
And change the combination on my luggage!
September 19, 2012 12:11 PM

What are the most common and least common 4-digit PINs? Using data from recent password database leaks, an analysis of PINs. (via Schneier)
posted by fings (91 comments total) 48 users marked this as a favorite

 
This is presumably why I have to look at a picture, type a pass phrase and user number, and also mouse-click my 6-digit PIN to log into my bank account these days.
posted by carsonb at 12:16 PM on September 19, 2012


Interesting article and +12345 points for the post title.
posted by dabug at 12:20 PM on September 19, 2012 [6 favorites]


Bosco.
posted by ColdChef at 12:21 PM on September 19, 2012 [9 favorites]


I recently stopped using the same PIN that I started using when I set up my first debit card 20 years ago in high school. I miss that PIN.
posted by Burhanistan at 12:22 PM on September 19, 2012 [1 favorite]


Bosco

That episode always bothered me. When did ATMs use alphas?
posted by inturnaround at 12:22 PM on September 19, 2012 [4 favorites]


I actually really like that analysis... so of course I have to minorly nitpick at it:
A staggering 26.83% of all passwords could be guessed by attempting these 20 combinations!
Presuming from context that by 'all passwords' he means 'all PIN codes,' I think there's an unspoken assumption here - that the sample of users who use a 4-digit number as their password is a reasonable representation of all people who have to use a 4-digit banking PIN code. I would want to see a more rigorous analysis of this assumption before accepting it, because if we take a sample of all hacked passwords and then only select a subset of people with 'weak' passwords, pre-selecting people with the habit of picking weak passwords.
posted by muddgirl at 12:23 PM on September 19, 2012 [2 favorites]


I was using dates of wars for a long time. And then I ran out of wars (or at least wars whose dates I could actually remember),* which should say something about having too many pins that you have to change on a regular basis. Now I'm on to massacres. I don't think I'm going to run out of those.


*Which was a surprising number. Thank you history teachers!
posted by lesbiassparrow at 12:26 PM on September 19, 2012 [4 favorites]


because if we take a sample of all hacked passwords and then only select a subset of people with 'weak' passwords, pre-selecting people with the habit of picking weak passwords.

The hacked passwords were leaked by having the master database compromised, not the individual passwords.
posted by Tell Me No Lies at 12:28 PM on September 19, 2012


I actually really like that analysis... so of course I have to minorly nitpick at it:

A staggering 26.83% of all passwords could be guessed by attempting these 20 combinations!
Plus you have to remember that most debit cards/ATM cards are automatically deactivated after 3 or so incorrect PIN entries. So even if every card in the world had one of those 20 combinations, the chances of correctly guessing the pin before the card was locked down would only be 3 in 20, or 15%.
posted by Vorteks at 12:28 PM on September 19, 2012


The people with the least-frequently used PIN number are cursing right now. Nice going, Analysts!
posted by GenjiandProust at 12:29 PM on September 19, 2012 [3 favorites]


Yes, this is flawed. It should probably be titled "what idiots who can't pick passwords use for their passcodes", but even setting this aside it's quite rational to have an easy to remember code for a junk commenting account and still have at least a birthdate or something more than 0000 on one's ATM cards.
posted by jaduncan at 12:29 PM on September 19, 2012 [1 favorite]


Dang, I'm not in the top twenty, but choosing my 9th grade locker number does indeed put me in the huge 19XX segment of the population. Maybe next time I have to replace my debit card I'll switch it up.
posted by Ceci n'est pas un sockpuppet at 12:30 PM on September 19, 2012


My nine-year-old daughter's friend was over one day with her iPod Touch. She had activated the access code function and was amazed when my daughter "cracked" it on the first try. 1234. So she challenged my daughter to create an access code on her iPhone (an older, bricked one) so she could attempt to break into it. My daughter used our street address and her poor friend was unable to get it. I was amazed at how brilliant her friend thought my daughter was for being able to do that.
posted by perhapses at 12:30 PM on September 19, 2012 [3 favorites]


One of the nice things about memorizing the first 50 digits of Pi was that it generates a lot of nice 'random' 4-digit numbers (although if a hacker knew I was using that scheme, it would be more vulnerable). Note to hackers: I don't use that scheme anymore.
posted by muddgirl at 12:30 PM on September 19, 2012 [3 favorites]


Highly amused by the prominence of 8675309 in the 7-digit list.
posted by figurant at 12:31 PM on September 19, 2012 [10 favorites]


"what idiots who can't pick passwords use for their passcodes"

Don't forget people with Credit Union-issued cards that use those networked standalone ATMs. Some of those cards are issued with a set PIN and it's a real hassle to get them changed.
posted by carsonb at 12:32 PM on September 19, 2012


I created my PIN using two related math facts: first using the first two-digit number to be surrounded by primes, then following those two digits with the smallest number to be surrounded by numbers with the same number of divisors as it has. Guaranteed unguessable! Foolproof!
posted by Shepherd at 12:32 PM on September 19, 2012 [8 favorites]


Good thing no one here uses estimates of physical constants as a PIN!
posted by shothotbot at 12:34 PM on September 19, 2012


Am I the only one disappointed that there's no link to the full list?
posted by kjh at 12:34 PM on September 19, 2012 [10 favorites]


I just use what the bank assigns, on the theory that it will be truly random. Although I should probably nudge them to make something longer, as four digits is awfully short.
posted by Malor at 12:35 PM on September 19, 2012


Note to hackers: I don't use that scheme anymore.

Who do you think you are fooling with that disclaimer?
posted by GenjiandProust at 12:35 PM on September 19, 2012


Although I should probably nudge them to make something longer, as four digits is awfully short.

Good luck with that; it will only happen when an incredibly wide base of installed hardware and code assumptions finally die out. People get annoyed if their PIN suddenly doesn't work on their holiday in Fiji.
posted by jaduncan at 12:37 PM on September 19, 2012


My PIN used to be the first word I'd say when I realized I'd forgotten my PIN.
posted by logicpunk at 12:37 PM on September 19, 2012 [2 favorites]


That episode always bothered me. When did ATMs use alphas?

The bank my family used twenty-five years ago had ATMs with telephone-style number pads that had letters over the numbers and everything. We were able to choose a five-digit PIN too, so our ATM passcode became 74337. We raised sheep, y'see.

I feel perfectly safe giving out this information considering that today the bank account, family unit and indeed the bank itself do not exist in their 1987 configurations. Unless you're a stinking time-traveller in which case oh well, have fun, but please leave enough for us to go to Disney World in 1988 because that was really awesome.

At the time I remember being more impressed by the fact that we were able to choose our PIN, because before that we had to memorize the one the bank gave us and what fun was that?
posted by Spatch at 12:38 PM on September 19, 2012 [5 favorites]


My PIN used to be the first word I'd say when I realized I'd forgotten my PIN.

"Ouch"?
posted by Holy Zarquon's Singing Fish at 12:39 PM on September 19, 2012


because if we take a sample of all hacked passwords and then only select a subset of people with 'weak' passwords, pre-selecting people with the habit of picking weak passwords.

The hacked passwords were leaked by having the master database compromised, not the individual passwords.


I don't think muddgirl's point was about "these people were dumb enough to have their password compromised"; it was "these people were dumb enough to have chosen a 4-digit password".

People can have whatever they want for their password. Some people, for whatever reason, choose 4-digit numbers for their passwords instead of "correct horse battery staple" or whatever. Those people may be predisposed to picking weak PINs; after all, we already know that they chose a weak password.
posted by Jpfed at 12:40 PM on September 19, 2012


I found this tidbit interesting that these ATM PINs may have come via Korea.
kijin via the Hacker News post:
If you're wondering why 1004, a seemingly random number, is so close to the top of the list -- something that the author does not investigate in any detail -- my guess is that the database he used contains some major leaks from Korea. 1004 is a fairly popular password there, because it is one of the few 4-digit numbers that sound like actual words in Korean. 1004 sounds like "angel" (cheonsa).

So if you're actually trying to break into people's accounts, it would be advantageous to know your victims' ethnicity. It's quite likely that cards stolen in Koreatown will have a different distribution of PIN numbers than those stolen in Chinatown.
posted by wcfields at 12:41 PM on September 19, 2012 [16 favorites]


Why is "1004" so high on the list? The analysis doesn't make any special note of it, but it's the only one in the top 10 that isn't just a repeated number or "1234"
posted by theodolite at 12:44 PM on September 19, 2012 [1 favorite]


Thanks wcfields for answering my question while I was still typing it.
posted by theodolite at 12:45 PM on September 19, 2012 [6 favorites]


When I got my first bank account, I used my boyfriend's birthday for the PIN. Only it turns out I remembered his birthday wrong, so my PIN is actually "That one date when I thought my boyfriend was born." And then we broke up shortly afterwards.

How about THAT for security!
posted by nebulawindphone at 12:45 PM on September 19, 2012 [6 favorites]


An actual criminal asked me this once. He was a guy who hung around my building, just kind of loafing.

He knew I was some kind of computer whiz and asked me, "if you had a debit card you found in an envelope in a pile of mail, how could you get the pin". I told him he could never guess it at the ATM, search the rest of the mail for the second letter that contained the PIN.

A couple weeks later I heard my mom complaining on the phone about mysterious 500$ debits on her card.

I felt like a real dick. I had to confess I had told the guy how to steal her money.
posted by Ad hominem at 12:48 PM on September 19, 2012 [20 favorites]


Why is "1004" so high on the list?

That's a big 10-4, good buddy!
posted by ColdChef at 12:49 PM on September 19, 2012 [2 favorites]


I felt like a real dick.
posted by Ad hominem at 2:48 PM on September 19 [+] [!]


Eponysterical!

On topic: I find it intriguing that on average the least common 4-digiters are significantly larger numbers than the most common 4-digiters.
posted by AugieAugustus at 12:51 PM on September 19, 2012


it was "these people were dumb enough to have chosen a 4-digit password"

I hesitate to use the word "dumb" (because if I need a password for a site that cares so much about security that they're storing passwords in clear text, there's no reason to waste my time on a super-strong password, as long as it's unique) - but essentially, yes. I don't think it's axiomatic that a sample of weak passwords is representative of all PIN numbers.
posted by muddgirl at 12:53 PM on September 19, 2012


See also Benford's Law.
posted by whuppy at 12:56 PM on September 19, 2012 [1 favorite]


Blah blah blah luggage!
posted by Sys Rq at 12:57 PM on September 19, 2012


I happily used 8 digit PINs for my bank card for years, thinking I was clever, until I travelled overseas and had no way to access my money, nor any way to change the PIN remotely. Anybody know how pervasive >4 digit PINs are overseas these days? I figure Europe's fine, but what about Asia?
posted by WaylandSmith at 12:59 PM on September 19, 2012


It's hard for me to remember the actual digits in my PIN; I just push the same twisty line of buttons each time and rely on the fact that the number keys are always in the same configuration.
posted by ceribus peribus at 1:01 PM on September 19, 2012 [4 favorites]


I do all my PINs in hex.
posted by blue_beetle at 1:03 PM on September 19, 2012


Oh, and just FYI: Using a PIN made up of numbers, or by the position of the keys, is a great idea until you inevitably run into that machine with the letters on different numbers, or the keys in a different order, and then you're fucked.
posted by Sys Rq at 1:04 PM on September 19, 2012 [1 favorite]


I created my PIN using two related math facts: first using the first two-digit number to be surrounded by primes, then following those two digits with the smallest number to be surrounded by numbers with the same number of divisors as it has. Guaranteed unguessable! Foolproof!

I see what you did there.
posted by inigo2 at 1:04 PM on September 19, 2012


Ugh. Made up of LETTERS. D'doy.
posted by Sys Rq at 1:04 PM on September 19, 2012


Oh, and just FYI: Using a PIN made up of numbers, or by the position of the keys, is a great idea until you inevitably run into that machine with the letters on different numbers, or the keys in a different order, and then you're fucked.
This happened to me decades ago when I had a phone number memorized by the keypress positions, and I was faced with a rotary phone dial.
My solution- I drew out a picture of a phone keyboard, and then watched as my muscle memory took over.
posted by MtDewd at 1:07 PM on September 19, 2012 [5 favorites]


It pleases me that this shows the statistical insignificance of Canada, as every Canadian male over the age of 36 has the PIN '2112'.
posted by scruss at 1:09 PM on September 19, 2012 [12 favorites]


My solution- I drew out a picture of a phone keyboard, and then watched as my muscle memory took over.

My solution was to stubbornly keep trying the same wrong thing until I hit my maximum tries (there is such a thing, apparently) and had to go to the bank and reset my code.
posted by Sys Rq at 1:14 PM on September 19, 2012 [1 favorite]


This happened to me decades ago when I had a phone number memorized by the keypress positions, and I was faced with a rotary phone dial.
I used to have that problem with BBS phone numbers. I knew them by typing them on the numbers at the top of my keyboard. But if someone asked me for a BBS number, I'd have to pretend-type to recreate them.
posted by Karmakaze at 1:15 PM on September 19, 2012 [1 favorite]


I find that pins I set using a phone or at a bank are different than numerical pins on a pc due to the different keypad configurations. (Why do keyboard number pads have an orientation anyway? )
posted by Harpocrates at 1:23 PM on September 19, 2012


I don't think muddgirl's point was about "these people were dumb enough to have their password compromised"; it was "these people were dumb enough to have chosen a 4-digit password".

People can have whatever they want for their password.


Ah, I see the confusion. Unfortunately your second statement is untrue. Many ATM machines around the world require a four digit pin. I found that out the hard way when I went on an extended multi-country trip and was frequently unable to access funds due to my 6 digit pin.

If as has been suggested this sample was obtained from Korea the users likely had no say in the pin length.
posted by Tell Me No Lies at 1:24 PM on September 19, 2012


Ah, I see the confusion. Unfortunately your second statement is untrue. Many ATM machines around the world require a four digit pin. I found that out the hard way when I went on an extended multi-country trip and was frequently unable to access funds due to my 6 digit pin.

The article did not use actual PINs for its analysis though. Of course PINs are often restricted to four digits. But this used compromised passwords, not compromised PINs.

From the article, my emphasis:
Obviously, I don’t have access to a credit card PIN number database. Instead I’m going to use a proxy. I’m going to use data condensed from released/exposed/discovered password tables and security breaches.
posted by Jpfed at 1:27 PM on September 19, 2012 [2 favorites]


Heh. My ATM card's pin is one of the five least used pins. Guess I'll change it to 1235.
posted by klangklangston at 1:47 PM on September 19, 2012 [2 favorites]


I'm relieved my PIN was on none of the lists. I use the day of my two favorite holidays... one of my fav holidays is obscure.
posted by _paegan_ at 1:57 PM on September 19, 2012


I'm not telling any of you a goddamned thing about my PIN.
posted by adamdschneider at 2:03 PM on September 19, 2012 [9 favorites]


Obviously, I don’t have access to a credit card PIN number database. Instead I’m going to use a proxy. I’m going to use data condensed from released/exposed/discovered password tables and security breaches.

Ah, missed that. I retract my earlier statements.
posted by Tell Me No Lies at 2:35 PM on September 19, 2012


I recently changed both PINS to the same thing. I laugh at danger!
posted by deborah at 2:43 PM on September 19, 2012


I'm not telling any of you a goddamned thing about my PIN.

Too late — you just did!

Quick, scan his comment history! Figure out which four-digit numbers he hasn't told us anything about!
posted by nebulawindphone at 2:47 PM on September 19, 2012 [4 favorites]


Why is "1004" so high on the list?

A lot of people are fans of comb jellies?
posted by kurumi at 2:56 PM on September 19, 2012 [2 favorites]


I have one rule: every 4-digit PIN I have to share with family/coworkers is set to 5150.

Because everyone remembers when Van Halen started to suck, and it was 5150.
posted by mathowie at 3:10 PM on September 19, 2012 [1 favorite]


I have one rule: every 4-digit PIN I have to share with family/coworkers is set to 5150.

...and with that one foolish slip, admin privileges are MINE!
posted by percor at 3:14 PM on September 19, 2012 [1 favorite]


Not so fast - his MeFi password is an unhackable three digits!
posted by Holy Zarquon's Singing Fish at 3:16 PM on September 19, 2012


Stay gold, the 0.154% of five-digit grown-ups using 42069.
posted by carbide at 3:27 PM on September 19, 2012 [2 favorites]


You mean the entire population of Melber, Kentucky?
posted by nebulawindphone at 3:31 PM on September 19, 2012 [5 favorites]


Why do keyboard number pads have an orientation anyway?

As in why are they different? Because one was based on the layout of calculators and the other on rotary phones.
posted by garius at 3:56 PM on September 19, 2012


As the only thing closest to an IT guy we had, I was The Administrator to our modest network.

Then one day I was sick, and you guessed it - the server went kerflooey and nobody could do a thing about it. The boss called me at home, and asked for my password, but I had no idea what it was. I used a pattern of jagged lines on the keyboard. I had to climb out of bed and find a keyboard before I could tell him what the password was.
posted by Xoebe at 4:05 PM on September 19, 2012 [2 favorites]


Bosco

That episode always bothered me. When did ATMs use alphas?


That, plus: what ATMs have 5-digit PINs? Aren't they nearly all 4-digit? Or should I say, back in '91-ish when that Seinfeld episode aired?? This has always bothered me tremendously... makes no sense.
posted by Ike_Arumba at 4:31 PM on September 19, 2012


Agh, I wish he would edit that thing to replace every instance of "PIN number" with "PIN." 'Cause otherwise, this is a great piece.
posted by limeonaire at 4:54 PM on September 19, 2012 [1 favorite]


I have one rule: every 4-digit PIN I have to share with family/coworkers is set to 5150.

I'm glad you're not from California, where a 5150 is a 72-hour involuntary psychiatric hold. (I spent a summer in college doing data entry at a state hospital. I must have typed that number many thousand times.)
posted by benito.strauss at 4:59 PM on September 19, 2012 [2 favorites]


Wait, wait. It took until the 24th comment, nearly five hours after it was posted on MetaFilter, for anyone to say anything about the "PIN Number" thing? How is this possible?

<soapbox>Remember kids, it's 'PIN', not 'PIN Number'. You wouldn't say 'Personal Identification Number Number', so for the love of Christ don't say 'PIN Number'. Same deal with 'ATM Machine', 'NIC Card', etc.</soapbox>
posted by ob1quixote at 5:39 PM on September 19, 2012


That, plus: what ATMs have 5-digit PINs? Aren't they nearly all 4-digit? Or should I say, back in '91-ish when that Seinfeld episode aired?? This has always bothered me tremendously... makes no sense.

And what's the deal with sitcoms that don't adhere to reality? I mean, their writers are human. I know they've seen an ATM. Who are these people?
posted by Rodrigo Lamaitre at 5:41 PM on September 19, 2012


I ctl+f'd the article for my PIN. It did not appear.
posted by sourwookie at 5:49 PM on September 19, 2012


[steals mathowie's bank card, panics, spends 15 minutes trying to type OU812 into an ATM]
posted by Shepherd at 6:05 PM on September 19, 2012 [1 favorite]


Not a PIN, but I suppose that "E=MC2" would not be a good password?
posted by lungtaworld at 6:18 PM on September 19, 2012


Remember kids, it's 'PIN', not 'PIN Number'. You wouldn't say 'Personal Identification Number Number', ....

<steals_soapbox>
But I would definitely say "PIN number". As do millions of others, and we are all perfectly well understood. The goal of language is communication and clarity; efficiency is way down on the scale of what's important. In fact we throw in tons of redundancy to ensure the robustness of our language — each letter conveys about 1 bit of information, which we wastefully encode with log2 26 ≈ 4.7 bits.
</steals_soapbox>

posted by benito.strauss at 6:21 PM on September 19, 2012 [6 favorites]


Don't forget people with Credit Union-issued cards that use those networked standalone ATMs. Some of those cards are issued with a set PIN and it's a real hassle to get them changed.

I recall reading once (I think it may have been in The Register) that, for a while in the 1980s, all bank cards issued in the UK were factory-set to one of three PINs. When this was discovered, the powers that be had to quickly scrap and reissue all the cards before anyone realised exactly the reason for the recall and the financial system collapsed.
posted by acb at 6:24 PM on September 19, 2012 [2 favorites]


Am I the only one disappointed that there's no link to the full list?

Oh I've got a copy. Shoot me your PIN and I'll look it up for you.
posted by Lentrohamsanin at 6:24 PM on September 19, 2012 [3 favorites]


The price of a cheese pizza and a large soda at Panucci's Pizza.
posted by RobotHero at 6:57 PM on September 19, 2012 [5 favorites]


My solution was to stubbornly keep trying the same wrong thing until I hit my maximum tries (there is such a thing, apparently) and had to go to the bank and reset my code.

Me too! Except this particular ATM was in a Barcelona train station, and my nearest bank branch was 6000 miles away.
posted by googly at 6:57 PM on September 19, 2012


I suppose that "E=MC2" would not be a good password?

It definitely would not be. The RockYou password list includes: e=mc2, e=mc^2, e=mc2**, and e=mcsquared, and password crackers regularly check upper and lower case versions of passwords.
posted by fings at 7:21 PM on September 19, 2012


Hurrah for math! In position #17 of the ten digit password list we get 3141592654 (The first few digits of Pi)
Math schmath— those aren't even the correct digits!
posted by yaymukund at 8:06 PM on September 19, 2012


Math schmath— those aren't even the correct digits!

That's the beauty of it - no one thinks to check the wrong digits of pi!
posted by muddgirl at 8:32 PM on September 19, 2012 [3 favorites]


Vorteks: Plus you have to remember that most debit cards/ATM cards are automatically deactivated after 3 or so incorrect PIN entries. So even if every card in the world had one of those 20 combinations, the chances of correctly guessing the pin before the card was locked down would only be 3 in 20, or 15%.

Right, but 15% is a really high number! Given that bank cards are relatively easy to steal (you can pickpocket wallets or install skimmers on ATMs or at restaurants), you only need to get twenty or so before you could be 90% confident that you'd be able to access one of them by guessing its PIN. That seems like a pretty low barrier to me.
posted by Popular Ethics at 9:22 PM on September 19, 2012
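
The lockout arithmetic from Vorteks's and Popular Ethics's comments, worked through as an added example (not part of the thread or the linked article), with the attempt limit as the variable an issuer controls. The 20-equally-likely-PINs population is Vorteks's hypothetical; spreading the quoted 26.83% evenly over the top 20 PINs, treating cards as independent, and all function names are assumptions made here.

```python
import math


def per_card_success(pin_shares, attempts):
    """Chance that trying the `attempts` most common PINs opens one card.

    pin_shares: share of all cards using each modelled PIN. The shares need
    not sum to 1; the remainder is cards whose PIN is outside the list.
    """
    shares = sorted(pin_shares, reverse=True)
    if attempts < 0 or any(s < 0 for s in shares) or sum(shares) > 1 + 1e-9:
        raise ValueError("shares must be non-negative and sum to at most 1")
    return min(1.0, sum(shares[:attempts]))


def any_card_success(p, cards):
    """Chance that at least one of `cards` independent cards is opened."""
    return 1.0 - (1.0 - p) ** cards


def cards_for_confidence(p, confidence):
    """Smallest number of cards giving at least `confidence` of one success."""
    if not 0 < confidence < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    if p <= 0:
        return math.inf
    if p >= 1:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def lockout_table(pin_shares, max_attempts, confidence=0.90):
    """Rows of (attempt limit, per-card chance, cards needed) for 1..max."""
    rows = []
    for limit in range(1, max_attempts + 1):
        p = per_card_success(pin_shares, limit)
        rows.append((limit, round(p, 4), cards_for_confidence(p, confidence)))
    return rows


# Vorteks's hypothetical: every card uses one of 20 PINs, all equally likely.
HYPOTHETICAL = [1 / 20] * 20

# Figure quoted from the article: the top 20 PINs cover 26.83% of users.
# Assumption made here: that share is spread evenly over the 20 PINs. Real
# shares are skewed, so the best 3 guesses cover at least this much and the
# result is a lower bound on the per-card chance.
QUOTED_TOP20 = [0.2683 / 20] * 20

if __name__ == "__main__":
    for name, shares in (("hypothetical", HYPOTHETICAL),
                         ("quoted 26.83%, even spread", QUOTED_TOP20)):
        print(name)
        for limit, p, cards in lockout_table(shares, 5):
            print(f"  limit={limit}  per-card={p:.4f}  cards for 90%={cards}")
```

Under the hypothetical, a 3-attempt limit gives the 15% per-card figure, 15 cards reach the 90% mark, and 20 cards give about 96%.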


Oh man, I remember thinking about using O, D, Q and 0 on a license plate like the xkcd cartoon. Of course, his point never occurred to me, but I guess that's why he's the genius that makes XKCD and I'm the schlub who makes comments on metafilter.
posted by symbioid at 9:22 PM on September 19, 2012


It sort of irks my inner nerdy 12-year-old too, since it's not the particular sequence of digits I went and memorized, but actually yeah if you needed ten significant figures for some real application you'd round it instead of just truncating.

I know. The world is a terrible, ugly place. It'll be okay.
posted by nebulawindphone at 9:23 PM on September 19, 2012


This research is nonsense mostly because of this:
By combining the exposed password databases I’ve encountered, and filtering the results to just those rows that are exactly four digits long [0-9] the output is a database of all the four digit character combinations that people have used as their account passwords.

Given that users have a free choice for their password, if users select a four digit password to their online account, it’s not a stretch to use this as a proxy for four digit PIN codes.
The second statement doesn't follow from the first. I must have used passwords like 1234 and 6666 hundreds of times in the last fifteen years on sites that either required a password for no reason or on sites I had zip, zero, nada intention of ever visiting again. So if some newspaper in Wastewater Idaho wants me to register to read an article I'm more than happy to let them know I'm Elvis Presley at 123 Anywhere Street, Yourtown USA 90210 and give them a password of 1234. And these are just the sort of backwaters that are likely to a) store passwords in plain text and b) have poor security of that plain text file.

That doesn't apply to my bank pin in any way though I don't doubt there are lots of 1234 sorts of ATM pins floating around.

Harpocrates writes "I find that pins I set using a phone or at a bank are different than numerical pins on a pc due to the different keypad configurations. (Why do keyboard number pads have an orientation anyway? )"

Because IBM made business machines IE: calculators and not phones. I've often wondered why AT&T didn't make the touch tone phone pad with the same layout as calculator pads. Probably an epic Big Endian/Little Endian story in the choice.

Ike_Arumba writes "That, plus: what ATMs have 5-digit PINs? Aren't they nearly all 4-digit? Or should I say, back in '91-ish when that Seinfeld episode aired?? This has always bothered me tremendously... makes no sense."

I've had a six digit pin (not the same one all the time) since my first debit card way back in 1987. At the time I remember thinking having a non-standard length in and of itself would be a stumbling block so I asked what the max was (6) and have been using that ever since.
posted by Mitheral at 10:32 PM on September 19, 2012


If you're using a 4-digit PIN to lock your iPhone (which likely contains social networking data, financial data, private photos, etc) you should know there's a way you can use an alphanumeric password instead.
posted by IndigoRain at 5:13 AM on September 20, 2012


Everybody with 8068 is really choked right now.
posted by Beardman at 6:51 AM on September 20, 2012


Hardest PIN to guess: the last 4 digits of Pi.

I'm surprised that more people don't use the last 4 of their phone numbers. We had to ban that where I worked for an app that requires a PIN and not a password.
posted by Hactar at 8:28 AM on September 20, 2012 [3 favorites]


I'm surprised that more people don't use the last 4 of their phone numbers. We had to ban that where I worked for an app that requires a PIN and not a password.

They almost certainly do, but that's a social engineering attack that depends on knowing the person. Because those source numbers are relatively random they aren't going to show up on a table of the most used codes.
posted by jaduncan at 9:37 AM on September 20, 2012


I'm glad you're not from California, where a 5150 is a 72-hour involuntary psychiatric hold.

Um, that's why they named the album 5150.
posted by desjardins at 10:07 AM on September 20, 2012 [2 favorites]


Learn something new every day.
posted by benito.strauss at 10:34 AM on September 20, 2012


As in why are they different? Because one was based on the layout of calculators and the other on rotary phones.
There's a common urban legend that ATT made phone pads "upside down" to slow people who were good at 10-key entry so they wouldn't overload the system or whatever. But apparently what actually happened is that they tested a bunch of different designs and it turned out that the current configuration was easiest for people to learn.

They also asked some calculator people why they did the numbers the other way around, and apparently there wasn't actually any particular reason.
posted by delmoi at 10:50 AM on September 20, 2012 [1 favorite]


"e=mc2**" is on a password list? Huh? Some sort of strange RPN exponentiation? That seems like mighty obscure syntax, compared to, say, e=mc**2, which isn't on the list.

Interesting article, if one ignores the bogus logic relating this to ATM PINs and reads it as a study of numeric passwords on a low-stakes website.

Also, Hactar, who's to say there aren't many phone numbers in the list? The set of phone number suffixes isn't too different from the set of four digit numbers - you'd be hard pressed to see that in the data, without having correlated lists.
posted by eotvos at 5:32 PM on September 20, 2012

