Stay safe online – choosing a secure PIN

With the Coronavirus outbreak, shops are asking us to use contactless payments instead of cash. However, many of us don’t have a contactless card, and for payments over £40 and to draw money out of an ATM you need a PIN (personal identification number). Some other services also ask for a PIN; in fact, Windows 10 now tries to insist that you set a PIN to log in.

But how to choose a PIN that’s both secure and easy to remember? In this article, Dave shares some tips, and a technique that should help.

What you should NEVER use as your PIN

A lot of people choose a PIN that’s easy to remember, without realising they are compromising their security. You should never use any of the following as your PIN:

  • Your date of birth
  • Your spouse’s date of birth
  • Your child’s date of birth
  • Your wedding anniversary date

Why not, you may ask? Two words – social engineering! It’s really easy for attackers to find out these dates. If you’ve got a Facebook account, I could probably find out all of these things about you within about five minutes. Considering you are usually given three wrong attempts at an ATM before your account is locked, if you’ve used one of the first three, I’m already emptying your bank account.

For the same reasons, never use your phone number, the year you left university, or any date of significance in your life. All of these things are both easy to find and easy to guess.

You should also never use an easy-to-remember sequence of numbers like 1234 or 0000. Hackers will always try these first. Often, a PIN that fits this pattern is a default one (programmed in by the manufacturer). Your security alarm, voicemail, CCTV system and anything else that comes with an optional PIN code will all have these set to some sort of easy-to-type default. The News of the World phone hacking scandal used exactly this to get into the voicemails of celebrities and murdered teenagers!

The next rule to remember (and I’ve said this before about passwords), is never use the same PIN twice. It should be obvious why – the same PIN number on all of your accounts means not only could I empty ALL of your bank accounts, but I could also max out ALL of your credit cards if I found your wallet lying in the road. And given that your driving licence will be in there too, I will have your address, so I might as well pop round to your house when you’re not in, disable the burglar alarm with that same PIN, and make off with your cash, jewellery, TV, laptop, etc., etc…

So after eliminating all of the dumb things someone could do, what’s left? A purely random number? An obscure date? You might think so, but we human beings are predictable beasts, and even when we think we’re being totally random, we’re actually being totally predictable. For instance, you might pick a PIN based on your interest in, say, medieval history. You might choose the date of the Battle of Agincourt – 25th October 1415. So you choose either the day and month – 2510 – or the year, 1415. But remember, a hacker will have done his homework. He’ll have seen your Facebook posts about the Battle of Agincourt every October the 25th, so these will be two of the numbers he’ll try right after the ones I mentioned at the outset.

Even a “random” number won’t be random, because we humans like patterns, so without knowing it we pick numbers with a pattern to them. There has been extensive scientific study of this, and I found a really interesting analysis of PIN data here. If you’re a data geek like me, it’s an engrossing article.

This academic paper (Bonneau et al., 2012) concludes:

“it appears that user choice of banking PINs is not as bad as with other secrets like passwords. User management of PINs is also comparatively good, with lower rates of reuse and sharing and many users reporting serious thought about PIN security. However, the skew introduced by user choice may make manual guessing by thieves worthwhile—a lost or stolen wallet will be vulnerable up to 8.9% of the time”

In other words, a hacker will be successful in guessing your PIN almost 1 in 10 times. I don’t fancy those odds!

So how do you choose a secure yet memorable PIN?

My method for choosing 4-digit PINs

My method for choosing 4-digit PINs isn’t rocket science, and is based on ONE simple rule.

Every bank card has a 16-digit card number on it. Something like this:

4929 8516 4478 9129

You’ll notice that it’s split into four groups of four digits. So my method is to pick a 4-digit number made only of the digits 1 to 4 (one of 1111, 1112, 1113, 1114, 1121, 1122, 1123, 1124, 1131, 1132, … 4444), and use this as a ‘master PIN’ to unlock any of your other PINs.

Say for instance I pick 1111 (for ease of explanation). Each digit of the master PIN tells me which position to take from the corresponding group of the card number, so 1111 picks the digit at the first position in each group:

4849

And that forms a unique PIN for that particular card. Of course, 1111 is easy to guess, so I might pick something more obscure like 4142 (fourth digit of the first group, first of the second, fourth of the third, second of the fourth). This gives me a unique PIN for this card of:

9881

It will work for any card, and all you have to remember is ONE number – 4142 – to unlock all of the unique PIN numbers for all of your cards.

Of course, this will only work for credit and debit cards, and only for 4-digit numbers. And you should never, EVER tell anyone your ‘master’ PIN.
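The positional rule above, written out as an added example (this is not code from the article): it derives a card PIN from a master PIN, checks the result against the article’s own “never use” list, and counts how many distinct PINs a given card can yield at all. The card number is the article’s sample; the date and year ranges in `is_weak` are my assumptions, not something the article specifies.

```python
# Added example: the article's 'master PIN' rule plus a weak-PIN sanity check.
from itertools import product
import re


def derive_pin(master: str, card_number: str) -> str:
    """Each master digit (1-4) selects a position in the matching 4-digit group."""
    digits = re.sub(r"\s", "", card_number)
    if len(digits) != 16 or not digits.isdigit():
        raise ValueError("expected a 16-digit card number")
    if len(master) != 4 or any(d not in "1234" for d in master):
        raise ValueError("master PIN must be four digits, each between 1 and 4")
    return "".join(digits[i * 4 + int(d) - 1] for i, d in enumerate(master))


def is_weak(pin: str) -> bool:
    """Flags what the article warns against: repeated digits, ascending or
    descending runs (1234, 4321), anything that reads as a day/month date,
    and anything that reads as a plausible birth year (assumed 1920-2030)."""
    if len(set(pin)) == 1:
        return True
    d = [int(c) for c in pin]
    steps = {b - a for a, b in zip(d, d[1:])}
    if steps in ({1}, {-1}):
        return True
    a, b = int(pin[:2]), int(pin[2:])
    if (1 <= a <= 31 and 1 <= b <= 12) or (1 <= a <= 12 and 1 <= b <= 31):
        return True
    return 1920 <= int(pin) <= 2030


def derivable_pins(card_number: str) -> set:
    """Every distinct PIN any master PIN can produce for this card.
    There are only 4**4 = 256 master PINs, and fewer distinct results when
    a group repeats a digit, so the scheme's whole strength is the secrecy
    of the master PIN, not the card number printed on the card."""
    return {derive_pin("".join(m), card_number) for m in product("1234", repeat=4)}


SAMPLE_CARD = "4929 8516 4478 9129"  # the article's example card number

if __name__ == "__main__":
    for master in ("1111", "4142"):
        pin = derive_pin(master, SAMPLE_CARD)
        print(master, "->", pin, "(weak pattern!)" if is_weak(pin) else "")
    print(len(derivable_pins(SAMPLE_CARD)), "distinct PINs derivable from this card")
```

Run `is_weak` on whatever the rule produces: a master PIN can land on a date-like or repeated-digit PIN for a particular card, in which case you simply choose a different master PIN.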

What about longer PINs?

It’s not often you will need to use a longer PIN, but most won’t be any longer than 8 digits. My first suggestion is to use a combination of two of your securely generated 4-digit PINs. Of course, this weakens things somewhat, because you are breaking one of the golden rules – don’t reuse PINs. So it depends how paranoid you are.

You could also use the current date and time – my clock currently says 16:22 on the 10th April. So that would give me a PIN of 16221004. Not easy to remember, but pretty secure, as it’s a random number (or as close to random as a fallible, predictable hairless ape can get!).

You could use a random number generator. Google have built a tool to do this here. Type 11111111 into the ‘Min’ box and 99999999 into the ‘Max’ box and click generate. I just did and it came up with 66985165. Good enough.

The only problem you have now is remembering it. The only advice I can offer is to have a read of this article to help you improve your ability to remember numbers. But don’t write it down. Really, don’t. Ever.

Stay at home, and stay safe.

References

Bonneau, J., Preibusch, S. and Anderson, R. (2012) ‘A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs’, Keromytis, A. D. (ed), Financial Cryptography and Data Security, Lecture Notes in Computer Science, Berlin, Heidelberg, Springer, pp. 25–40 [Online]. DOI: 10.1007/978-3-642-32946-3_3.