This PIN Can Be Easily Guessed

11.03.2020 - Philipp Markert

Our latest work on the security of 4- and 6-digit PINs and the effect of blacklists is now available online at https://this-pin-can-be-easily-guessed.github.io/ (news coverage can be found in English [1], [2], [3] and German [4], [5], [6]). The results will be presented at this year's IEEE Symposium on Security and Privacy in San Francisco.

In our study, we found that longer 6-digit PINs offer little benefit over 4-digit PINs. When considering the first 40 guesses of an attacker, participants tended to select 6-digit PINs that are more easily guessed. Moreover, our results show that currently employed PIN blacklists are ineffective. Through quantitative and qualitative feedback, we found that participants perceive that blacklisting will improve their PINs without impacting usability.