 01234 | 0.160% | 777777 | 0.188% | 2222222 | 0.085% | 13131313 | 0.131% | 012345678 | 0.154% | 7894561230 | 0.165% |
| #20 | 42069 | 0.154% | 007007 | 0.186% | 5555555 | 0.082% | 10041004 | 0.127% | 123698745 | 0.152% | 1234567891 | 0.161% |
To get people to make better passwords, we taught them to replace letters and numbers with symbols, like in the first box of the below cartoon.
This example would take 3 days at 1000 guesses/second to crack. You can have more fun HERE seeing how long it would take to crack a password you create.
This approach has a huge flaw since we use common substitutions which makes it easy to program a computer to hack.
Finally, in 2017, we got new password recommendations, but unfortunately they haven’t been embraced very well.
The lower box in the cartoon demonstrates how Four Random Common Words put together make a password that would take 550 years to crack at 1000 guesses/second.
“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”