Wednesday, February 22, 2012

The Security of 4-Digit PINs

From Bruce Schneier ... "1234" and Birthdays Are the Most Common PINs
Research paper: “A birthday present every eleven wallets? The security of customer-chosen banking PINs,” by Joseph Bonneau, Sören Preibusch, and Ross Anderson:
Abstract: We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. ... We find that guessing PINs based on the victims’ birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11-18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one’s date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.
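An added example, not taken from the paper or from this post: a PIN-selection check that combines a denied PIN list with a per-customer birth-date check, which goes one step beyond the static list the abstract describes. The function names, the list contents other than "1234", the trivial-pattern rule and the set of date formats are all assumptions made for illustration.

```python
from datetime import date

# Constructed sample list: only "1234" is named on this page; a real issuer
# would load its own denied PIN list here.
STATIC_DENYLIST = {"1234"}


def is_trivial_pattern(pin: str) -> bool:
    """True for a repeated digit (7777) or a straight run (2345, 9876)."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({0}, {1}, {-1})


def birthdate_pins(dob: date) -> set[str]:
    """4-digit renderings of a birth date (assumed set of formats)."""
    dd, mm, yyyy = f"{dob.day:02d}", f"{dob.month:02d}", f"{dob.year:04d}"
    yy = yyyy[2:]
    return {dd + mm, mm + dd, yyyy, mm + yy, yy + mm, dd + yy, yy + dd}


def check_pin(pin: str, dob: date) -> tuple[bool, str]:
    """Return (accepted, reason) for a customer-chosen PIN."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        return False, "not a 4-digit PIN"
    if pin in STATIC_DENYLIST:
        return False, "on denied PIN list"
    if is_trivial_pattern(pin):
        return False, "trivial digit pattern"
    if pin in birthdate_pins(dob):
        return False, "derived from birth date"
    return True, "accepted"


if __name__ == "__main__":
    dob = date(1985, 3, 14)  # constructed sample customer
    for candidate in ["1234", "7777", "1403", "0314", "1985", "4071"]:
        print(candidate, check_pin(candidate, dob))
```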
