Comments on: And change the combination on my luggage!

And change the combination on my luggage!

fings — Wed, 19 Sep 2012 12:11:07 -0800

What are the most common and least common 4-digit PINs? Using data from recent password database leaks, an analysis of PINs. (via Schneier)

By: carsonb

carsonb — Wed, 19 Sep 2012 12:16:33 -0800

This is presumably why I have to look at a picture, type a pass phrase and user number, and also mouse-click my 6-digit PIN to log into my bank account these days.

By: dabug

dabug — Wed, 19 Sep 2012 12:20:19 -0800

Interesting article and +12345 points for the post title.

By: ColdChef

ColdChef — Wed, 19 Sep 2012 12:21:47 -0800

Bosco.

By: Burhanistan

Burhanistan — Wed, 19 Sep 2012 12:22:33 -0800

I recently stopped using the same PIN that I started using when I set up my first debit card 20 years ago in high school. I miss that PIN.

By: inturnaround

inturnaround — Wed, 19 Sep 2012 12:22:50 -0800

Bosco That episode always bothered me. When did ATMs use alphas?

By: muddgirl

muddgirl — Wed, 19 Sep 2012 12:23:06 -0800

I actually really like that analysis... so of course I have to minorly nitpick at it:

A staggering 26.83% of all passwords could be guessed by attempting these 20 combinations!

Presuming from context that by 'all passwords' he means 'all PIN codes,' I think there's an unspoken assumption here - that the sample of users who use a 4-digit number as their password is a reasonable representation of all people who have to use a 4-digit banking PIN code. I would want to see a more rigorous analysis of this assumption before accepting it, because if we take a sample of all hacked passwords and then only select a subset of people with 'weak' passwords, pre-selecting people with the habit of picking weak passwords.

By: lesbiassparrow

lesbiassparrow — Wed, 19 Sep 2012 12:26:36 -0800

I was using dates of wars for a long time. And then I ran out of wars (or at least wars whose dates I could actually remember),* which should say something about having too many pins that you have to change on a regular basis. Now I'm on to massacres. I don't think I'm going to run out of those. *Which was a surprising number. Thank you history teachers!

By: Tell Me No Lies

Tell Me No Lies — Wed, 19 Sep 2012 12:28:17 -0800

because if we take a sample of all hacked passwords and then only select a subset of people with 'weak' passwords, pre-selecting people with the habit of picking weak passwords. The hacked passwords were leaked by having the master database compromised, not the individual passwords.

By: Vorteks

Vorteks — Wed, 19 Sep 2012 12:28:48 -0800

I actually really like that analysis... so of course I have to minorly nitpick at it: A staggering 26.83% of all passwords could be guessed by attempting these 20 combinations!

Plus you have to remember that most debit cards/ATM cards are automatically deactivated after 3 or so incorrect PIN entries. So even if every card in the world had one of those 20 combinations, the chances of correctly guessing the pin before the card was locked down would only be 3 in 20, or 15%.

By: GenjiandProust

GenjiandProust — Wed, 19 Sep 2012 12:29:04 -0800

The people with the least-frequently used PIN number are cursing right now. Nice going, Analysts!

By: jaduncan

jaduncan — Wed, 19 Sep 2012 12:29:30 -0800

Yes, this is flawed. It should probably be titled "what idiots who can't pick passwords use for their passcodes", but even setting this aside it's quite rational to have a easy to remember code for a junk commenting account and still have at least a birthdate or something more than 0000 on one's ATM cards.

By: Ceci n'est pas un sockpuppet

Ceci n'est pas un sockpuppet — Wed, 19 Sep 2012 12:30:29 -0800

Dang, I'm not in the top twenty, but choosing my 9th grade locker number does indeed put me in the huge 19XX segment of the population. Maybe next time I have to replace my debit card I'll switch it up.

By: perhapses

perhapses — Wed, 19 Sep 2012 12:30:43 -0800

My nine-year-old daughter's friend was over one day with her iPod Touch. She had activated the access code function and was amazed when my daughter "cracked" it on the first try. 1234. So she challenged my daughter to create an access code on her iPhone (an older, bricked one) so she could attempt to break into it. My daughter used our street address and her poor friend was unable to get it. I was amazed at how brilliant her friend thought my daughter was for being able to do that.

By: muddgirl

muddgirl — Wed, 19 Sep 2012 12:30:45 -0800

One of the nice things about memorizing the first 50 digits of Pi was that it generates a lot of nice 'random' 4-digit numbers (although if a hacker knew I was using that scheme, it would be more vulnerable). Note to hackers: I don't use that scheme anymore.

By: figurant

figurant — Wed, 19 Sep 2012 12:31:13 -0800

Highly amused by the prominence of 8675309 in the 7-digit list.

By: carsonb

carsonb — Wed, 19 Sep 2012 12:32:06 -0800

"what idiots who can't pick passwords use for their passcodes" Don't forget people with Credit Union-issued cards that use those networked standalone ATMs. Some of those cards are issued with a set PIN and it's a real hassle to get them changed.

By: Shepherd

Shepherd — Wed, 19 Sep 2012 12:32:55 -0800

I created my PIN using two related math facts: first using the first two-digit number to be surrounded by primes, then following those two digits with the smallest number to be surrounded by numbers with the same number of divisors as it has. Guaranteed unguessable! Foolproof!

By: shothotbot

shothotbot — Wed, 19 Sep 2012 12:34:01 -0800

Good thing no one here uses estimates of physical constants as a PIN!

By: kjh

kjh — Wed, 19 Sep 2012 12:34:14 -0800

Am I the only one disappointed that there's no link to the full list?

By: Malor

Malor — Wed, 19 Sep 2012 12:35:11 -0800

I just use what the bank assigns, on the theory that it will be truly random. Although I should probably nudge them to make something longer, as four digits is awfully short.

By: GenjiandProust

GenjiandProust — Wed, 19 Sep 2012 12:35:20 -0800

Note to hackers: I don't use that scheme anymore. Who do you think you are fooling with that disclaimer?

By: jaduncan

jaduncan — Wed, 19 Sep 2012 12:37:43 -0800

Although I should probably nudge them to make something longer, as four digits is awfully short. Good luck with that; it will only happen when an incredibly wide base of installed hardware and code assumptions finally die out. People get annoyed if their PIN suddenly doesn't work on their holiday in Fiji.

By: logicpunk

logicpunk — Wed, 19 Sep 2012 12:37:44 -0800

My PIN used to be the first word I'd say when I realized I'd forgotten my PIN.

By: Spatch

Spatch — Wed, 19 Sep 2012 12:38:12 -0800

That episode always bothered me. When did ATMs use alphas? The bank my family used twenty-five years ago had ATMs with telephone-style number pads that had letters over the numbers and everything. We able to choose a five-digit PIN too, so our ATM passcode became 74337. We raised sheep, y'see. I feel perfectly safe giving out this information considering that today the bank account, family unit and indeed the bank itself do not exist in their 1987 configurations. Unless you're a stinking time-traveller in which case oh well, have fun, but please leave enough for us to go to Disney World in 1988 because that was really awesome. At the time I remember being more impressed by the fact that we were able to choose our PIN, because before that we had to memorize the one the bank gave us and what fun was that?

By: Holy Zarquon's Singing Fish

Holy Zarquon's Singing Fish — Wed, 19 Sep 2012 12:39:21 -0800

My PIN used to be the first word I'd say when I realized I'd forgotten my PIN. "Ouch"?

By: Jpfed

Jpfed — Wed, 19 Sep 2012 12:40:02 -0800

because if we take a sample of all hacked passwords and then only select a subset of people with 'weak' passwords, pre-selecting people with the habit of picking weak passwords. The hacked passwords were leaked by having the master database compromised, not the individual passwords. I don't think muddgirl's point was about "these people were dumb enough to have their password compromised"; it was "these people were dumb enough to have chosen a 4-digit password". People can have whatever they want for their password. Some people, for whatever reason, choose 4-digit numbers for their passwords instead of "correct horse battery staple" or whatever. Those people may be predisposed to picking weak PINs; after all, we already know that they chose a weak password.

By: wcfields

wcfields — Wed, 19 Sep 2012 12:41:48 -0800

I found this tid-bit interesting that these ATM PINs may have come via Korea.

kijin via the Hacker News post:
If you're wondering why 1004, a seemingly random number, is so close to the top of the list -- something that the author does not investigate in any detail -- my guess is that the database he used contains some major leaks from Korea. 1004 is a fairly popular password there, because it is one of the few 4-digit numbers that sound like actual words in Korean. 1004 sounds like "angel" (cheonsa). So if you're actually trying to break into people's accounts, it would be advantageous to know your victims' ethnicity. It's quite likely that cards stolen in Koreatown will have a different distribution of PIN numbers than those stolen in Chinatown.

By: theodolite

theodolite — Wed, 19 Sep 2012 12:44:42 -0800

Why is "1004" so high on the list? The analysis doesn't make any special note of it, but it's the only one in the top 10 that isn't just a repeated number or "1234"

By: theodolite

theodolite — Wed, 19 Sep 2012 12:45:34 -0800

Thanks wcfields for answering my question while I was still typing it.

By: nebulawindphone

nebulawindphone — Wed, 19 Sep 2012 12:45:52 -0800

When I got my first bank account, I used my boyfriend's birthday for the PIN. Only it turns out I remembered his birthday wrong, so my PIN is actually "That one date when I thought my boyfriend was born." And then we broke up shortly afterwards. How about THAT for security!

By: Ad hominem

Ad hominem — Wed, 19 Sep 2012 12:48:27 -0800

A actual criminal asked me this once. He was a guy who hung around my building, just kind of loafing. He knew I was some kind of computer whiz and asked me, "if you had a debit card you found in an envelope in a pile of mail, how could you get the pin". I told him he could never guess it at the ATM, search the rest of the mail for the second letter that contained the PIN. A couple weeks later I heard my mom complaining on the phone about mysterious 500$ debits on her card. I felt like a real dick. I had to confess I had told the guy how to steal her money.

By: ColdChef

ColdChef — Wed, 19 Sep 2012 12:49:51 -0800

Why is "1004" so high on the list? That's a big 10-4, good buddy!

By: AugieAugustus

AugieAugustus — Wed, 19 Sep 2012 12:51:52 -0800

I felt like a real dick. posted by Ad hominem at 2:48 PM on September 19 [+] [!] Eponysterical! On topic: I find it intriguing that on average the least common 4-digiters are significantly larger numbers than the most common 4-digiters.

By: muddgirl

muddgirl — Wed, 19 Sep 2012 12:53:40 -0800

it was "these people were dumb enough to have chosen a 4-digit password" I hesitate to use the word "dumb" (because if I need a password for a site that cares so much about security that they're storing passwords in clear text, there's no reason to waste my time on a super-strong password, as long as it's unique) - but essentially, yes. I don't think it's axiomatic that a sample of weak passwords is representative of all PIN numbers.

By: whuppy

whuppy — Wed, 19 Sep 2012 12:56:00 -0800

By: Sys Rq

Sys Rq — Wed, 19 Sep 2012 12:57:46 -0800

Blah blah blah luggage!

By: WaylandSmith

WaylandSmith — Wed, 19 Sep 2012 12:59:31 -0800

I happily used 8 digit PINs for by bank card for years, thinking I was clever, until I travelled overseas and had no way to access my money, nor any way to change the PIN remotely. Anybody know how pervasive >4 digit PINs are overseas these days? I figure Europe's fine, but what about Asia?

By: ceribus peribus

ceribus peribus — Wed, 19 Sep 2012 13:01:59 -0800

It's hard for me to remember the actual digits in my PIN; I just push the same twisty line of buttons each time and rely on the fact that the number keys are always in the same configuration.

By: blue_beetle

blue_beetle — Wed, 19 Sep 2012 13:03:20 -0800

I do all my PINs in hex.

By: Sys Rq

Sys Rq — Wed, 19 Sep 2012 13:04:21 -0800

By: inigo2

inigo2 — Wed, 19 Sep 2012 13:04:26 -0800

By: Sys Rq

Sys Rq — Wed, 19 Sep 2012 13:04:47 -0800

Ugh. Made up of LETTERS. D'doy.

By: MtDewd

MtDewd — Wed, 19 Sep 2012 13:07:56 -0800

Oh, and just FYI: Using a PIN made up of numbers, or by the position of the keys, is a great idea until you inevitably run into that machine with the letters on different numbers, or the keys in a different order, and then you're fucked. This happened to me decades ago when I had a phone number memorized by the keypress positions, and I was faced with a rotary phone dial. My solution- I drew out a picture of a phone keyboard, and then watched as my muscle memory took over.

By: scruss

scruss — Wed, 19 Sep 2012 13:09:32 -0800

It pleases me that this shows the statistical insignificance of Canada, as every Canadian male over the age of 36 has the PIN '2112'.

By: Sys Rq

Sys Rq — Wed, 19 Sep 2012 13:14:30 -0800

My solution- I drew out a picture of a phone keyboard, and then watched as my muscle memory took over. My solution was to stubbornly keep trying the same wrong thing until I hit my maximum tries (there is such a thing, apparently) and had to go to the bank and reset my code.

By: Karmakaze

Karmakaze — Wed, 19 Sep 2012 13:15:47 -0800

This happened to me decades ago when I had a phone number memorized by the keypress positions, and I was faced with a rotary phone dial.

I used to have that problem with BBS phone numbers. I knew them by typing them on the numbers at the top of my keyboard. But if someone asked me for a BBS number, I'd have to pretend-type to recreate them.

By: Harpocrates

Harpocrates — Wed, 19 Sep 2012 13:23:11 -0800

I find that pins I set using a phone or at a bank are different than numerical pins on a pc due to the different keypad configurations. (Why do keyboard number pads have a orientation anyway? )

By: Tell Me No Lies

Tell Me No Lies — Wed, 19 Sep 2012 13:24:10 -0800

I don't think muddgirl's point was about "these people were dumb enough to have their password compromised"; it was "these people were dumb enough to have chosen a 4-digit password". People can have whatever they want for their password. Ah, I see the confusion. Unfortunately your second statement is untrue. Many ATM machines around the world require a four digit pin. I found that out the hard way when I went on an extended multi-country trip and was frequently unable to access funds due to my 6 digit pin. If as has been suggested this sample was obtained from Korea the users likely had no say in the pin length.

By: Jpfed

Jpfed — Wed, 19 Sep 2012 13:27:22 -0800

Ah, I see the confusion. Unfortunately your second statement is untrue. Many ATM machines around the world require a four digit pin. I found that out the hard way when I went on an extended multi-country trip and was frequently unable to access funds due to my 6 digit pin. The article did not use actual PINs for its analysis though. Of course PINs are often restricted to four digits. But this used compromised passwords, not compromised PINs. From the article, my emphasis:

Obviously, I don't have access to a credit card PIN number database. Instead I'm going to use a proxy. I'm going to use data condensed from released/exposed/discovered password tables and security breaches.

By: klangklangston

klangklangston — Wed, 19 Sep 2012 13:47:41 -0800

Heh. My ATM card's pin is one of the five least used pins. Guess I'll change it to 1235.

By: _paegan_

_paegan_ — Wed, 19 Sep 2012 13:57:15 -0800

I'm relieved my PIN was on none of the lists. I use the day of my two favorite holidays... one of my fav holidays is obscure.

By: adamdschneider

adamdschneider — Wed, 19 Sep 2012 14:03:15 -0800

I'm not telling any of you a goddamned thing about my PIN.

By: Tell Me No Lies

Tell Me No Lies — Wed, 19 Sep 2012 14:35:08 -0800

Obviously, I don't have access to a credit card PIN number database. Instead I'm going to use a proxy. I'm going to use data condensed from released/exposed/discovered password tables and security breaches. Ah, missed that. I retract my earlier statements.

By: deborah

deborah — Wed, 19 Sep 2012 14:43:55 -0800

I recently changed both PINS to the same thing. I laugh at danger!

By: nebulawindphone

nebulawindphone — Wed, 19 Sep 2012 14:47:56 -0800

I'm not telling any of you a goddamned thing about my PIN. Too late — you just did! Quick, scan his comment history! Figure out which four-digit numbers he hasn't told us anything about!

By: kurumi

kurumi — Wed, 19 Sep 2012 14:56:12 -0800

Why is "1004" so high on the list? A lot of people are fans of comb jellies?

By: mathowie

mathowie — Wed, 19 Sep 2012 15:10:23 -0800

I have one rule: every 4-digit PIN I have to share with family/coworkers is set to 5150. Because everyone remembers when Van Halen started to suck, and it was 5150.

By: percor

percor — Wed, 19 Sep 2012 15:14:50 -0800

I have one rule: every 4-digit PIN I have to share with family/coworkers is set to 5150. ...and with that one foolish slip, admin privileges are MINE!

By: Holy Zarquon's Singing Fish

Holy Zarquon's Singing Fish — Wed, 19 Sep 2012 15:16:55 -0800

Not so fast - his MeFi password is an unhackable three digits!

By: carbide

carbide — Wed, 19 Sep 2012 15:27:15 -0800

Stay gold, the 0.154% of five-digit grown-ups using 42069.

By: nebulawindphone

nebulawindphone — Wed, 19 Sep 2012 15:31:05 -0800

You mean the entire population of Melber, Kentucky?

By: garius

garius — Wed, 19 Sep 2012 15:56:41 -0800

Why do keyboard number pads have a orientation anyway? As in why are they different? Because one was based on the layout of calculators and the other on rotary phones.

By: Xoebe

Xoebe — Wed, 19 Sep 2012 16:05:08 -0800

As the only thing closest to an IT guy we had, I was The Administrator to our modest network. Then one day I was sick, and you guessed it - the server went kerflooey and nobody could do a thing about it. The boss called me at home, and asked for my password, but I had no idea what it was. I used a pattern of jagged lines on the keyboard. I had to climb out of bed and find a keyboard before I could tell him what the password was.

By: Ike_Arumba

Ike_Arumba — Wed, 19 Sep 2012 16:31:01 -0800

Bosco That episode always bothered me. When did ATMs use alphas? That, plus: what ATMs have 5-digit PINs? Aren't they nearly all 4-digit? Or should I say, back in '91-ish when that Seinfeld episode aired?? This has always bothered me tremendously... makes no sense.

By: limeonaire

limeonaire — Wed, 19 Sep 2012 16:54:41 -0800

Agh, I wish he would edit that thing to replace every instance of "PIN number" with "PIN." 'Cause otherwise, this is a great piece.

By: benito.strauss

benito.strauss — Wed, 19 Sep 2012 16:59:41 -0800

I have one rule: every 4-digit PIN I have to share with family/coworkers is set to 5150. I'm glad you're not from California, where a 5150 is a 72-hour involuntary psychiatric hold. (I spent a summer in college doing data entry at a state hospital. I must have typed that number many thousand times.)

By: ob1quixote

ob1quixote — Wed, 19 Sep 2012 17:39:25 -0800

Wait, wait. It took until the 24th comment, nearly five hours after it was posted on MetaFilter, for anyone to say anything about the "PIN Number" thing? How is this possible? <soapbox>Remember kids, it's 'PIN', not 'PIN Number'. You wouldn't say 'Personal Identification Number Number', so for the love of Christ don't say 'PIN Number'. Same deal with 'ATM Machine', 'NIC Card', etc.</soapbox>

By: Rodrigo Lamaitre

Rodrigo Lamaitre — Wed, 19 Sep 2012 17:41:41 -0800

That, plus: what ATMs have 5-digit PINs? Aren't they nearly all 4-digit? Or should I say, back in '91-ish when that Seinfeld episode aired?? This has always bothered me tremendously... makes no sense. And what's the deal with sitcoms that don't adhere to reality? I mean, their writers are human. I know they've seen an ATM. Who are these people?

By: sourwookie

sourwookie — Wed, 19 Sep 2012 17:49:15 -0800

I ctl+f'd the article for my PIN. It did not appear.

By: Shepherd

Shepherd — Wed, 19 Sep 2012 18:05:38 -0800

[steals mathowie's bank card, panics, spends 15 minutes trying to type OU812 into an ATM]

By: lungtaworld

lungtaworld — Wed, 19 Sep 2012 18:18:47 -0800

Not a PIN, but I suppose that "E=MC2" would not be a good password?

By: benito.strauss

benito.strauss — Wed, 19 Sep 2012 18:21:35 -0800

Remember kids, it's 'PIN', not 'PIN Number'. You wouldn't say 'Personal Identification Number Number', .... <steals_soapbox> But I would definitely say "PIN number". As do millions of others, and we are all perfectly well understood. The goal of language is communication and clarity; efficiency is way down on the scale of what's important. In fact we throw in tons of redundancy to ensure the robustness of our language — each letter conveys about 1 bit of information, which we wastefully encode with log₂ 26 ≈ 4.7 bits. </steals_soapbox>

By: acb

acb — Wed, 19 Sep 2012 18:24:01 -0800

Don't forget people with Credit Union-issued cards that use those networked standalone ATMs. Some of those cards are issued with a set PIN and it's a real hassle to get them changed. I recall reading once (I think it may have been in The Register) that, for a while in the 1980s, all bank cards issued in the UK were factory-set to one of three PINs. When this was discovered, the powers that be had to quickly scrap and reissue all the cards before anyone realised exactly the reason for the recall and the financial system collapsed.

By: Lentrohamsanin

Lentrohamsanin — Wed, 19 Sep 2012 18:24:50 -0800

Am I the only one disappointed that there's no link to the full list? Oh I've got a copy. Shoot me your PIN and I'll look it up for you.

By: RobotHero

RobotHero — Wed, 19 Sep 2012 18:57:18 -0800

The price of a cheese pizza and a large soda at Panucci's Pizza.

By: googly

googly — Wed, 19 Sep 2012 18:57:57 -0800

My solution was to stubbornly keep trying the same wrong thing until I hit my maximum tries (there is such a thing, apparently) and had to go to the bank and reset my code. Me too! Except this particular ATM was in a Barcelona train station, and my nearest bank branch was 6000 miles away.

By: fings

fings — Wed, 19 Sep 2012 19:21:10 -0800

I suppose that "E=MC2" would not be a good password? It definitely would not be. The RockYou password list includes: e=mc2, e=mc^2, e=mc2**, and e=mcsquared, and password crackers regularly check upper and lower case versions of passwords.

By: yaymukund

yaymukund — Wed, 19 Sep 2012 20:06:35 -0800

Hurrah for math! In position #17 of the ten digit password list we get 3141592654 (The first few digits of Pi)

Math schmath— those aren't even the correct digits!

By: muddgirl

muddgirl — Wed, 19 Sep 2012 20:32:15 -0800

Math schmath— those aren't even the correct digits! That's the beauty of it - no one things to check the wrong digits of pi!

By: Popular Ethics

Popular Ethics — Wed, 19 Sep 2012 21:22:22 -0800

Vorteks: Plus you have to remember that most debit cards/ATM cards are automatically deactivated after 3 or so incorrect PIN entries. So even if every card in the world had one of those 20 combinations, the chances of correctly guessing the pin before the card was locked down would only be 3 in 20, or 15%. Right, but 15% is a really high number! Given that bank cards are relatively easy to steal (you can pickpocket wallets or install skimmers on ATMs or at restaurants), you only need to get twenty or so before you could be 90% confident that you'd be able to access one of them by guessing its PIN. That seems like a pretty low barrier to me.

By: symbioid

symbioid — Wed, 19 Sep 2012 21:22:42 -0800

Oh man, I remember thinking about using O, D, Q and 0 on a license plate like the xkcd cartoon. Of course, his point never occurred to, but I guess that's why he's the genius that makes XKCD and I'm the shchlub who makes comments on metafilter.

By: nebulawindphone

nebulawindphone — Wed, 19 Sep 2012 21:23:57 -0800

It sort of irks my inner nerdy 12-year-old too, since it's not the particular sequence of digits I went and memorized, but actually yeah if you needed ten significant figures for some real application you'd round it instead of just truncating. I know. The world is a terrible, ugly place. It'll be okay.

By: Mitheral

Mitheral — Wed, 19 Sep 2012 22:32:45 -0800

This research is nonsense mostly because of this:

By combining the exposed password databases I've encountered, and filtering the results to just those rows that are exactly four digits long [0-9] the output is a database of all the four digit character combinations that people have used as their account passwords. Given that users have a free choice for their password, if users select a four digit password to their online account, it's not a stretch to use this as a proxy for four digit PIN codes.

The second statement doesn't follow from the first. I must have used passwords like 1234 and 6666 hundreds of times in the last fifteen years on sites that either required a password for no reason or on sites I had zip, zero, nada intention of ever visiting again. So if the some newspaper in Wastewater Idaho wants me to register to read an article I'm more than happy to let them know I'm Elvis Presely at 123 Anywhere Street, Yourtown USA 90210 and give them a password of 1234. And these are just the sort of backwaters that are likely to a) store passwords in plain text and b) have have poor security of that plain text file. That doesn't apply to my bank pin in any way though I don't doubt there are lots of 1234 sorts of ATM pins floating around. Harpocrates writes "I find that pins I set using a phone or at a bank are different than numerical pins on a pc due to the different keypad configurations. (Why do keyboard number pads have a orientation anyway? )" Because IBM made business machines IE: calculators and not phones. I've often wondered why AT&T didn't make the touch tone phone pad with the same layout as calculator pads. Probably an epic Big Endian/Little Endian story in the choice. Ike_Arumba writes "That, plus: what ATMs have 5-digit PINs? Aren't they nearly all 4-digit? Or should I say, back in '91-ish when that Seinfeld episode aired?? This has always bothered me tremendously... makes no sense." I've had a six digit pin (not the same one all the time) since my first debit card way back in 1987. At the time I remember thinking have a non standard length in and of itself would be a stumbling block so I asked what the max was (6) and have been using that ever since.

By: IndigoRain

IndigoRain — Thu, 20 Sep 2012 05:13:06 -0800

If you're using a 4-digit PIN to lock your iPhone (which likely contains social networking data, financial data, private photos, etc) you should know there's a way you can use an alphanumeric password instead.

By: Beardman

Beardman — Thu, 20 Sep 2012 06:51:45 -0800

Everybody with 8068 is really choked right now.

By: Hactar

Hactar — Thu, 20 Sep 2012 08:28:30 -0800

Hardest PIN to guess: the last 4 digits of Pi. I'm surprised that more people don't use the last 4 of their phone numbers. We had to ban that where I worked for an app the requires a PIN and not a password.

By: jaduncan

jaduncan — Thu, 20 Sep 2012 09:37:28 -0800

I'm surprised that more people don't use the last 4 of their phone numbers. We had to ban that where I worked for an app the requires a PIN and not a password. They almost certainly do, but that's a social engineering attack that depends on knowing the person. Because those source numbers are relatively random they aren't going to show up on a table of the most used codes.

By: desjardins

desjardins — Thu, 20 Sep 2012 10:07:42 -0800

I'm glad you're not from California, where a 5150 is a 72-hour involuntary psychiatric hold. Um, that's why they named the album 5150.

By: benito.strauss

benito.strauss — Thu, 20 Sep 2012 10:34:48 -0800

Learn something new every day.

By: delmoi

delmoi — Thu, 20 Sep 2012 10:50:17 -0800

As in why are they different? Because one was based on the layout of calculators and the other on rotary phones.

There's a common urban legend that ATT made phone pads "upside down" to slow people who were good at 10-key entry so they wouldn't overload the system or whatever. But apparently what actually happened is that they tested a bunch of different designs and it turned out that the current configuration was easiest for people to learn. They also asked some calculator people why they did the numbers the other way around, and apparently there wasn't actually any particular reason.

By: eotvos

eotvos — Thu, 20 Sep 2012 17:32:16 -0800

"e=mc2**" is on a password list? Huh? Some sort of strange RPN exponentiation? That seems like mighty obscure syntax, compared to, say, e=mc**2, which isn't on the list. Interesting article, if one ignores the bogus logic relating this to ATM PINs and reads it as a study of numeric passwords on a low-stakes website. Also, Hactar, who's to say there aren't many phone numbers in the list? The set of phone number suffixes isn't too different from the set of four digit numbers - you'd be hard pressed to see that in the data, without having correlated lists.