Your PIN May Not Be Uncrackable After All

Nick Berry, president of the data mining consulting company Data Genetics, recently wrote a blog post about how easy it to guess a person's four-digit PIN. Robert Siegel talks to Berry about his findings, the least popular PIN and why the password "1234" isn't such a great idea.

Copyright © 2012 NPR. For personal, noncommercial use only. See Terms of Use. For other uses, prior permission required.

ROBERT SIEGEL, HOST:

Pick a four-digit number. Pick a four-digit number that you won't forget so that you'll be able to use it as your password or your PIN. Since there are 10,000 four-digit numbers, the chance of someone guessing your PIN, and stealing your identity, or at least some of your money is pretty low, if your choice were random. But according to an interesting new piece of research, the thief's chances are a lot better than that.

An outfit called Data Genetics analyzed what they describe as a data base of 3.4 million exposed passwords, mostly for websites, passwords that had already been made public. And as Nick Berry, the president of Data Genetics wrote in his blog about this: People are notoriously bad at generating random passwords.

Nick Berry joins us from Seattle. Welcome to the program.

NICK BERRY: Thank you.

SIEGEL: And tell us, how bad are we at being random?

BERRY: Staggeringly unimaginative; the single most common password is 1-2-3-4 and over 10 percent of all cards use that particular number. So if you came across an ATM card laying on the floor, picked it up, you've got a one in 10 chance if you type 1-2-3-4 of getting the correct number. And it gets worse than that. Using just five numbers you could get up to 20 percent of the cards.

And to get up to 50 percent of all the card numbers, you'd only need to try 426 distinct codes.

(LAUGHTER)

SIEGEL: Only 426?

BERRY: Only 426?

SIEGEL: I gather 2-2-2-2, 8-8-8-8, these are all fairly common passwords.

BERRY: All the common passwords seem to be things that are very easy for people to remember; sequential numbers, all the same digits. What's also interesting, as well, is people seem to think that using their date of birth or an anniversary dates is also a random number. But it's not really. If you look at the data, all the years starting 19-something-something occur in the top 20 percent of all exposed card numbers.

SIEGEL: These are patterns that we understand. Were there patterns that turned up that you had to go research and find out why those four digits were so common?

BERRY: Yeah, I started at the top of the list. And the first one that made me scratch my head was 2-5-8-0. And I'm thinking, what's particularly significant about that? And then you see that 2-5-8-0 is right down the middle of the numeric keypad. The other one which I scratched my head off for quite a while, it was 1004. And I couldn't understand why 1004 - what is significant about that? And 1004 is the Korean word for angel. So a lot of people in Korea seem to use that number.

SIEGEL: Now, there are 10,000 four-digit numbers and you had over three million four-digit numbers that people had selected. You've told us about the ones that are the most common and that are most used. What astonished me is that there'd be a number at the bottom of the heap, as something that was least used you can find.

BERRY: If you arrange all the pin numbers based on their frequency from the most common at the top, to the least common at the bottom, the number that appears right on the bottom of the list is 8-0-6-8. And that was the one that statistically is the least significant number that was chosen. It would now be a bad number to use because, of course, people will read an article like this...

(LAUGHTER)

BERRY: ...and if anybody now thinks of using number as the least significant number then, of course, people will now know that and use that to their advantage and put it higher up the list again.

SIEGEL: Now, this is what you learned about four digit PINs and passwords. You also looked at some seven-digit and 10-digit number databases. Do we get more original there?

BERRY: Surprisingly not. When the passwords get longer, people tend to find them harder to remember. So the repeated 1-1-1-1, 2-2-2-2, suddenly get higher up on the list. Things that you do find our interesting, there was a famous song in the '80s, "867-5309," and that is the fourth most popular seven-digit password. As we get up to 10-digit passwords, people use things like pi, 314159265, that make it easier to remember.

SIEGEL: That song may tell us something about the median age of people who have passwords also, for whatever website.

BERRY: I think it does, yes.

SIEGEL: Well, Mr. Berry, thank you very much for talking with us about it.

BERRY: Thank you very much.

SIEGEL: That's Nick Berry, the president of Data Genetics, telling us from Seattle about how uncreative we are when it comes to picking numbers.

(SOUNDBITE OF SONG, "867-5309")

TOMMY TUTONE: (Singing) Jenny, don't change your number. 867-5309. 867-5309. 867-5309. 867-5309. Jenny, Jenny, you're the girl for me. Oh, you don't know me but you make me so happy...

Copyright © 2012 NPR. All rights reserved. No quotes from the materials contained herein may be used in any media without attribution to NPR. This transcript is provided for personal, noncommercial use only, pursuant to our Terms of Use. Any other use requires NPR's prior permission. Visit our permissions page for further information.

NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.

Comments

 

Please keep your community civil. All comments must follow the NPR.org Community rules and terms of use, and will be moderated prior to posting. NPR reserves the right to use the comments we receive, in whole or in part, and to use the commenter's name and location, in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.

Support comes from: