Here’s a question, would it be more secure to choose a rare pin number or a pin number that is extremely common (ignoring obviously bad ones like 1234, 4321, meme numbers, numbers with four repeating digits, etc)?
Logic suggests that picking a rare number is better than a common one, because common ones are the ones that people would try first when attempting a bruteforce attack. Yet at the same time, personally if I was trying to brute force a pin, I’d start with obvious choices like 1234, 4321, four repeating numbers and meme numbers, and then switch to alternating between common-rare-common-rare if I was trying to brute force a pin number (starting with the most common and most rare). That’d mean the pin numbers that are the most secure when it comes to brute force attacks would be somewhere in the middle.
Granted, 4-digit pin numbers aren’t very secure considering there are a maximum of 10,000 combinations, and social engineering attacks like phishing mostly bypass the need to brute-force the combination entirely. As such, the effort would likely be inconsequential and pointless outside of not picking ridiculously bad pins like 1111, but I’m still curious.
If your goal is to access a random account as quickly as possible, why would you ever try anything other than the next most common PIN?
It’s not like Vegas where longer odds = higher payout. Less common PIN just means any given account is less likely.to use it, and therefore it’s less likely to be correct on any given attempt.
If you look at it another way, the brightness of each square on that grid is the probability that there is a prize inside. If you wanted the most prizes as quickly as possible, picking the darkest avsilsble square is always a bad choice.
If you have some degree of knowledge about the target, and know they are somewhat security savvy (but also somehow only have a 4 digit pin protecting this account) then it might be wise to check the pins that would be considered more secure. Or, at least, to perform some data processing on the source data for this graph which culls stupid pins (and remember the ones you cull to add to the end of your brute force approach), and from there continue with the highest probability.
As you said, 4 digits is not enough to make something secure to a computer. 10,000 permutations is milliseconds of computation.The only reason it’s at all secure for a credit card is because you’re generally only using the PIN for in-person transactions where there are more practical limits on attempts (Narrator: “After 2 hours and 632 attempts, the cashier began to get suspicious…”), if not hard cut offs from the bank/processor for failed attempts. If we’re being realistic, as long as your PIN isn’t in the first 3-6 numbers they can try, it’s probably secure enough in itself. Theives want low hanging fruit. Easier to try to social engineer your PIN then to manually brute force it. As long as you’re avoiding the most obvious first attempt numbers, go ahead and use your dog’s birthday or your childhood home’s address. It’s fine.
Honestly, almost any PIN is probably fine so long as you don’t have it written on the back of the card or something. Cards get locked after like 3 failed attempts, so the number itself doesn’t have to be unique or rare.
Hell - even if you gave them the first digit and the thief could eliminate 90 percent of of the remaining numbers based on probabilities, the thief would still have less than a 1:30 chance of getting the right combination before the card was locked.
Here’s a question, would it be more secure to choose a rare pin number or a pin number that is extremely common (ignoring obviously bad ones like 1234, 4321, meme numbers, numbers with four repeating digits, etc)?
Logic suggests that picking a rare number is better than a common one, because common ones are the ones that people would try first when attempting a bruteforce attack. Yet at the same time, personally if I was trying to brute force a pin, I’d start with obvious choices like 1234, 4321, four repeating numbers and meme numbers, and then switch to alternating between common-rare-common-rare if I was trying to brute force a pin number (starting with the most common and most rare). That’d mean the pin numbers that are the most secure when it comes to brute force attacks would be somewhere in the middle.
Granted, 4-digit pin numbers aren’t very secure considering there are a maximum of 10,000 combinations, and social engineering attacks like phishing mostly bypass the need to brute-force the combination entirely. As such, the effort would likely be inconsequential and pointless outside of not picking ridiculously bad pins like 1111, but I’m still curious.
If your goal is to access a random account as quickly as possible, why would you ever try anything other than the next most common PIN?
It’s not like Vegas where longer odds = higher payout. Less common PIN just means any given account is less likely.to use it, and therefore it’s less likely to be correct on any given attempt.
If you look at it another way, the brightness of each square on that grid is the probability that there is a prize inside. If you wanted the most prizes as quickly as possible, picking the darkest avsilsble square is always a bad choice.
If you have some degree of knowledge about the target, and know they are somewhat security savvy (but also somehow only have a 4 digit pin protecting this account) then it might be wise to check the pins that would be considered more secure. Or, at least, to perform some data processing on the source data for this graph which culls stupid pins (and remember the ones you cull to add to the end of your brute force approach), and from there continue with the highest probability.
As you said, 4 digits is not enough to make something secure to a computer. 10,000 permutations is milliseconds of computation.The only reason it’s at all secure for a credit card is because you’re generally only using the PIN for in-person transactions where there are more practical limits on attempts (Narrator: “After 2 hours and 632 attempts, the cashier began to get suspicious…”), if not hard cut offs from the bank/processor for failed attempts. If we’re being realistic, as long as your PIN isn’t in the first 3-6 numbers they can try, it’s probably secure enough in itself. Theives want low hanging fruit. Easier to try to social engineer your PIN then to manually brute force it. As long as you’re avoiding the most obvious first attempt numbers, go ahead and use your dog’s birthday or your childhood home’s address. It’s fine.
Honestly, almost any PIN is probably fine so long as you don’t have it written on the back of the card or something. Cards get locked after like 3 failed attempts, so the number itself doesn’t have to be unique or rare.
Hell - even if you gave them the first digit and the thief could eliminate 90 percent of of the remaining numbers based on probabilities, the thief would still have less than a 1:30 chance of getting the right combination before the card was locked.