A German-American team of IT security researchers has investigated how users choose the PIN for their cell phones and how they can be persuaded to use a more secure combination of digits. They found that six-digit PINs hardly provide more security in practice than four-digit ones. They also showed that Apple's blacklist to prevent particularly frequent PINs could be optimized and would even make more sense for Android devices.
Philipp Markert, Daniel Bailey and Prof. Dr. Markus Dürmuth from the Horst Görtz Institute for IT Security at Ruhr University Bochum (RUB) cooperated for the study with Dr. Maximilian Golla from the Max Planck Institute for Cybersecurity and Privacy Protection in Bochum and Prof. Dr. Adam Aviv from George Washington University in the US. The researchers will present the results, which they posted online in advance, at the IEEE Symposium on Security and Privacy in San Francisco in May 2020.
Extensive user study
In the study, the researchers had users assign either four- or six-digit PINs on Apple and Android devices and later analyzed how easy they were to guess. They assumed an attacker who did not know their victim and did not care whose cell phone they unlocked. Consequently, their best attack strategy would be to try the most likely PINs first.
Some of the participants in the study were free to choose their PINs. Others could only choose PINs that were not on a blocked list. If they tried to use one of the blocked PINs, they received a warning that this combination of digits was easy to guess.
For the experiment, the IT security experts used various blacklists, including the genuine one from Apple, which they obtained by having a computer test all possible PIN combinations on an iPhone. They also produced their own blocking lists of varying complexity.
Six-digit PINs no more secure than four-digit ones
The evaluation showed that six-digit PINs do not provide more security in practice than four-digit ones. "Mathematically, of course, there is a huge difference," says Philipp Markert. With a four-digit PIN, 10,000 different combinations can be formed; with a six-digit PIN, one million. "But users have preferences for certain combinations, and some PINs are used particularly frequently, for example 123456 and 654321," explains Philipp Markert. So users are not exploiting the potential of six-digit codes. "Apparently, users currently still lack the intuition as to what makes a six-digit PIN secure," Markus Dürmuth suspects.
A reasonably chosen four-digit PIN is sufficiently secure primarily because manufacturers limit the number of times you can try to enter a PIN. Apple locks the device completely after ten incorrect entries. On an Android smartphone, you can't enter different codes in succession as quickly as you like. "You can manage to test 100 number combinations in eleven hours," explains Philipp Markert.
Lock lists can be useful
The researchers found 274 number combinations on Apple's blocking list for four-digit PINs. "But since you only have ten guesses when entering a PIN on an iPhone, the blacklist doesn't offer any security benefits," Maximilian Golla concludes. According to the researchers, the blacklist would be more helpful on Android devices since attackers could try out more PINs there.
According to the study, the ideal blocking list would have to include about 1,000 entries for four-digit PINs and be composed somewhat differently than the list Apple currently uses. The study found the most common four-digit PINs to be 1234, 0000, 2580 (the digits appear vertically below each other on the number pad), 1111 and 5555.
On the iPhone, users can ignore the warning that they have entered a frequently used PIN. The device therefore does not consistently prevent blacklisted PINs from being chosen. The IT security experts also examined this aspect in their study. Some of the test participants who had entered a PIN from the blacklist were allowed to choose whether or not they wanted to enter a new PIN after the warning. The rest had to set a new PIN that was not on the list. On average, the PINs of both groups were equally difficult to guess.
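To make the guess-budget argument concrete, here is an added example (not the study's code or data) that estimates how many users an attacker who tries the most popular PINs first would unlock within the iPhone's ten attempts, for constructed four- and six-digit PIN samples, and how an enforced blocklist built from the article's five most common four-digit PINs shifts that number. The PIN samples, the replacement pool and the blocklist contents are assumptions made up for this example.

```python
from collections import Counter
# Guess budget from the article: an iPhone locks after ten wrong entries.
IOS_GUESSES = 10

# Constructed samples (not the study's data): the most popular entries are the
# PINs the article names, the rest are filler values made up for this example.
FOUR_DIGIT = (["1234"] * 30 + ["0000"] * 15 + ["2580"] * 10 + ["1111"] * 8
              + ["5555"] * 6 + ["1990"] * 4 + ["2468"] * 3 + ["7413"] * 2
              + ["8301", "4917", "0342", "6208", "9175", "3856", "2031", "7749", "5120", "6683"])
SIX_DIGIT = (["123456"] * 32 + ["654321"] * 14 + ["111111"] * 12 + ["000000"] * 9
             + ["121212"] * 6 + ["112233"] * 4 + ["159753"] * 3 + ["789456"] * 2
             + ["305817", "942061", "617394", "280573", "736149", "493820"])

# The article's five most common four-digit PINs serve as a toy blocklist; the
# replacement pool is a constructed set of PINs users fall back to when blocked.
BLOCKLIST = {"1234", "0000", "2580", "1111", "5555"}
FALLBACK = ["4827", "9163", "3074", "5891", "7206", "1358",
            "6429", "8512", "2793", "9640", "0385", "4716"]

def guess_order(pins):
    """Attacker model from the study: someone who knows nothing about the victim
    tries PINs in descending order of population-wide popularity."""
    return [pin for pin, _ in Counter(pins).most_common()]

def guessed_within(pins, budget):
    """Fraction of users whose PIN falls within the attacker's first `budget` guesses."""
    top = set(guess_order(pins)[:budget])
    return sum(p in top for p in pins) / len(pins)

def apply_blocklist(pins, blocklist, fallback):
    """Model an enforced blocklist (no 'ignore the warning' option): each blocked
    choice is replaced from `fallback`, cycling through it so runs are reproducible.
    The attacker is assumed to know the policy and re-ranks on the new distribution."""
    out, i = [], 0
    for p in pins:
        if p in blocklist:
            p, i = fallback[i % len(fallback)], i + 1
        out.append(p)
    return out

def compare(pins, budget, blocklist=BLOCKLIST, fallback=FALLBACK):
    """Guessing success within `budget` tries before and after enforcing the blocklist."""
    return guessed_within(pins, budget), guessed_within(apply_blocklist(pins, blocklist, fallback), budget)

if __name__ == "__main__":
    for label, pins in (("4-digit", FOUR_DIGIT), ("6-digit", SIX_DIGIT)):
        print(label, "guessed within 10 tries:", round(guessed_within(pins, IOS_GUESSES), 3))
    print("4-digit, free choice vs enforced blocklist:", compare(FOUR_DIGIT, IOS_GUESSES))
```

With such a small constructed population the absolute numbers mean little; the point is the metric itself (share of users compromised within the platform's guess limit), which is what a blocklist policy should be judged on.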
More secure than unlock patterns
Another finding of the study was that four- and six-digit PINs are less secure than passwords but more secure than unlock patterns.
Original publication
Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, Adam J. Aviv: This PIN can be easily guessed, IEEE Symposium on Security and Privacy (SP ’20), San Francisco, USA, 2020
Press contact
Philipp Markert
Working Group Mobile Security
Horst Görtz Institute for IT Security
Ruhr University Bochum
Phone: +49 234 32 28669
E-mail: philipp.markert@rub.de
Dr. Maximilian Golla
Max Planck Institute for Cybersecurity and Privacy Protection
Phone: +49 234 32 28667
E-mail: maximilian.golla@csp.mpg.de