An observation about 4-digit PINs. They're even weaker than you might think just from "doing the math" at least in some cases. Sure, there's 10000 combinations to search through if you're trying to brute force one, but I'd bet money that in most cases you don't need to search anywhere near that many.
Case in point: I had a unit at a mini-storage place once. And you needed a 4-digit PIN to get through the gate. And I forgot the PIN I used. I was sitting at the gate for a minute, staring at the keypad and realized "wait... hundreds of people have PINs in this system and the system doesn't care which one you use". So I just needed a PIN that somebody used. So I started with years that would have been reasonable birth years for an average adult at that time and started going up. I think it took about 6 tries to find a valid PIN.
Now granted, this is different than trying to brute force a specific person's PIN. But even then, I expect that in many cases an informed search will crack it a lot faster than a purely sequential search or a random search. Using common birth years, well known numbers like "5150", "1234", "4321", etc. is probably going to work a lot of times.
The lock on your front door is more secure than the lock on your bedroom door. This tradeoff is for convenience, of course.
An entrance to a mini-storage place is probably OK to be weak. Presumably, you are required to have a proper lock on your own unit. Likewise, the PIN is generally the 2nd factor (along with "something you have") for important things. I'm OK with the convenience of having only a 4-digit PIN on my ATM card since I can reasonably protect & deactivate the card. If someone forces me to enter my PIN under duress, it doesn't really matter how many digits it is.
> An entrance to a mini-storage place is probably OK to be weak. Presumably, you are required to have a proper lock on your own unit.
You'd like the entrance to be strong, because access to the entrance grants you secluded access to all the units, and angle grinders beat locks in seconds, proper locks in just a few more seconds.
Of course, cars beat entrance gates pretty easily too.
If it's ok to be so weak that it's trivial to enter like this, why have the lock at all? The cynical (and probably accurate) answer is that it's security theater designed to give customers warm fuzzy feelings cheaply and with low risk of lockout calls and maintenance issues. It does basically nothing to keep someone from taking your stuff.
Probably worth noting that using another PIN like that to enter a storage facility is almost certainly a breach of terms of use. Such that, if you did anything in there that is not ok with everyone, they have easy legal recourse against you.
My mini storage place issued me a code that was just the number of my box and the year I was born. Knowing this, I could probably brute force someone else’s code in 30 seconds.
I'm sure they have cameras that could trace things back to you.
In my mother tongue there's a saying that roughly translates to "The lock on the door isn't there to keep you out. It's there to communicate that you're not wanted there."
But this is coming from a culture that's rather communal where shared property is often the default.
This reminds me of when I was in HS. There was an auto car wash that would print a number on a receipt for one to enter and get a carwash with. One day for whatever reason I just punched in 12 random numbers and it worked. And that's how I got free car washes all through high school...
> in most cases you don't need to search anywhere near that many
If the pin is chosen randomly with a uniform distribution over the 0000 to 9999 range, then the average brute force search will probe 5000.5 combinations.
And even if the number is randomly generated, many devices accept any string of digits that end with the correct four digits. Pressing "12345" actually tests both codes "1234" and "2345".
I'm sure there's an optimal sequence of keypresses that tests all 10000 codes in something like 30,000 keypresses rather than the naive 40,000.
Also true of those old "lockbox" key lockers that real estate agents use to "protect" the keys to your house.
This made me uncomfortable when I was selling a house, so naturally I wrote some code to generate a string of digits that would cover the full solution space most efficiently.
Armed with this "master key", I had the lockbox open in negligible time. Honestly I think it was just a few minutes, and I was about halfway through the string.
This let me put the key out only when a showing was happening, and I brought the lockbox to the closing, which baffled the real estate agent.
To be fair that was decades ago. The mini-storage place I use now asks for your unit # AND your PIN. So it would be a lot harder to guess like described above.
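An added example, not from any commenter: the arithmetic behind a gate where any enrolled PIN opens it, compared with a gate that asks for unit number and PIN. The 300 distinct enrolled PINs and the 6-attempt lockout budget are assumed figures, and PINs are assumed uniformly random, which is the best case for the defender.

```python
import random
from fractions import Fraction
from math import comb

CODES = 10_000  # 4-digit keyspace 0000-9999


def expected_guesses(enrolled: int, codes: int = CODES) -> Fraction:
    """Mean number of non-repeating guesses until the first valid code.

    The first of `enrolled` marked items in a random ordering of `codes`
    items sits, on average, at position (codes + 1) / (enrolled + 1).
    """
    return Fraction(codes + 1, enrolled + 1)


def hit_within(attempts: int, enrolled: int, codes: int = CODES) -> Fraction:
    """Chance that at least one of `attempts` distinct guesses is valid."""
    return 1 - Fraction(comb(codes - enrolled, attempts), comb(codes, attempts))


def simulate(enrolled: int, trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo check: sequential guessing 0000, 0001, ... against
    uniformly random enrolled PINs; the first hit is the smallest PIN."""
    rng = random.Random(seed)
    total = sum(min(rng.sample(range(CODES), enrolled)) + 1 for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    # 300 enrolled PINs and a 6-attempt budget are assumed sample figures.
    for label, n in (("any enrolled PIN opens gate", 300), ("unit number + PIN", 1)):
        print(f"{label}: mean {float(expected_guesses(n)):.1f} guesses, "
              f"P(hit in 6 tries) = {float(hit_within(6, n)):.4f}")
    print("simulated mean, 300 enrolled:", round(simulate(300), 1))
```

With one valid PIN per unit the mean is the 5000.5 figure quoted elsewhere in this thread; with 300 valid PINs on a shared gate it drops to about 33, so a lockout threshold sized for a single PIN is far too generous for a shared keyspace.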
Yes! Back in the 1980s when long distance telephone was a thing, I used to dial (301) 737-2051 followed by a 5 digit pin to get access to a service that let me enter a long distance call. It only took about 20-30 manual attempts for me to guess a valid 5 digit PIN! I'd just increment my guesses by 1 each time.
It's apparently the California law section number for restraining a mentally unwell person or something, so has law enforcement and slang usage, and there's a 1986 chart-topping song named after it. (I'd never heard of it either, but I'm not Californian.)
I had the same question. It is the title of a Van Halen record album, also a section of the California legal code related to mental health, according to a simple search.
It's the famous law for involuntary mental lockup in California, then referenced a lot in pop culture, probably most notably with a Van Halen album named after it. It's used in a lot of jokes, but also oppressively. I think we've seen some divorce court releases and such on how to "5150 my wife," how cops abuse it, etc.
The biggest job of the front entrance gate at a mini-storage business is to keep random people from loitering in the area, so the cameras(/hypothetical people watching the feeds) have an easier time witnessing a break-in.
> Almost one in 10 people use the same four-digit PIN
I can't think of the PIN 1234 without immediately thinking of Dark Helmet:
"So the combination is one, two, three, four, five? That's the stupidest combination I ever heard in my life! That's the kind of thing an idiot would have on his luggage!" https://www.youtube.com/watch?v=7rSmMm-7SVA
By counting grid points it looks like codes in the form 0[1-9][32-99] are the least common with a few exceptions (like 0990 or 0987).
I suspect this is leading zero bias: a leading zero is not meaningful mathematically and we tend to drop it. The exceptions are dates. The day first block doesn't extend vertically into an unused area but the month first one drops off a cliff around 32 because no month has 32 days.
Wish as you moused over the grid it would tell you the numerical value, or at least the one we're on with precision so I could hover over mine (as well as others).
You made me wonder what my smartphone PIN actually is and now I can only access the device with the fingerprint reader. Usually my hands know what PIN to use, but apparently not when the brain gets involved. Guess I have to wait until I forget that I don't know that PIN.
"How about (digits)?"
"You can't use that one. Someone else has already chosen that."
"Wait, now I know someone else's PIN code. I could use that and it'd be logged under their name."
https://en.wikipedia.org/wiki/De_Bruijn_sequence
It seems that you can do it in 10003 key presses. Calculation for this exact example is in the Wikipedia page.
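An added example, not code from any commenter in this thread: the standard Lyndon-word construction of the De Bruijn sequence B(10, 4) from the Wikipedia page linked above, used to compare how many distinct codes one key stream exercises on a rolling-window keypad versus a keypad that clears its buffer after every four digits. The function names are this example's own.

```python
def de_bruijn(k: int, n: int) -> list[int]:
    """Cyclic De Bruijn sequence B(k, n) built by concatenating Lyndon words."""
    a = [0] * (k * n)
    out: list[int] = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:          # keep only words whose length divides n
                out.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        db(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            db(t + 1, t)

    db(1, 1)
    return out


def keypad_stream(n: int = 4) -> str:
    """Linear key stream: the cyclic sequence plus its first n-1 digits."""
    seq = de_bruijn(10, n)
    return "".join(map(str, seq + seq[:n - 1]))


def rolling_codes(keys: str, n: int = 4) -> set[str]:
    """Codes seen by a keypad that matches the last n digits after every key."""
    return {keys[i:i + n] for i in range(len(keys) - n + 1)}


def block_codes(keys: str, n: int = 4) -> set[str]:
    """Codes seen by a keypad that clears its buffer after each n-digit entry."""
    return {keys[i:i + n] for i in range(0, len(keys) - n + 1, n)}


if __name__ == "__main__":
    stream = keypad_stream()
    print(len(stream), "keys;", len(rolling_codes(stream)), "codes (rolling)")
    print(len(block_codes(stream)), "codes (buffer cleared per entry)")
    print(sorted(rolling_codes("12345")))   # the thread's "12345" case
```

A keypad that clears its buffer per entry, or requires an explicit enter key, sees at most 2,500 codes from the same 10,003 keys and forces the naive 40,000 keypresses for full coverage; an attempt lockout bounds the search on either design.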
“Which password?”
“Any password.”
“Hunter2”
“Welcome!”
* https://www.youtube.com/watch?v=OFxg1nB9yQ8
https://en.wikipedia.org/wiki/IBM_5150
Poster: "I was ripping my dirt bike out in the snow and got pulled over!"
Commenter 1: "What for?"
Commenter 2: "5150."
Barcroft Station in California (elevation 3800 m) has house number 5150 over the door. You'd have to be crazy to want to work there.
https://www.dictionary.com/e/slang/5150/
http://www.datagenetics.com/blog/september32012/
Most common PIN codes (2012) - https://news.ycombinator.com/item?id=40359736 - May 2024 (88 comments)
PIN number analysis (2012) - https://news.ycombinator.com/item?id=17670173 - Aug 2018 (72 comments)
Statistical Analysis of PIN Numbers (2012) - https://news.ycombinator.com/item?id=11365962 - March 2016 (1 comment)
The 20 most common PIN numbers - https://news.ycombinator.com/item?id=11230045 - March 2016 (1 comment)
PIN analysis (2012) - https://news.ycombinator.com/item?id=11228319 - March 2016 (1 comment)
PIN number analysis - https://news.ycombinator.com/item?id=5124024 - Jan 2013 (82 comments)
PIN Number Analysis - https://news.ycombinator.com/item?id=4654337 - Oct 2012 (2 comments)
Analysis of bank PIN numbers - https://news.ycombinator.com/item?id=4535417 - Sept 2012 (111 comments)
We've replaced password sharing with PIN sharing.
https://www.reddit.com/r/dataisbeautiful/comments/1cn7l7r/oc...
Also consider this scene from Trainspotting 2: https://www.youtube.com/watch?v=2EQCpQbUrzI :)