If you use Windows 10, you may have noticed that you now have the option of signing in with a personal identification number (PIN) instead of a password. The same applies to the Apple Mac as well as many brands of smartphone. Which might lead you to wonder what exactly is a PIN and how does it differ from a password?
The use of PINS has grown with the popularity of mobile devices. Entering long usernames is a pain with a touchscreen, so a PIN presents a shorter, more usable experience. But a PIN isn’t necessarily the same as a password. Depending on the scenario, it has different applications.
There are many ways to implement PINs, but the most common is to link them to a specific physical asset, such as a computer, credit card or phone. Most of us had our first encounter with PINs when we first used an ATM card. In that case, the PIN is a form of two-factor authentication. The physical card is the first factor and the PIN provides an additional level of verification that the cardholder is authorized to use it.
PINs may be stored on a server or on the device itself. In the case of Windows 10, Microsoft uses a physical chip called a Trusted Platform Module that includes multiple physical security mechanisms and cryptographic algorithms to make it nearly impossible to compromise. The PIN is only stored on the client PC. This approach is more secure than validating on the server because an attacker would have to gain access to the computer itself to steal the PIN. Similarly, the new chip credit cards that are now being broadly deployed in the U.S. store the PIN locally so that there is no chance of a large-scale compromise at the server level.
A PIN usually consists of a string of between four and eight numbers, although variations may include letters and punctuation at the security administrator’s discretion. Why is four numbers the standard for most applications? Because the man who invented the ATM back in the 1960s found that his wife couldn’t remember more than four numbers. You can look it up.
Four numbers offers only 10,000 possible permutations, which you’d think would be a snap for a password cracker to defeat. In fact, it’s not so easy.
For one thing, PINs almost always require manual data entry. Attempting a brute force attack using a keyboard would quickly frustrate most intruders, not to mention cause painful hand cramps. Most systems that use PINs also specify a maximum number of access attempts before shutting down. For example, Apple’s iPhone gives you just six chances to enter a four-digit passcode. After that, the phone is disabled. Windows permits four incorrect attempts before requiring a restart, and multiple restarts will lock the machine.
So given four attempts to authenticate against the universe of 10,000 codes, the intruder has only a .04% chance of success. That’s why some people say PIN security is actually better than password security.
Which doesn’t mean you shouldn’t be careful. PINs demand the same level of care as passwords. Unfortunately, many people simply choose the easiest numbers that come to mind. Researchers at the data analysis firm Data Genetics found that the PINs “1234,” “1111” and “0000” accounted for nearly 20% of all the four-digit PINs they analyzed. In fact, “1234” was more popular than the least-used 4,200 codes combined. Human nature is difficult to change*.
Data Genetics also found that four-digit combinations starting with “19” rank above the 80th percentile in popularity. So using the year you were born is not a good idea.
Avoid easily guessed or researched PIN combinations, such as the last four digits of your Social Security number, your phone number or the day and month in which you were born. If you want to use a number that’s easy to remember, try an old phone number that can no longer be traced to you, or a combination of two numbers, such as your childhood street address and the grade on your sophomore year chemistry exam.
If the online services that you use offer the option of a PIN to complement your username and password, we recommend you use it. If the online services that you use offer the option of a PIN to complement your username and password, we recommend you use it. Device makers are also broadening the number of options to now include fingerprint recognition, facial recognition and voice recognition. These are often good alternatives to PINs, but we recommend against making them your primary form of authentication. Researchers have demonstrated ways to compromise fingerprint scans with wax molds, and face- and voice-recognition technologies are not mature enough to replace two-factor authentication on their own.
With so many large-scale password breaches in the news, it’s nice to have a second level of protection.
*The Data Genetics blog post is well worth reading for its interesting tidbits about password length. For example, the fourth most popular seven-digit password is 8675309 which will resonate with 1980s rock fans. The 17th-most popular 10-digit password is “3141592654.” Look it up.