How secure are four- and six-digit mobile phone PINs?
A German-American team of IT security researchers has investigated how users choose the PIN for their mobile phones and how they can be convinced to use a more secure number combination. They found that six-digit PINs actually provide little more security than four-digit ones. They also showed that the blacklist used by Apple to prevent particularly common PINs could be optimised, and that it would make even more sense to implement one on Android devices.
Philipp Markert, Daniel Bailey, and Professor Markus Dürmuth from the Horst Görtz Institute for IT Security at Ruhr-Universität Bochum conducted the study jointly with Dr. Maximilian Golla from the Max Planck Institute for Security and Privacy in Bochum and Professor Adam Aviv from the George Washington University in the USA.
In the study, the researchers had users on Apple and Android devices set either four or six-digit PINs and later analysed how easy they were to guess. In the process, they assumed that the attacker did not know the victim and did not care whose mobile phone is unlocked. Accordingly, the best attack strategy would be to try the most likely PINs first.
Some of the study participants were free to choose any PIN they liked. Others could only choose PINs that were not included in a blacklist. If they tried to use one of the blacklisted PINs, they received a warning that this combination of digits was easy to guess.
In the experiment, the IT security experts used various blacklists, including the real one from Apple, which they obtained by having a computer test all possible PIN combinations on an iPhone. Moreover, they also created their own more or less comprehensive blacklists.
It emerged that six-digit PINs do not provide more security than four-digit ones. A prudently chosen four-digit PIN is secure enough, mainly because manufacturers limit the number of attempts to enter a PIN. Apple locks the device completely after ten incorrect entries. On an Android smartphone, different codes cannot be entered one after the other in quick succession.
The researchers found 274 number combinations on Apple's blacklist for four-digit PINs. According to the researchers, the blacklist would make more sense on Android devices, as attackers can try out more PINs there.
The study has shown that the ideal blacklist for four-digit PINs would have to contain about 1,000 entries and differ slightly from the list currently used by Apple. The most common four-digit PINs, according to the study, are 1234, 0000, 2580 (the digits appear vertically below each other on the numeric keypad), 1111 and 5555.
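The attack model described above (an attacker who knows nothing about the victim and tries the most likely PINs first, within the device's attempt limit) and the effect of a blacklist can both be measured with a few lines of code. The example below is added here and is not the researchers' code or data: it builds a constructed, deliberately skewed sample of user-chosen PINs, derives a blacklist from the most frequent entries (the same principle behind an "ideal" blacklist, just with a much smaller list), runs the set-time policy check, and compares what fraction of users an attacker could unlock within a given guess budget before and after the blacklist is enforced. The replacement pool, which models what users pick after a warning, is a labelled simplification.

```python
from collections import Counter

# Constructed sample of user-chosen PINs (not the study's data). A handful of
# popular PINs dominate, which is the shape of distribution the page describes.
REPLACEMENT_POOL = [
    "4719", "8036", "2951", "6407", "3185", "9762", "5390", "1648", "7023", "8894",
    "3571", "9206", "4432", "6859", "2017", "7745", "0391", "5128", "8674", "3906",
]
SAMPLE_PINS = (
    ["1234"] * 40 + ["0000"] * 15 + ["2580"] * 8 + ["1111"] * 7 + ["5555"] * 5
    + ["5683"] * 3 + ["0852"] * 3 + ["2222"] * 2 + ["1212"] * 2 + ["1998"] * 2
    + REPLACEMENT_POOL  # the long tail: one user each
)

# Hypothetical blacklist for the policy check (illustrative; not Apple's list).
BLACKLIST = {"1234", "0000", "2580", "1111", "5555", "5683", "0852", "2222", "1212", "1998"}


def build_blacklist(observed, size):
    """Derive a blacklist of the `size` most common PINs in an observed sample.
    This is how a defender would tune a list to the PINs users actually pick."""
    return {pin for pin, _ in Counter(observed).most_common(size)}


def check_pin(pin, length=4, blacklist=BLACKLIST):
    """Set-time policy check. Returns (accepted, reason)."""
    if not pin.isdigit() or len(pin) != length:
        return False, f"PIN must be exactly {length} digits"
    if pin in blacklist:
        return False, "this PIN is easy to guess"
    return True, "ok"


def fraction_cracked(pins, budget):
    """Fraction of users whose PIN is among the `budget` most common PINs, i.e.
    the share an attacker who tries the most likely PINs first would unlock
    before the attempt limit is reached (10 on iOS per the page; effectively
    more on Android, which only slows repeated entries)."""
    top = Counter(pins).most_common(budget)
    return sum(count for _, count in top) / len(pins)


def enforce_blacklist(pins, blacklist, replacement_pool):
    """Model users re-choosing after a blacklist warning: each blacklisted PIN is
    swapped for a PIN from `replacement_pool` in round-robin order. This is a
    constructed simplification; real users may pick other guessable PINs."""
    out, i = [], 0
    for pin in pins:
        if pin in blacklist:
            out.append(replacement_pool[i % len(replacement_pool)])
            i += 1
        else:
            out.append(pin)
    return out


if __name__ == "__main__":
    hardened = enforce_blacklist(SAMPLE_PINS, BLACKLIST, REPLACEMENT_POOL)
    for budget in (1, 10, 100):
        print(f"budget={budget:>3}: raw {fraction_cracked(SAMPLE_PINS, budget):.2%}, "
              f"with blacklist {fraction_cracked(hardened, budget):.2%}")
    print(check_pin("1234"), check_pin("4719"), check_pin("12345"))
```

Running it shows the two points the page makes: with a 10-guess budget the attacker's coverage of the constructed sample drops sharply once the blacklist is enforced, and with a budget of 100 (closer to what a rate-limited but not locking device allows) the blacklist is the only thing that keeps coverage below 100%, which is why the researchers consider it more valuable on Android than on iOS.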
On the iPhone, users have the option to ignore the warning that they have entered a frequently used PIN. The device, therefore, does not consistently prevent entries from being selected from the blacklist. For the purpose of their study, the IT security experts also examined this aspect more closely. Some of the test participants who had entered a PIN from the blacklist were allowed to choose whether or not to enter a new PIN after the warning. The others had to set a new PIN that was not on the list. On average, the PINs of both groups were equally difficult to guess.
Another result of the study was that four- and six-digit PINs are less secure than passwords, but more secure than pattern locks. According to the study, the ten most popular four-digit PINs are: 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212, 1998. The ten most popular six-digit PINs are: 123456, 654321, 111111, 000000, 123123, 666666, 121212, 112233, 789456, 159753.
(Content Courtesy: https://www.eurekalert.org/pub_releases/2020-03/rb-hsa031120.php)